
ICU-23337 Fix undefined behavior in list_format_fuzzer: validate enum values#3890

Open
OwenSanzas wants to merge 1 commit into unicode-org:main from OwenSanzas:fix/list-format-fuzzer-enum-validation

Conversation

@OwenSanzas

Summary

The list_format_fuzzer harness reads UListFormatterType and UListFormatterWidth directly from fuzz data via memcpy into enum variables without validation. Loading arbitrary bit patterns into C++ enum types is undefined behavior.

Confirmed with UndefinedBehaviorSanitizer:

runtime error: load of value 2125315823, which is not a valid value
for type 'UListFormatterType' (aka 'enum UListFormatterType')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior list_format_fuzzer.cpp:52:52

The harness already validates these values for a third createInstance call (lines 58-61), but passes the raw unvalidated values in the second call (line 52).

Changes

  1. Read fuzz data into int32_t instead of directly into enum types (eliminates UB at the memcpy point)
  2. Validate values with abs + modulo before casting to the enum type
  3. Remove the redundant third createInstance call — it was only needed because the second call used unvalidated values; now the second call uses validated values directly

Experimental Verification (60-second fuzzing, AddressSanitizer)

Metric      Original   Fixed
Edge cov    1658       1651
Features    4218       3873
Corpus      314        261
Exec/s      9832       9913

Coverage is equivalent — the fix eliminates the UB without affecting fuzzing effectiveness.

UBSan Evidence

  • Original: crashes with crafted input containing type=0x7EADBEEF, width=0x7EADBEEF
  • Fixed: passes cleanly with the same input
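The read-into-int32_t-then-validate pattern listed under Changes above, as an added self-contained example; this is not the ICU harness and not code from the PR. The enums FuzzListType and FuzzListWidth are stand-ins assumed to mirror the three-enumerator shape of UListFormatterType and UListFormatterWidth; clampToRange, parseParams and makeInput are hypothetical helpers, and the input built in main is constructed to match the crafted type=0x7EADBEEF, width=0x7EADBEEF case from the description.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in enums. Assumption: they mirror the shape of ICU's UListFormatterType
// and UListFormatterWidth (three enumerators each, numbered from 0); they are
// not ICU's own declarations. The _COUNT sentinels exist only for range checks.
enum FuzzListType  { TYPE_AND = 0, TYPE_OR, TYPE_UNITS, TYPE_COUNT };
enum FuzzListWidth { WIDTH_WIDE = 0, WIDTH_SHORT, WIDTH_NARROW, WIDTH_COUNT };

// Fold an arbitrary 32-bit value into [0, count) with abs + modulo.
// Widen before negating: abs(INT32_MIN) overflows int32_t, which is itself UB.
static int32_t clampToRange(int32_t raw, int32_t count) {
    int64_t wide = raw;
    if (wide < 0) wide = -wide;
    return static_cast<int32_t>(wide % count);
}

struct ParsedParams {
    FuzzListType type;
    FuzzListWidth width;
};

// The pattern the PR describes: memcpy into int32_t (every bit pattern is a
// valid int32_t), validate, and only then cast to the enum. Returns false if
// the input is too short to hold both fields, as a fuzz harness should.
//
// The pattern being replaced memcpys straight into an enum variable; with a
// payload such as 0x7EADBEEF that load is what UBSan flags, so it is
// deliberately not reproduced here.
static bool parseParams(const uint8_t* data, size_t size, ParsedParams& out) {
    if (size < 2 * sizeof(int32_t)) return false;
    int32_t rawType = 0;
    int32_t rawWidth = 0;
    std::memcpy(&rawType, data, sizeof(rawType));
    std::memcpy(&rawWidth, data + sizeof(rawType), sizeof(rawWidth));
    out.type  = static_cast<FuzzListType>(clampToRange(rawType, TYPE_COUNT));
    out.width = static_cast<FuzzListWidth>(clampToRange(rawWidth, WIDTH_COUNT));
    return true;
}

// Build a fuzz input carrying two int32_t fields in native byte order, the
// same layout parseParams reads. Used to construct the crafted input below.
static std::vector<uint8_t> makeInput(int32_t type, int32_t width) {
    std::vector<uint8_t> buf(2 * sizeof(int32_t));
    std::memcpy(buf.data(), &type, sizeof(type));
    std::memcpy(buf.data() + sizeof(type), &width, sizeof(width));
    return buf;
}

int main() {
    // Constructed input mirroring the crafted case in the PR description:
    // type = width = 0x7EADBEEF (2125315823), which is no valid enumerator.
    const int32_t crafted = 0x7EADBEEF;
    std::vector<uint8_t> input = makeInput(crafted, crafted);
    ParsedParams p{};
    if (!parseParams(input.data(), input.size(), p)) return 1;
    // 2125315823 % 3 == 2, so both fields land on the last enumerator.
    return (p.type == TYPE_UNITS && p.width == WIDTH_NARROW) ? 0 : 1;
}
```

Compiling this with -fsanitize=undefined and feeding it the same bytes shows why the order matters: the int32_t load is always defined, and the cast happens only after the value has been folded into the enumerator range. The int64_t widening in clampToRange is the one caveat to add to a plain "abs + modulo": a fuzzer will find INT32_MIN quickly, and negating it in int32_t is a separate UB finding.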

…om fuzz data

The harness reads UListFormatterType and UListFormatterWidth directly
from fuzz data via memcpy into enum variables without validation.
Loading arbitrary bit patterns into C++ enum types is undefined behavior,
confirmed by UndefinedBehaviorSanitizer:

  runtime error: load of value 2125315823, which is not a valid value
  for type 'UListFormatterType'

The fix reads into int32_t first, then clamps to valid enum ranges before
casting. The redundant third createInstance call (which was the only one
using validated values) is removed since the second call now uses
validated values.
@OwenSanzas changed the title from "Fix undefined behavior in list_format_fuzzer: validate enum values" to "ICU-23337 Fix undefined behavior in list_format_fuzzer: validate enum values" on Mar 7, 2026
@markusicu markusicu self-assigned this Mar 12, 2026