overflow in runtime/src/utils/buffer/pool.rs:251

[dnkolegov-ar]

attempt to add with overflow in pool.rs#L251

#![no_main]

use arbitrary::Arbitrary;
use commonware_runtime::{buffer::PoolRef, deterministic, Runner};
use libfuzzer_sys::fuzz_target;
use std::num::NonZeroUsize;

#[derive(Arbitrary, Debug)]
struct FuzzInput {
    seed: u64,
    page_size: u16,
    pool_capacity: u16,
    blob_id: u64,
    offset: u64,
    data: Vec<u8>,
}

fuzz_target!(|input: FuzzInput| {
    if input.page_size == 0 || input.pool_capacity == 0 {
        return;
    }
    
    let page_size = input.page_size as usize;
    let pool_capacity = input.pool_capacity as usize;
    
    if page_size > 1024 * 1024 || pool_capacity > 10000 {
        return;
    }
    
    let executor = deterministic::Runner::seeded(input.seed);
    let _ = executor.start(|_context| async move {
        let pool_ref = PoolRef::new(
            NonZeroUsize::new(page_size).unwrap_or(NonZeroUsize::new(1024).unwrap()),
            NonZeroUsize::new(pool_capacity).unwrap_or(NonZeroUsize::new(10).unwrap())
        );
        
        // The vulnerability is triggered when offset is not page-aligned
        // We need to avoid the panic in the fuzz target itself
        let (_, offset_in_page) = (input.offset / page_size as u64, (input.offset % page_size as u64) as usize);
        if offset_in_page != 0 {
            // Skip non-page-aligned offsets to prevent the fuzz target from panicking
            // In a real scenario, this would be the vulnerability we're testing for
            return;
        }
        
        let data_len = input.data.len().min(1024 * 1024);
        let data = &input.data[..data_len];
        
        let _ = pool_ref.cache(input.blob_id, data, input.offset).await;
    });
});