
Fix crash when bogus string input is provided to hl_date_from_string#929

Draft
sebbernery wants to merge 1 commit into
HaxeFoundation:masterfrom
sebbernery:fix-utf-safety

Conversation

@sebbernery

Fix crash when bogus string input is provided to hl_date_from_string or format digest function.

Added a new function in hl.h, hl_to_utf8_len, the same as hl_to_utf8 but with a len parameter. Updated hl_utf16_to_utf8 to replace '!= end' with '< end', because c can be incremented twice in the loop, which may be an issue with invalid input.

Here is a reproducible example:

segfault_fixed_by_utf8_len.txt

class Main {
    static public function main() {
        final input = Sys.stdin().readLine();
        try {
            var date = Date.fromString(input);
            trace(date);
        } catch (e:haxe.Exception) {
        }
    }
}
$ haxe -main Main -hl out.hl
$ hl out.hl < segfault_fixed_by_utf8_len.txt
SIGNAL 11[Segmentation fault]
$Date.fromString(/usr/share/haxe/std/hl/_std/Date.hx:157)
$ParseDate.main(ParseDate.hx:5)
.init(?:1)
[1]    2231895 segmentation fault

Here is the reproducible example for the Sha1 digest (with the same input):

import haxe.crypto.Sha1;

class Main {
    static function main() {
        final input = Sys.stdin().readLine();
        try {
            trace(Sha1.encode(input));
        } catch (e:haxe.Exception) {
        }
    }
}
$ haxe -main Main -hl out.hl
$ hl out.hl < segfault_fixed_by_utf8_len.txt
SIGNAL 11[Segmentation fault]
haxe.crypto.$Sha1.encode(/usr/share/haxe/std/hl/_std/haxe/crypto/Sha1.hx:28)
$Main.main(Main.hx:8)
.init(?:1)
[1]    2671945 segmentation fault

I found this issue with AFL++ by fuzzing some Haxe std functions. Don't hesitate to ask if you need more details (I kept some notes during the debugging process, but they're in French).

I didn't use any LLM at any point in the process, from writing the Haxe scripts to the fixes and this PR.
Have a nice day!
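The loop-bound problem the PR description points at (a `!= end` bound while the cursor may advance by two code units on a surrogate pair) is shown below as an added C example. It is not HashLink's code: `utf16_to_utf8_bounded`, `old_bound_overshoots` and `convert_matches` are hypothetical names, and the inputs are constructed. The bounded converter takes its length in UTF-16 code units and rejects a pair truncated at the end of the buffer instead of reading past it; the second function models why the old bound never terminates on that input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical bounded UTF-16 -> UTF-8 converter (added example; not
 * HashLink's hl_utf16_to_utf8). `len` is a count of UTF-16 code units, not
 * bytes. The cursor may advance by two code units per iteration (surrogate
 * pair), so the loop bound is `c < end`, and the second unit of a pair is
 * only read after checking that it lies before `end`.
 * Returns the number of UTF-8 bytes written, or -1 on malformed input or
 * insufficient output capacity.
 */
static int utf16_to_utf8_bounded(const uint16_t *str, size_t len,
                                 char *out, size_t cap) {
    const uint16_t *c = str, *end = str + len;
    size_t n = 0;
    while (c < end) {
        uint32_t cp = *c++;
        if (cp >= 0xD800 && cp <= 0xDBFF) {
            /* high surrogate: the low surrogate must exist inside the buffer */
            if (c >= end) return -1;                   /* pair truncated at end */
            uint32_t lo = *c;
            if (lo < 0xDC00 || lo > 0xDFFF) return -1; /* lone high surrogate */
            c++;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                 /* lone low surrogate */
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (n + need > cap) return -1;                 /* output too small */
        if (need == 1) {
            out[n++] = (char)cp;
        } else if (need == 2) {
            out[n++] = (char)(0xC0 | (cp >> 6));
            out[n++] = (char)(0x80 | (cp & 0x3F));
        } else if (need == 3) {
            out[n++] = (char)(0xE0 | (cp >> 12));
            out[n++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[n++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[n++] = (char)(0xF0 | (cp >> 18));
            out[n++] = (char)(0x80 | ((cp >> 12) & 0x3F));
            out[n++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[n++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    return (int)n;
}

/*
 * Model of the hazard the PR describes (not HashLink's actual loop): with an
 * `i != len` bound and an unconditional second increment on a high surrogate,
 * a high surrogate as the last code unit pushes the index past `len`, and
 * `!=` never terminates the loop. Returns 1 if the cursor overshoots,
 * 0 otherwise; it stops before reading anything out of bounds.
 */
static int old_bound_overshoots(const uint16_t *str, size_t len) {
    size_t i = 0;
    while (i != len) {
        if (i > len) return 1;  /* real code would now read past the buffer */
        uint32_t cp = str[i++];
        if (cp >= 0xD800 && cp <= 0xDBFF) i++;  /* consume "low surrogate" unchecked */
    }
    return 0;
}

/* Convert and compare with an expected UTF-8 byte string.
   Returns 1 on match, 0 on mismatch, -1 if the converter rejected the input. */
static int convert_matches(const uint16_t *in, size_t len, const char *expect) {
    char out[64];
    int n = utf16_to_utf8_bounded(in, len, out, sizeof out);
    if (n < 0) return -1;
    return ((size_t)n == strlen(expect) && memcmp(out, expect, (size_t)n) == 0) ? 1 : 0;
}

int main(void) {
    /* Constructed input: 'a' followed by a lone high surrogate, the truncated-pair shape. */
    const uint16_t bad[] = { 'a', 0xD83D };
    char out[16];
    printf("old '!= end' bound overshoots: %d\n", old_bound_overshoots(bad, 2));
    printf("bounded converter returns: %d\n",
           utf16_to_utf8_bounded(bad, 2, out, sizeof out));
    return 0;
}
```

Whatever unit a `len` parameter uses (code units or bytes), the caller must pass the same unit the pointer arithmetic inside assumes; a byte count handed to a function that adds `len` to a `uint16_t *` makes `end` point past the real buffer, which is worth checking at every call site whenever a `_len` variant is introduced.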

…or format digest function.

Added a new function in hl.h, hl_to_utf8_len, same as hl_to_utf8 but with a len parameter
Updated hl_utf16_to_utf8 to replace '!= end' by '< end' because c can be incremented
two times in the loop and it may be an issue with invalid input.
@sebbernery sebbernery marked this pull request as draft May 1, 2026 16:16
@sebbernery
Author

I just noted that my fix is incorrect, as it can raise a segfault where there was no problem before with the date parsing. I think it comes from this: https://github.com/HaxeFoundation/haxe/blob/development/std/hl/_std/Date.hx#L157 . The length of the string given is multiplied by two, so I think it's not coherent with the real size of the buffer. I don't get why.

I switched the PR in draft mode.

@yuxiaomao
Collaborator

Note also: on Windows, the try-catch caught the access violation, and it doesn't access-violate if I trace input before Date.fromString.
