Skip to content

Fix uregex_open_fuzzer: hardcoded flags and unaligned memory access#3919

Open
OwenSanzas wants to merge 2 commits intounicode-org:mainfrom
OwenSanzas:fix-uregex-open-fuzzer-flags
Open

Fix uregex_open_fuzzer: hardcoded flags and unaligned memory access#3919
OwenSanzas wants to merge 2 commits intounicode-org:mainfrom
OwenSanzas:fix-uregex-open-fuzzer-flags

Conversation

@OwenSanzas
Copy link
Copy Markdown

@OwenSanzas OwenSanzas commented Mar 30, 2026

Summary

Fix two issues in uregex_open_fuzzer.cpp that limit fuzzing effectiveness.

1. Hardcoded flags parameter

The fuzzer always passes 0 for the flags parameter to uregex_open(), meaning it only ever tests regex compilation with default flags. The regex engine supports UREGEX_CASE_INSENSITIVE, UREGEX_MULTILINE, UREGEX_DOTALL, UREGEX_COMMENTS, and other flags that exercise different code paths — none of which are being tested.

Fix: Derive flags from the first byte of fuzzer input instead of hardcoding 0.

2. Unaligned memory access

The fuzzer casts data directly to char16_t* via reinterpret_cast<const char16_t*>(data). Since data is not guaranteed to be 2-byte aligned, this causes undefined behavior and faults on architectures with strict alignment requirements (e.g., ARM).

Fix: Copy the pattern data to a properly aligned buffer using memcpy, consistent with the approach used in other ICU fuzzers.

Coverage comparison (60 seconds, empty seed corpus, ASan, libFuzzer)

Metric Original Fixed Change
Edge coverage 2031 2404 +18.37% (+373 edges)
Feature coverage 6881 9266 +34.66% (+2385 features)

The +18% edge coverage increase confirms that the hardcoded flags were preventing exploration of significant portions of the regex engine.

@OwenSanzas
Fix undefined behavior in list_format_fuzzer: validate enum values fr…
32705e0 
…om fuzz data

The harness reads UListFormatterType and UListFormatterWidth directly
from fuzz data via memcpy into enum variables without validation.
Loading arbitrary bit patterns into C++ enum types is undefined behavior,
confirmed by UndefinedBehaviorSanitizer:

  runtime error: load of value 2125315823, which is not a valid value
  for type 'UListFormatterType'

The fix reads into int32_t first, then clamps to valid enum ranges before
casting. The redundant third createInstance call (which was the only one
using validated values) is removed since the second call now uses
validated values.
@OwenSanzas
Fix uregex_open_fuzzer: hardcoded flags and unaligned memory access
9c44d92
@markusicu
Copy link
Copy Markdown
Member

markusicu commented Apr 2, 2026

Hi @OwenSanzas thanks for your proposed changes -- but we are wondering...

Why are you trying to "fix" the fuzzer harness code? It is not production code, so does not usually come under the same kind of scrutiny.

There are also some things that we probably don't want to change because we would lose fuzzer test coverage of library code, but before doing real reviews we wanted to ask what you were trying to achieve here.

@OwenSanzas
Copy link
Copy Markdown
Author

OwenSanzas commented Apr 8, 2026

Hi @markusicu, thanks for asking!

We're a security research team working on fuzz harness quality. We've found that subtle harness issues can silently waste fuzzing resources or even mask real bugs — for example, the OpenSSL provider fuzzer had an API call order bug that, once fixed, uncovered a stack-buffer-overflow latent for ~20 years (commit 5ba9029).

For this specific fuzzer, the flags parameter to uregex_open() is always hardcoded to 0, so only default-mode regex compilation ever gets tested — case-insensitive, multiline, comments mode, etc. are never explored. Our fix simply derives flags from the fuzz input, so the fuzzer can reach those code paths too. In our testing this gave +18.37% edge coverage (+373 edges, 60s run, empty corpus, same Docker environment).

We're definitely not trying to reduce coverage — flags=0 is still a possible input, so nothing is lost. Happy to adjust anything if you have concerns!

@markusicu markusicu self-assigned this Apr 9, 2026
@markusicu markusicu requested a review from FrankYFTang April 9, 2026 16:02
@markusicu
Copy link
Copy Markdown
Member

markusicu commented Apr 9, 2026

Ok, we will take a look.
It would be great if you didn't delete the entire PR template...

@OwenSanzas
Copy link
Copy Markdown
Author

OwenSanzas commented Apr 9, 2026

Sorry about the template, I'll keep it next time. Thanks for taking a look!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@FrankYFTang FrankYFTang Awaiting requested review from FrankYFTang

At least 1 approving review is required to merge this pull request.

Assignees

@markusicu markusicu

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@OwenSanzas @markusicu