Go support for GDPR v1.12.0 crashes with Go Fuzz test #358

ntframeplay · 2024-01-09T04:39:20Z

Using the fuzz test string below (or similar)

go test fuzz v1
string("C0000000000000000000000000000000000AAdA000000000000")

the following crash & stack trace occurs:

Fuzz test func:

func FuzzTCF(f *testing.F) {
	// Only one function to be tested
	f.Fuzz(func(t *testing.T, tcfStr string) {
		_, _ = tcf(tcfStr)
	})
}

and tcf func

func tcf(tcf_str string) (tcfData, error) {
	if len(tcf_str) == 0 {
		return tcfData{}, nil
	}
	consent, err := vendorconsent.ParseString(tcf_str) // string is base64 encoded
	if err != nil {
		return tcfData{}, err
	}

	return tcfData{
		tcf_str,
		consent.VendorListVersion(),
		consent.VendorConsent(uint16(TCFFramePlayVendorID)),
		consent.PurposeAllowed(3),
	}, nil
}

index out of range occurs in return value of
/go-gdpr/vendorconsent/tcf2.isSet(...)

The text was updated successfully, but these errors were encountered:

HeinzBaumann · 2024-01-09T18:47:03Z

@ntframeplay IAB doesn't support a GO library. Please raise this issue against the respective GO library that you are using. Thanks

ntframeplay · 2024-01-09T23:59:18Z

thanks, moved to proper lib prebid/go-gdpr#40 (comment)

HeinzBaumann · 2024-02-06T18:33:18Z

Closed. Issues is tracked here: prebid/go-gdpr#40 (comment)

HeinzBaumann closed this as completed Feb 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Go support for GDPR v1.12.0 crashes with Go Fuzz test #358

Go support for GDPR v1.12.0 crashes with Go Fuzz test #358

ntframeplay commented Jan 9, 2024

HeinzBaumann commented Jan 9, 2024

ntframeplay commented Jan 9, 2024

HeinzBaumann commented Feb 6, 2024

Go support for GDPR v1.12.0 crashes with Go Fuzz test #358

Go support for GDPR v1.12.0 crashes with Go Fuzz test #358

Comments

ntframeplay commented Jan 9, 2024

HeinzBaumann commented Jan 9, 2024

ntframeplay commented Jan 9, 2024

HeinzBaumann commented Feb 6, 2024