Suspected false positive "Heap-buffer-overflow" report in curl

[bagder]

Over in the @curl project we've received this oss-fuzz issue over the last few days: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41258 (limited access). It is said to happen "very frequently".

The stack trace is puzzling. None of us in the project have been able to reproduce it. We've stared at the code in question and we cannot see nor explain how the fuzzer can reach the point where it reports it hits the buffer overflow.

We're starting to lean to the explanation that this is somehow a false positive from the fuzzer. I know this is a tired old explanation that is debunked in almost all cases, but... we cannot see a better explanation!

We've published most details of the issue in curl/curl#8041 to give everyone access and the chance to dig into the details and find the answer.

[DavidKorczynski]

I think this might be an issue with AFL and its instrumentation rather than Curl code, CC @vanhauser-thc

[vanhauser-thc]

there is nothing I can do there.
I need the testcase that produces that crash so I can have a look.
(and I have no permission to the issue on chromium, the curl issue has no content that helps me in any way)

[bagder]

The curl fuzzer runs as part of oss-fuzz since years and is fully public here: https://github.com/curl/curl-fuzzer

[DavidKorczynski]

could you share the testcase (i.e. the crash-* file to trigger the heap overflow) @bagder ?

[bagder]

here it is:
clusterfuzz-testcase-minimized-curl_fuzzer_gopher-4644400603463680

14 bytes

$ hd clusterfuzz-testcase-minimized-curl_fuzzer_gopher-4644400603463680
00000000  00 01 00 00 00 07 46 49  3a 2f 00 01 00 41        |......FI:/...A|
0000000e

[vanhauser-thc]

I cannot reproduce it:

# ./curl_fuzzer_gopher clusterfuzz-testcase-minimized-curl_fuzzer_gopher-4644400603463680 
Warning: AFL++ tools might need to set AFL_MAP_SIZE to 74989 to be able to run this instrumented program if this crashes!
Reading 14 bytes from clusterfuzz-testcase-minimized-curl_fuzzer_gopher-4644400603463680
Execution successful.

but there was a bugfix 2-3 days ago for afl++ in oss-fuzz. could that have fixed it?
otherwise I need the buildlog to be able to build the exact same gopher binary (several instrumentation options are random)

[bagder]

We're several people who fail to repro it. oss-fuzz insists though... 😁

[bagder]

oss-fuzz said "This crash occurs very frequently on linux platform" 14 hours ago most recently

[vanhauser-thc]

:)
if someone can paste the excerpt of a build log that fails (lines that contain "AFL_") then I can have a look

[bagder]

btw, it indicates this as the regression range for AFLplusplus: AFLplusplus/AFLplusplus@7777045

[jonathanmetzman]

Another strong hint this is an AFL++ can be seen on the part of thestcase page:

TESTCASE ANALYSIS ON OTHER JOBS
No reproducible variants found.

"Real" bugs in AFL targets should also be reproducible in the libFuzzer ASAN targets

[jonathanmetzman]

I actually was able to reproduce this with the build linked to from OSS-Fuzz : https://storage.cloud.google.com/clusterfuzz-builds-afl/curl/curl-address-202111210610.zip
I think I know why no one could reproduce this if this is an instrumentation issue.
Since AFL++ builds randomly decide to use cmplog instrumentation, instrumentation crashes may need to be reproduced on the build on which they were found in OSS-Fuzz. This of course is not an issue in 99% cases because 99% of cases are not crashes due to this random instrumentation but are due to actual bugs in the code.

[DavidKorczynski]

I think I know why no one could reproduce this if this is an instrumentation issue. Since AFL++ builds randomly decide to use cmplog instrumentation, instrumentation crashes may need to be reproduced on the build on which they were found in OSS-Fuzz. This of course is not an issue in 99% cases because 99% of cases are not crashes due to this random instrumentation but are due to actual bugs in the code.

There are currently similar issues happening in other projects #6844 (comment)

In the comment I asked your opinion on this, i.e. on the fact that it's not possible to reliably reproduce an issue in this type of event - is it worth addressing this?

[vanhauser-thc]

I actually was able to reproduce this with the build linked to from OSS-Fuzz : https://storage.cloud.google.com/clusterfuzz-builds-afl/curl/curl-address-202111210610.zip

Edit: can reproduce it, just used the wrong binary ...

but I am unable to test if my fix works as I do not know what the binary explicitly needs to be built like that. I will have a look with gdb ...

the rewrite of cmplog was complex and corner cases are an issue sigh ... this did not come up in fuzzbench with is my second line of CI/unittests ;)

[vanhauser-thc]

In the comment I asked your opinion on this, i.e. on the fact that it's not possible to reliably reproduce an issue in this type of event - is it worth addressing this?

for me it is worth it. if there is a bug it should be fixed.

[jonathanmetzman]

I actually was able to reproduce this with the build linked to from OSS-Fuzz : https://storage.cloud.google.com/clusterfuzz-builds-afl/curl/curl-address-202111210610.zip

I tried this - and it does not crash with the testcase that was supplied.

Weird. I thought I cracked the case.

In the comment I asked your opinion on this, i.e. on the fact that it's not possible to reliably reproduce an issue in this type of event - is it worth addressing this?

for me it is worth it. if there is a bug it should be fixed.

+1

[DavidKorczynski]

Just to clarify, I meant addressing the issue of reliably reproducing, i.e. the solution would be creating some added logic in OSS-Fuzz that makes it possibly to build the AFL in the exact same setting as the one where the bug happens.

[vanhauser-thc]

the build log prints the AFL_... settings that were chosen. with that information it is enough - but needs hands on work to edit compile_afl.
because of bash -eu I cannot test for envs that do not exist, so not sure how I could force a config without editing the script :(
(I could do "env | grep ..." but not sure that is an acceptable solution. I did that originally, but Jonathan didnt like it.)

[bagder]

oss-fuzz just closed the original curl issue 41258 now as "verified". I believe we can then also consider this issue closed!

Thanks!

[bagder]

We just got a new oss-fuzz issue filed that looks very similar and also appears to be A) a false positive and B) not possible to reproduce for us. Want us to file a new issue?

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41390

[jonathanmetzman]

Sorry about that (and for the delay in responding, there was a public holiday in the US).
I'll reopen this. IMO there's something wrong with one of AFL++'s modes, lot's of random breakages.

[bagder]

Random, yes. We got two new issues filed (the new one mentioned here and then yet another one) but not too long after, they were both again closed as verified without us doing anything...

[DavidKorczynski]

There are similar stories in Binutils, where we have recently seen a lot (20+) of dynamic-stack-buffer-overflows which are opened and then closed relatively short after, examples include:

• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41362&q=binutils%20Type%3DBug-Security&can=1&sort=-reported
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41137&q=binutils%20Type%3DBug-Security&can=1&sort=-reported
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40969&q=binutils%20Type%3DBug-Security&can=1&sort=-reported

[vanhauser-thc]

I have a fix since last week but I still need the fuzzbench run that was accepted yesterday to complete until I make a PR to ossfuzz.

[vanhauser-thc]

my commit is in for a few days now - are the issues gone?

[bagder]

We had three issues in curl and they're all gone.

[DavidKorczynski]

Thanks @bagder - and sorry for the inconvenience with the false positives. Could you provide links to the false positives?

[DavidKorczynski]

I have one other false positive from apache-httpd:

• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42715
  The above issue has comments on the false-positive nature of the bug, and these issues are the same (they go from fixed/non-fixed)
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43654
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41230
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43371

[bagder]

Basically all oss-fuzz reported on curl for the last few months (except that we actually got two "real" one this week):

Here are some of them:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43200
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41403
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41390
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40254
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40824
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36072

I think I missed some of the more recent ones but I can't really figure out how to list them all.

[bagder]

All these have gone verfied/fixed all by themselves.

[DavidKorczynski]

Thanks for the links and info! We'll take a look at these and also monitor if they persist.

I think #7026 might fix these issues and that PR was merged two days ago. As such, it may be that the false positives will stop occurring from now on.

[bagder]

fingers crossed

[vanhauser-thc]

I am not sure this is an afl++ thing because when I check the linked reports several are from libfuzzer:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40254 - Crash Revision: https://oss-fuzz.com/revisions?job=libfuzzer_asan_i386_curl&revision=202110220613
same for https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36072 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43200

[DavidKorczynski]

you're right! Thanks @vanhauser-thc !

Looking at the crash state it's also unreproducible and related to mmap. @bagder Could this be some memory allocation exhaustion that is non-deterministic, but is in fact a true positive?

[bagder]

I'm sorry but I don't keep track of what particular thing that trigger the oss-fuzz reports I get. I just know that over the last few months I've basically not gotten any correct reports at all but a lot of those that fixes themselves after a few days of me not doing anything at all.

[inferno-chromium]

@bagder - i am really sorry to hear about these false positive issues. We will work with AFL++ developer and also try to disable any particular instrumentation modes that are causing this. Fuzzing should have zero false positives, so sorry for this experience.

[vanhauser-thc]

@inferno-chromium this is not an afl++ issue. libfuzzer is also reporting crashes.

[inferno-chromium]

@inferno-chromium this is not an afl++ issue. libfuzzer is also reporting crashes.

In that case, we should probably look at the regression range of those filed bugs and see if there is any curl commit that caused this badness. @DavidKorczynski @jonathanmetzman ?

[DavidKorczynski]

I think what has happened is that the AFL++ false positives and unreproducible libfuzzer issues were both conceived as false positives, and from the perspective of @bagder they were both treated as "issues that can't be reproduced". Please correct me if I'm wrong @bagder, but it would be great to hear your thoughts on the user experience. I think libFuzzer issues are true issues - albeit unreproducible issues, which is something that has been debated in the past to keep/not keep if I remember correctly.

With regards to false positives: I believe with #7127 the hope is all should be sorted.

With regards to unreproducible issues: maybe we should add an option that allows users to opt out of receiving those?

[DavidKorczynski]

Basically all oss-fuzz reported on curl for the last few months (except that we actually got two "real" one this week):

Here are some of them:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43200 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41403 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41390 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40254 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40824 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36072

I think I missed some of the more recent ones but I can't really figure out how to list them all.

Bucketizing these issues, as they are two separate categories (unreproducible/ versus false positive):

• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43200 : libfuzzer: labelled unreproducible issue
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41403 : afl: false positive
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41390 : afl: false positive
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40254 : libFuzzer: labelled unreproducible issue
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36072 : libFuzzer: labelled unreproducible issue
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40824 : I can't access this one

I believe all AFL++ issues have been fixed with @vanhauser-thc recent updates, and I would not expect libfuzzer unreproducible issues to disappear.

[DavidKorczynski]

Speaking on the unreproducible issues, then there looks to be two issues that have been reported multiple times: see this link :

• curl_fuzzer_rtsp: Null-dereference WRITE with empty stacktrace, e.g. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40254
• curl:curl_fuzzer_rtsp: Sanitizer CHECK failure in "((0 && "unable to mmap")) != (0)" (0x0, 0x0), e.g. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36072

Both of these have been reported for more than a year on-and-off, and one as early as 2019: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17767&q=Proj%3Dcurl%20Type%3DBug&can=1

The unreproducible curl:curl_fuzzer_rtsp: Sanitizer CHECK failure in "((0 && "unable to mmap")) != (0)" (0x0, 0x0) issue has been reported 15 times since 2019. Perhaps it makes sense to look into improving issue triaging? https://bugs.chromium.org/p/oss-fuzz/issues/list?q=Proj%3Dcurl%20Type%3DBug%20label%3DUnreproducible&can=1

[DavidKorczynski]

In order to improve the user experience and remove noise of false positives/unreproducible issues described in the comments above, I think there are a number of solutions:

• Improving triage of unreproducible issues so they wont be reported repeatedly but rather append comments to issues on monorail.
• allow users to opt out of receiving unreproducible issues, perhaps even make this the default (do we have data on how many unreproducible issues are being investigated/analysed by developers?)
• false positives: I think it would be a good idea to handle fuzzer options at the same level of abstraction as sanitizer/architecture because they change the nature of the build and runtime. This would make triaging + finding erroneous instrumentations + testing in CI + reproducing issues much easier (discussed here)

[ylavic]

Speaking of the httpd reports in #6879 (comment), the latest is from yesterday (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43654) and was auto-closed today (still without anyting done on the httpd side).
I don't know if #7127 was tested against this particular report, in any case the httpd team does not see how it can be valid since the reproducer provided for each of these reports is almost always the same and makes no sense with regard to the reported Heap-buffer-overflow (unless the original code is instrumented somehow..).
Also, if there should be an opt-out option for receiving such issues, I'd suggest that they are not made public either or it might confuse users (which I think is the case already today for the issues being closed/reopened each week).

[ylavic]

Interestingly (possibly?) like for curl/curl#8041 the stacktrace for the httpd case also bypasses a strcasecmp() like function which (supposedly) the tool thinks that it's bypassed by an inner \0, while it's not (absent stray photons and/or multiple pairs of eyes in the httpd team that suddenly went blind).

[DavidKorczynski]

Thanks for the details @ylavic !

In the httpd case the issue does not seem to be unreproducibility but rather the AFL++ issues. Looking at:

• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40990&q=Proj%3Dapache-httpd&can=1
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41230&q=Proj%3Dapache-httpd&can=1
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41469&q=Proj%3Dapache-httpd&can=1
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42226&q=Proj%3Dapache-httpd&can=1
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42715&q=Proj%3Dapache-httpd&can=1
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43168&q=Proj%3Dapache-httpd&can=1
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43371&q=Proj%3Dapache-httpd&can=1
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43654&q=Proj%3Dapache-httpd&can=1

They are all related to the same issue and based on AFL++ - they are false positives, i.e. they are reproducible although in this case one has to ensure AFL++ is compiled in the right way for reproducing and if one is not aware of this one might conclude that they are unreproducible. I think several things should be improve based on the httpd case, e.g.

• deduplication should be improved so the same issue is not reported many times - and this should be done independently of whether the on-off-on-off is due to false positives or unreproducibility.
• the afl++ false positives should be solved. It may be that afl++ fixes #7026 did this but am unsure - since the bug came up again the 14th I would assume not. Am not sure if this PR Ignore fuzz setup problem detection during building with afl++ #7127 has updates for false positive fixing.

[oliverchang]

• deduplication should be improved so the same issue is not reported many times - and this should be done independently of whether the on-off-on-off is due to false positives or unreproducibility.
• the afl++ false positives should be solved. It may be that afl++ fixes #7026 did this but am unsure - since the bug came up again the 14th I would assume not. Am not sure if this PR Ignore fuzz setup problem detection during building with afl++ #7127 has updates for false positive fixing.

Re deduplication we usually do account for previously filed bugs: https://github.com/google/clusterfuzz/blob/6420424de00585e01038cb83e7b4d55b31ad64b3/src/appengine/handlers/cron/triage.py#L229 but the window that we look back is 2 days. Perhaps we can be a little smarter here and increase the window exponentially up to a limit based on how many times we've already filed the bug, but this can have other issues.

It appears that disabling instrumentation randomness (#7039) would have prevented this bug opening/closing cycle completely. Randomly choosing instrumentation during build time does not fit well with ClusterFuzz's model for logic for bug filing/closing.

[vanhauser-thc]

@DavidKorczynski can you help me here and point me to an unreproducable testcase plus the build log of the target of the instance that produced that?

@oliverchang #7026 likely wont fix this as this is something different. I first need to check what is actually the issue. without any data (what were the build options and a testcase) I cannot start to check what the issue could be.

Concerning the test infrastructure. We have a CI etc. but the mass and complexity of targets in oss-fuzz cannot catch the many corner cases. we test with fuzzbench but a) it runs a much older llvm and b) doesnt run always reliable (like a current run is not starting).

So not sure what the solution here would be for a thorough test setup (we are individual devs that not make any money with afl++ (and dont want to), so we have no resources for a multimachine test setup for lots of targets.

@inferno-chromium @jonathanmetzman

[DavidKorczynski]

@DavidKorczynski can you help me here and point me to an unreproducable testcase plus the build log of the target of the instance that produced that?

I couldn't get the build log for some reason but I could list the content of the afl_options.txt- does this help? If so I list them in them below. Also, I sent you the stack trace on email.

apache-httpd_apache-httpd-address-202111280605
AFL_LLVM_MODE_WORKAROUND=0
AFL_ENABLE_DICTIONARY=1
AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2
AFL_ENABLE_CMPLOG=0
AFL_LLVM_LAF_ALL=1
AFL_LAF_CHANCE=30
AFL_LLVM_DICT2FILE=/workspace/out/afl-address-x86_64/afl++.dict
AFL_QUIET=1

apache-httpd_apache-httpd-address-202111130610
AFL_LLVM_MODE_WORKAROUND=0
AFL_ENABLE_DICTIONARY=1
AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2
AFL_ENABLE_CMPLOG=0
AFL_LLVM_LAF_ALL=1
AFL_LAF_CHANCE=30
AFL_LLVM_DICT2FILE=/workspace/out/afl-address-x86_64/afl++.dict
AFL_QUIET=1

apache-httpd_apache-httpd-address-202112200604
AFL_LLVM_MODE_WORKAROUND=0
AFL_ENABLE_DICTIONARY=1
AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2
AFL_ENABLE_CMPLOG=0
AFL_LLVM_LAF_ALL=1
AFL_LAF_CHANCE=30
AFL_IGNORE_UNKNOWN_ENVS=1
AFL_LLVM_DICT2FILE=/workspace/out/afl-address-x86_64/afl++.dict
AFL_QUIET=1

apache-httpd_apache-httpd-address-202201140609
AFL_LLVM_MODE_WORKAROUND=0
AFL_ENABLE_DICTIONARY=1
AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2
AFL_ENABLE_CMPLOG=0
AFL_LLVM_LAF_ALL=1
AFL_LAF_CHANCE=20
AFL_IGNORE_UNKNOWN_ENVS=1
AFL_LLVM_DICT2FILE=/workspace/out/afl-address-x86_64/afl++.dict
AFL_QUIET=1

apache-httpd_apache-httpd-address-202112110607
AFL_LLVM_MODE_WORKAROUND=0
AFL_ENABLE_DICTIONARY=0
AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2
AFL_ENABLE_CMPLOG=0
AFL_LLVM_LAF_ALL=1
AFL_LAF_CHANCE=30
AFL_IGNORE_UNKNOWN_ENVS=1
AFL_QUIET=1

apache-httpd_apache-httpd-address-202201060600
AFL_LLVM_MODE_WORKAROUND=0
AFL_ENABLE_DICTIONARY=0
AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2
AFL_ENABLE_CMPLOG=0
AFL_LLVM_LAF_ALL=1
AFL_LAF_CHANCE=30
AFL_IGNORE_UNKNOWN_ENVS=1
AFL_QUIET=1

apache-httpd_apache-httpd-address-202111200609
AFL_LLVM_MODE_WORKAROUND=0
AFL_ENABLE_DICTIONARY=0
AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2
AFL_ENABLE_CMPLOG=0
AFL_LLVM_LAF_ALL=1
AFL_LAF_CHANCE=30
AFL_QUIET=1

apache-httpd_apache-httpd-address-202112310603
AFL_LLVM_MODE_WORKAROUND=0
AFL_ENABLE_DICTIONARY=0
AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2
AFL_ENABLE_CMPLOG=0
AFL_LLVM_LAF_ALL=1
AFL_LAF_CHANCE=30
AFL_IGNORE_UNKNOWN_ENVS=1
AFL_QUIET=1

[vanhauser-thc]

I am looking at the crash - and to me the crash looks correct.

All crashing testcases start with:

00000000:  6368 754e 4b65 4400 2228 33ad 0a0a 46bd    [ chuNKeD."(3...F. ]

./fuzz_utils clusterfuzz-testcase-minimized-fuzz_utils-5008283178500096
Reading 153 bytes from clusterfuzz-testcase-minimized-fuzz_utils-5008283178500096
=================================================================
==989281==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000001f at pc 0x0000004e563a bp 0x7fffffffd3a0 sp 0x7fffffffd398
READ of size 1 at 0x60700000001f thread T0
    #0 0x4e5639 in ap_is_chunked /src/httpd/server/util.c:1820:34
    #1 0x4d7a10 in LLVMFuzzerTestOneInput /src/fuzz_utils.c:148:7
    #2 0x4d60d5 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:191:7

The source code with comments that explain the testcase:

AP_DECLARE(int) ap_is_chunked(apr_pool_t *p, const char *line)
{
    const char *s;

    if (!line) 
        return 0;

   // ap_cstr_casecmp("chuNKeD","chunked");
    if (!ap_cstr_casecmp(line, "chunked")) { 
        return 1;
    }

    s = find_last_token(p, line, "chunked");
    // s equals line because it starts with "chuNKeD" and it is the only occurance

    if (!s) return 0;

    /* eat spaces right-to-left to see what precedes "chunked" */
    while (--s > line) {  // as s == line, however --s is performed:
        if (*s != ' ') break;
    }

    /* found delim, or leading ws (input wasn't parsed by httpd as a header) */
    if (*s == ',' || *s == ' ') {     // this is a read off by one, basically a  line[-1] != ' ' and asan intervenes
        return 1;
    }
    return 0;
}

[DavidKorczynski]

@ylavic and I have discussed this bug here, where @ylavic highlights the case you describe is not possible @vanhauser-thc : https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42715#c1

See the comment:
"Note that s == line is not possible after 1810 unless line points to the "chunked" string exactly (caseless), which would have been caught by 1806 (and "chunked\0..." is the same as "chunked" from ap_cstr_casecmp() point of vue)."

Also, the bug does not reproduce with other fuzzers

[DavidKorczynski]

@ylavic and I have discussed this bug here, where @ylavic highlights the case you describe is not possible @vanhauser-thc : https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42715#c1

See the comment: "Note that s == line is not possible after 1810 unless line points to the "chunked" string exactly (caseless), which would have been caught by 1806 (and "chunked\0..." is the same as "chunked" from ap_cstr_casecmp() point of vue)."

Also, the bug does not reproduce with other fuzzers

I ran the testcases through a libfuzzer compiled binary and can confirm what @ylavic wrote: the testcases return on https://github.com/apache/httpd/blob/cbf06f48936268222ee0e1433c790e970831c990/server/util.c#L1807

namely here:

   // ap_cstr_casecmp("chuNKeD","chunked");
    if (!ap_cstr_casecmp(line, "chunked")) { 
        return 1;
    }

[ylavic]

I think that ap_cstr_casecmp() is so much instrumented that it loses correctness..

The original version is something like this (gcc -O2):

Dump of assembler code for function ap_cstr_casecmp:
   0x000000000004a000 <+0>:     movzbl (%rdi),%eax
   0x000000000004a003 <+3>:     movzbl (%rsi),%edx
   0x000000000004a006 <+6>:     lea    0x3d533(%rip),%r8        # 0x87540 <ucharmap>
   0x000000000004a00d <+13>:    mov    %rdi,%r9
   0x000000000004a010 <+16>:    mov    %rax,%rcx
   0x000000000004a013 <+19>:    movswl (%r8,%rdx,2),%edx
   0x000000000004a018 <+24>:    movswl (%r8,%rax,2),%eax
   0x000000000004a01d <+29>:    sub    %edx,%eax
   0x000000000004a01f <+31>:    jne    0x4a052 <ap_cstr_casecmp+82>
   0x000000000004a021 <+33>:    mov    $0x1,%edx
   0x000000000004a026 <+38>:    test   %ecx,%ecx
   0x000000000004a028 <+40>:    je     0x4a052 <ap_cstr_casecmp+82>
   0x000000000004a02a <+42>:    nopw   0x0(%rax,%rax,1)
   0x000000000004a030 <+48>:    movzbl (%r9,%rdx,1),%eax
   0x000000000004a035 <+53>:    movzbl (%rsi,%rdx,1),%ecx
   0x000000000004a039 <+57>:    add    $0x1,%rdx
   0x000000000004a03d <+61>:    mov    %rax,%rdi
   0x000000000004a040 <+64>:    movswl (%r8,%rcx,2),%ecx
   0x000000000004a045 <+69>:    movswl (%r8,%rax,2),%eax
   0x000000000004a04a <+74>:    sub    %ecx,%eax
   0x000000000004a04c <+76>:    jne    0x4a052 <ap_cstr_casecmp+82>
   0x000000000004a04e <+78>:    test   %edi,%edi
   0x000000000004a050 <+80>:    jne    0x4a030 <ap_cstr_casecmp+48>
   0x000000000004a052 <+82>:    ret   
End of assembler dump.

The intrumented one is:
(quite hard to follow, it even calls into find_last_token at some point)

Dump of assembler code for function ap_is_chunked:
   0x00000000004fe510 <+0>:	push   %rbp
   0x00000000004fe511 <+1>:	mov    %rsp,%rbp
   0x00000000004fe514 <+4>:	push   %r15
   0x00000000004fe516 <+6>:	push   %r14
   0x00000000004fe518 <+8>:	push   %r13
   0x00000000004fe51a <+10>:	push   %r12
   0x00000000004fe51c <+12>:	push   %rbx
   0x00000000004fe51d <+13>:	sub    $0x18,%rsp
   0x00000000004fe521 <+17>:	mov    0x636a38(%rip),%r8        # 0xb34f60
   0x00000000004fe528 <+24>:	movd   %fs:(%r8),%xmm1
   0x00000000004fe52e <+30>:	movdqa %xmm1,%xmm0
   0x00000000004fe532 <+34>:	psrld  $0x10,%xmm0
   0x00000000004fe537 <+39>:	pxor   %xmm1,%xmm0
   0x00000000004fe53b <+43>:	pextrw $0x0,%xmm0,%r14d
   0x00000000004fe541 <+49>:	movdqa %xmm1,%xmm0
   0x00000000004fe545 <+53>:	pslld  $0x10,%xmm0
   0x00000000004fe54a <+58>:	mov    $0x93c9,%eax
   0x00000000004fe54f <+63>:	pinsrw $0x0,%eax,%xmm0
   0x00000000004fe554 <+68>:	movd   %xmm0,%fs:(%r8)
   0x00000000004fe55a <+74>:	test   %rsi,%rsi
   0x00000000004fe55d <+77>:	je     0x4fe7ab <ap_is_chunked+667>
   0x00000000004fe563 <+83>:	mov    %rsi,%r15
   0x00000000004fe566 <+86>:	mov    0x636a6b(%rip),%r12        # 0xb34fd8
   0x00000000004fe56d <+93>:	mov    %fs:(%r12),%eax
   0x00000000004fe572 <+98>:	xor    %r14d,%eax
   0x00000000004fe575 <+101>:	mov    $0xb65ea8,%r13
   0x00000000004fe57c <+108>:	mov    0x0(%r13),%rcx
   0x00000000004fe580 <+112>:	xor    $0xc2df,%eax
   0x00000000004fe585 <+117>:	cltq   
   0x00000000004fe587 <+119>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe58a <+122>:	add    $0x1,%dl
   0x00000000004fe58d <+125>:	adc    $0x0,%dl
   0x00000000004fe590 <+128>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe593 <+131>:	movl   $0x616f,%fs:(%r12)
   0x00000000004fe59c <+140>:	mov    %rsi,%rax
   0x00000000004fe59f <+143>:	shr    $0x3,%rax
   0x00000000004fe5a3 <+147>:	mov    0x7fff8000(%rax),%al
   0x00000000004fe5a9 <+153>:	test   %al,%al
   0x00000000004fe5ab <+155>:	jne    0x4fea6c <ap_is_chunked+1372>
   0x00000000004fe5b1 <+161>:	mov    (%r15),%al
   0x00000000004fe5b4 <+164>:	add    $0x9d,%al
   0x00000000004fe5b6 <+166>:	jne    0x4fe774 <ap_is_chunked+612>
   0x00000000004fe5bc <+172>:	mov    %fs:(%r12),%eax
   0x00000000004fe5c1 <+177>:	xor    %r14d,%eax
   0x00000000004fe5c4 <+180>:	mov    0x0(%r13),%rcx
   0x00000000004fe5c8 <+184>:	xor    $0x9bc0,%eax
   0x00000000004fe5cd <+189>:	cltq   
   0x00000000004fe5cf <+191>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe5d2 <+194>:	add    $0x1,%dl
   0x00000000004fe5d5 <+197>:	adc    $0x0,%dl
   0x00000000004fe5d8 <+200>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe5db <+203>:	movl   $0x4de0,%fs:(%r12)
   0x00000000004fe5e4 <+212>:	lea    0x1(%r15),%rdi
   0x00000000004fe5e8 <+216>:	mov    %rdi,%rax
   0x00000000004fe5eb <+219>:	shr    $0x3,%rax
   0x00000000004fe5ef <+223>:	mov    0x7fff8000(%rax),%al
   0x00000000004fe5f5 <+229>:	test   %al,%al
   0x00000000004fe5f7 <+231>:	jne    0x4fea82 <ap_is_chunked+1394>
   0x00000000004fe5fd <+237>:	mov    (%rdi),%al
   0x00000000004fe5ff <+239>:	add    $0x98,%al
   0x00000000004fe601 <+241>:	jne    0x4fe774 <ap_is_chunked+612>
   0x00000000004fe607 <+247>:	mov    %fs:(%r12),%eax
   0x00000000004fe60c <+252>:	xor    %r14d,%eax
   0x00000000004fe60f <+255>:	mov    0x0(%r13),%rcx
   0x00000000004fe613 <+259>:	xor    $0xe479,%eax
   0x00000000004fe618 <+264>:	cltq   
   0x00000000004fe61a <+266>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe61d <+269>:	add    $0x1,%dl
   0x00000000004fe620 <+272>:	adc    $0x0,%dl
   0x00000000004fe623 <+275>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe626 <+278>:	movl   $0x723c,%fs:(%r12)
   0x00000000004fe62f <+287>:	lea    0x2(%r15),%rdi
   0x00000000004fe633 <+291>:	mov    %rdi,%rax
   0x00000000004fe636 <+294>:	shr    $0x3,%rax
   0x00000000004fe63a <+298>:	mov    0x7fff8000(%rax),%al
   0x00000000004fe640 <+304>:	test   %al,%al
   0x00000000004fe642 <+306>:	jne    0x4feaa6 <ap_is_chunked+1430>
   0x00000000004fe648 <+312>:	mov    (%rdi),%al
   0x00000000004fe64a <+314>:	add    $0x8b,%al
   0x00000000004fe64c <+316>:	jne    0x4fe774 <ap_is_chunked+612>
   0x00000000004fe652 <+322>:	mov    %fs:(%r12),%eax
   0x00000000004fe657 <+327>:	xor    %r14d,%eax
   0x00000000004fe65a <+330>:	mov    0x0(%r13),%rcx
   0x00000000004fe65e <+334>:	xor    $0x59c2,%eax
   0x00000000004fe663 <+339>:	cltq   
   0x00000000004fe665 <+341>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe668 <+344>:	add    $0x1,%dl
   0x00000000004fe66b <+347>:	adc    $0x0,%dl
   0x00000000004fe66e <+350>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe671 <+353>:	movl   $0x2ce1,%fs:(%r12)
   0x00000000004fe67a <+362>:	lea    0x3(%r15),%rdi
   0x00000000004fe67e <+366>:	mov    %rdi,%rax
   0x00000000004fe681 <+369>:	shr    $0x3,%rax
   0x00000000004fe685 <+373>:	mov    0x7fff8000(%rax),%al
   0x00000000004fe68b <+379>:	test   %al,%al
   0x00000000004fe68d <+381>:	jne    0x4feab8 <ap_is_chunked+1448>
   0x00000000004fe693 <+387>:	mov    (%rdi),%al
   0x00000000004fe695 <+389>:	add    $0x92,%al
   0x00000000004fe697 <+391>:	jne    0x4fe774 <ap_is_chunked+612>
   0x00000000004fe69d <+397>:	mov    %fs:(%r12),%eax
   0x00000000004fe6a2 <+402>:	xor    %r14d,%eax
   0x00000000004fe6a5 <+405>:	mov    0x0(%r13),%rcx
   0x00000000004fe6a9 <+409>:	xor    $0x5d28,%eax
   0x00000000004fe6ae <+414>:	cltq   
   0x00000000004fe6b0 <+416>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe6b3 <+419>:	add    $0x1,%dl
   0x00000000004fe6b6 <+422>:	adc    $0x0,%dl
   0x00000000004fe6b9 <+425>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe6bc <+428>:	movl   $0x2e94,%fs:(%r12)
   0x00000000004fe6c5 <+437>:	lea    0x4(%r15),%rdi
   0x00000000004fe6c9 <+441>:	mov    %rdi,%rax
   0x00000000004fe6cc <+444>:	shr    $0x3,%rax
   0x00000000004fe6d0 <+448>:	mov    0x7fff8000(%rax),%al
   0x00000000004fe6d6 <+454>:	test   %al,%al
   0x00000000004fe6d8 <+456>:	jne    0x4feaca <ap_is_chunked+1466>
   0x00000000004fe6de <+462>:	mov    (%rdi),%al
   0x00000000004fe6e0 <+464>:	add    $0x95,%al
   0x00000000004fe6e2 <+466>:	jne    0x4fe774 <ap_is_chunked+612>
   0x00000000004fe6e8 <+472>:	mov    %fs:(%r12),%eax
   0x00000000004fe6ed <+477>:	xor    %r14d,%eax
   0x00000000004fe6f0 <+480>:	mov    0x0(%r13),%rcx
   0x00000000004fe6f4 <+484>:	xor    $0x7792,%eax
   0x00000000004fe6f9 <+489>:	cltq   
   0x00000000004fe6fb <+491>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe6fe <+494>:	add    $0x1,%dl
   0x00000000004fe701 <+497>:	adc    $0x0,%dl
   0x00000000004fe704 <+500>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe707 <+503>:	movl   $0x3bc9,%fs:(%r12)
   0x00000000004fe710 <+512>:	lea    0x5(%r15),%rdi
   0x00000000004fe714 <+516>:	mov    %rdi,%rax
   0x00000000004fe717 <+519>:	shr    $0x3,%rax
   0x00000000004fe71b <+523>:	mov    0x7fff8000(%rax),%al
   0x00000000004fe721 <+529>:	test   %al,%al
   0x00000000004fe723 <+531>:	jne    0x4feadc <ap_is_chunked+1484>
   0x00000000004fe729 <+537>:	mov    (%rdi),%al
   0x00000000004fe72b <+539>:	add    $0x9b,%al
   0x00000000004fe72d <+541>:	jne    0x4fe774 <ap_is_chunked+612>
   0x00000000004fe72f <+543>:	mov    %fs:(%r12),%eax
   0x00000000004fe734 <+548>:	xor    %r14d,%eax
   0x00000000004fe737 <+551>:	mov    0x0(%r13),%rcx
   0x00000000004fe73b <+555>:	xor    $0x9743,%eax
   0x00000000004fe740 <+560>:	cltq   
   0x00000000004fe742 <+562>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe745 <+565>:	add    $0x1,%dl
   0x00000000004fe748 <+568>:	adc    $0x0,%dl
   0x00000000004fe74b <+571>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe74e <+574>:	movl   $0x4ba1,%fs:(%r12)
   0x00000000004fe757 <+583>:	lea    0x6(%r15),%rdi
   0x00000000004fe75b <+587>:	mov    %rdi,%rax
   0x00000000004fe75e <+590>:	shr    $0x3,%rax
   0x00000000004fe762 <+594>:	mov    0x7fff8000(%rax),%al
   0x00000000004fe768 <+600>:	test   %al,%al
   0x00000000004fe76a <+602>:	jne    0x4feaee <ap_is_chunked+1502>
   0x00000000004fe770 <+608>:	mov    (%rdi),%al
   0x00000000004fe772 <+610>:	add    $0x9c,%al
   0x00000000004fe774 <+612>:	movsbl %al,%esi
   0x00000000004fe777 <+615>:	mov    %fs:(%r12),%ecx
   0x00000000004fe77c <+620>:	xor    %r14d,%ecx
   0x00000000004fe77f <+623>:	mov    0x0(%r13),%rdx
   0x00000000004fe783 <+627>:	xor    $0xb74a,%ecx
   0x00000000004fe789 <+633>:	movslq %ecx,%rcx
   0x00000000004fe78c <+636>:	mov    (%rdx,%rcx,1),%al
   0x00000000004fe78f <+639>:	add    $0x1,%al
   0x00000000004fe791 <+641>:	adc    $0x0,%al
   0x00000000004fe793 <+643>:	mov    %al,(%rdx,%rcx,1)
   0x00000000004fe796 <+646>:	movl   $0x5ba5,%fs:(%r12)
   0x00000000004fe79f <+655>:	test   $0xff000000,%esi
   0x00000000004fe7a5 <+661>:	je     0x4fe7b2 <ap_is_chunked+674>
   0x00000000004fe7a7 <+663>:	xor    %edi,%edi
   0x00000000004fe7a9 <+665>:	jmp    0x4fe7e7 <ap_is_chunked+727>
   0x00000000004fe7ab <+667>:	xor    %eax,%eax
   0x00000000004fe7ad <+669>:	jmp    0x4fea25 <ap_is_chunked+1301>
   0x00000000004fe7b2 <+674>:	mov    %esi,%eax
   0x00000000004fe7b4 <+676>:	shr    $0x10,%eax
   0x00000000004fe7b7 <+679>:	mov    %fs:(%r12),%ecx
   0x00000000004fe7bc <+684>:	xor    %r14d,%ecx
   0x00000000004fe7bf <+687>:	mov    0x0(%r13),%rdi
   0x00000000004fe7c3 <+691>:	xor    $0x4d91,%ecx
   0x00000000004fe7c9 <+697>:	movslq %ecx,%rcx
   0x00000000004fe7cc <+700>:	mov    (%rdi,%rcx,1),%dl
   0x00000000004fe7cf <+703>:	add    $0x1,%dl
   0x00000000004fe7d2 <+706>:	adc    $0x0,%dl
   0x00000000004fe7d5 <+709>:	mov    %dl,(%rdi,%rcx,1)
   0x00000000004fe7d8 <+712>:	movl   $0x26c8,%fs:(%r12)
   0x00000000004fe7e1 <+721>:	test   %al,%al
   0x00000000004fe7e3 <+723>:	sete   %dil
   0x00000000004fe7e7 <+727>:	mov    %fs:(%r12),%eax
   0x00000000004fe7ec <+732>:	xor    %r14d,%eax
   0x00000000004fe7ef <+735>:	mov    0x0(%r13),%rdx
   0x00000000004fe7f3 <+739>:	xor    $0x6a0e,%eax
   0x00000000004fe7f8 <+744>:	cltq   
   0x00000000004fe7fa <+746>:	mov    (%rdx,%rax,1),%cl
   0x00000000004fe7fd <+749>:	add    $0x1,%cl
   0x00000000004fe800 <+752>:	adc    $0x0,%cl
   0x00000000004fe803 <+755>:	mov    %cl,(%rdx,%rax,1)
   0x00000000004fe806 <+758>:	movl   $0x3507,%fs:(%r12)
   0x00000000004fe80f <+767>:	test   %dil,%dil
   0x00000000004fe812 <+770>:	je     0x4fe848 <ap_is_chunked+824>
   0x00000000004fe814 <+772>:	mov    %fs:(%r12),%eax
   0x00000000004fe819 <+777>:	xor    %r14d,%eax
   0x00000000004fe81c <+780>:	mov    0x0(%r13),%rcx
   0x00000000004fe820 <+784>:	xor    $0x7f1a,%eax
   0x00000000004fe825 <+789>:	cltq   
   0x00000000004fe827 <+791>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe82a <+794>:	add    $0x1,%dl
   0x00000000004fe82d <+797>:	adc    $0x0,%dl
   0x00000000004fe830 <+800>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe833 <+803>:	movl   $0x3f8d,%fs:(%r12)
   0x00000000004fe83c <+812>:	test   $0xff00,%esi
   0x00000000004fe842 <+818>:	je     0x4fe84c <ap_is_chunked+828>
   0x00000000004fe844 <+820>:	xor    %esi,%esi
   0x00000000004fe846 <+822>:	jmp    0x4fe87b <ap_is_chunked+875>
   0x00000000004fe848 <+824>:	xor    %esi,%esi
   0x00000000004fe84a <+826>:	jmp    0x4fe8a3 <ap_is_chunked+915>
   0x00000000004fe84c <+828>:	mov    %fs:(%r12),%eax
   0x00000000004fe851 <+833>:	xor    %r14d,%eax
   0x00000000004fe854 <+836>:	mov    0x0(%r13),%rcx
   0x00000000004fe858 <+840>:	xor    $0xe97,%eax
   0x00000000004fe85d <+845>:	cltq   
   0x00000000004fe85f <+847>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe862 <+850>:	add    $0x1,%dl
   0x00000000004fe865 <+853>:	adc    $0x0,%dl
   0x00000000004fe868 <+856>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe86b <+859>:	movl   $0x74b,%fs:(%r12)
   0x00000000004fe874 <+868>:	test   %sil,%sil
   0x00000000004fe877 <+871>:	sete   %sil
   0x00000000004fe87b <+875>:	mov    %fs:(%r12),%eax
   0x00000000004fe880 <+880>:	xor    %r14d,%eax
   0x00000000004fe883 <+883>:	mov    0x0(%r13),%rdx
   0x00000000004fe887 <+887>:	xor    $0x672a,%eax
   0x00000000004fe88c <+892>:	cltq   
   0x00000000004fe88e <+894>:	mov    (%rdx,%rax,1),%cl
   0x00000000004fe891 <+897>:	add    $0x1,%cl
   0x00000000004fe894 <+900>:	adc    $0x0,%cl
   0x00000000004fe897 <+903>:	mov    %cl,(%rdx,%rax,1)
   0x00000000004fe89a <+906>:	movl   $0x3395,%fs:(%r12)
   0x00000000004fe8a3 <+915>:	mov    %fs:(%r12),%eax
   0x00000000004fe8a8 <+920>:	xor    %r14d,%eax
   0x00000000004fe8ab <+923>:	mov    0x0(%r13),%rcx
   0x00000000004fe8af <+927>:	xor    $0xf402,%eax
   0x00000000004fe8b4 <+932>:	cltq   
   0x00000000004fe8b6 <+934>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe8b9 <+937>:	add    $0x1,%dl
   0x00000000004fe8bc <+940>:	adc    $0x0,%dl
   0x00000000004fe8bf <+943>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe8c2 <+946>:	movl   $0x7a01,%fs:(%r12)
   0x00000000004fe8cb <+955>:	mov    $0x1,%eax
   0x00000000004fe8d0 <+960>:	test   %sil,%sil
   0x00000000004fe8d3 <+963>:	jne    0x4fea25 <ap_is_chunked+1301>
   0x00000000004fe8d9 <+969>:	movdqa %xmm1,-0x40(%rbp)
   0x00000000004fe8de <+974>:	mov    %fs:(%r12),%eax
   0x00000000004fe8e3 <+979>:	xor    %r14d,%eax
   0x00000000004fe8e6 <+982>:	mov    0x0(%r13),%rcx
   0x00000000004fe8ea <+986>:	xor    $0x9d28,%eax
   0x00000000004fe8ef <+991>:	cltq   
   0x00000000004fe8f1 <+993>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe8f4 <+996>:	add    $0x1,%dl
   0x00000000004fe8f7 <+999>:	adc    $0x0,%dl
   0x00000000004fe8fa <+1002>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe8fd <+1005>:	movl   $0x4e94,%fs:(%r12)
   0x00000000004fe906 <+1014>:	mov    $0xa90da0,%esi
   0x00000000004fe90b <+1019>:	mov    %r15,%rdi
   0x00000000004fe90e <+1022>:	call   0x4fdd50 <find_last_token>
   0x00000000004fe913 <+1027>:	test   %rax,%rax
   0x00000000004fe916 <+1030>:	je     0x4fea17 <ap_is_chunked+1287>
   0x00000000004fe91c <+1036>:	add    $0xffffffffffffffff,%rax
   0x00000000004fe920 <+1040>:	mov    %rax,%rdx
   0x00000000004fe923 <+1043>:	movdqa -0x40(%rbp),%xmm1
   0x00000000004fe928 <+1048>:	nopl   0x0(%rax,%rax,1)
   0x00000000004fe930 <+1056>:	mov    %fs:(%r12),%ecx
   0x00000000004fe935 <+1061>:	xor    %r14d,%ecx
   0x00000000004fe938 <+1064>:	mov    0x0(%r13),%rsi
   0x00000000004fe93c <+1068>:	xor    $0x508b,%ecx
   0x00000000004fe942 <+1074>:	movslq %ecx,%rbx
   0x00000000004fe945 <+1077>:	movzbl (%rsi,%rbx,1),%ecx
   0x00000000004fe949 <+1081>:	add    $0x1,%cl
   0x00000000004fe94c <+1084>:	adc    $0x0,%cl
   0x00000000004fe94f <+1087>:	mov    %rdx,%rdi
   0x00000000004fe952 <+1090>:	mov    %rax,%r8
   0x00000000004fe955 <+1093>:	mov    %cl,(%rsi,%rbx,1)
   0x00000000004fe958 <+1096>:	movl   $0x2845,%fs:(%r12)
   0x00000000004fe961 <+1105>:	cmp    %r15,%rax
   0x00000000004fe964 <+1108>:	jbe    0x4fe9bf <ap_is_chunked+1199>
   0x00000000004fe966 <+1110>:	mov    %fs:(%r12),%eax
   0x00000000004fe96b <+1115>:	xor    %r14d,%eax
   0x00000000004fe96e <+1118>:	mov    0x0(%r13),%rcx
   0x00000000004fe972 <+1122>:	xor    $0x403a,%eax
   0x00000000004fe977 <+1127>:	cltq   
   0x00000000004fe979 <+1129>:	movzbl (%rcx,%rax,1),%edx
   0x00000000004fe97d <+1133>:	add    $0x1,%dl
   0x00000000004fe980 <+1136>:	adc    $0x0,%dl
   0x00000000004fe983 <+1139>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe986 <+1142>:	movl   $0x201d,%fs:(%r12)
   0x00000000004fe98f <+1151>:	mov    %rdi,%rax
   0x00000000004fe992 <+1154>:	shr    $0x3,%rax
   0x00000000004fe996 <+1158>:	movzbl 0x7fff8000(%rax),%eax
   0x00000000004fe99d <+1165>:	test   %al,%al
   0x00000000004fe99f <+1167>:	jne    0x4fe9b1 <ap_is_chunked+1185>
   0x00000000004fe9a1 <+1169>:	lea    -0x1(%rdi),%rdx
   0x00000000004fe9a5 <+1173>:	lea    -0x1(%r8),%rax
   0x00000000004fe9a9 <+1177>:	cmpb   $0x20,(%r8)
   0x00000000004fe9ad <+1181>:	je     0x4fe930 <ap_is_chunked+1056>
   0x00000000004fe9af <+1183>:	jmp    0x4fe9bf <ap_is_chunked+1199>
   0x00000000004fe9b1 <+1185>:	mov    %edi,%ecx
   0x00000000004fe9b3 <+1187>:	and    $0x7,%cl
   0x00000000004fe9b6 <+1190>:	cmp    %al,%cl
   0x00000000004fe9b8 <+1192>:	jl     0x4fe9a1 <ap_is_chunked+1169>
   0x00000000004fe9ba <+1194>:	call   0x4a6d60 <__asan_report_load1>
   0x00000000004fe9bf <+1199>:	mov    %fs:(%r12),%eax
   0x00000000004fe9c4 <+1204>:	xor    %r14d,%eax
   0x00000000004fe9c7 <+1207>:	mov    0x0(%r13),%rcx
   0x00000000004fe9cb <+1211>:	xor    $0xe8b,%eax
   0x00000000004fe9d0 <+1216>:	cltq   
   0x00000000004fe9d2 <+1218>:	mov    (%rcx,%rax,1),%dl
   0x00000000004fe9d5 <+1221>:	add    $0x1,%dl
   0x00000000004fe9d8 <+1224>:	adc    $0x0,%dl
   0x00000000004fe9db <+1227>:	mov    %dl,(%rcx,%rax,1)
   0x00000000004fe9de <+1230>:	movl   $0x745,%fs:(%r12)
   0x00000000004fe9e7 <+1239>:	mov    %rdi,%rax
   0x00000000004fe9ea <+1242>:	shr    $0x3,%rax
   0x00000000004fe9ee <+1246>:	mov    0x7fff8000(%rax),%al
   0x00000000004fe9f4 <+1252>:	test   %al,%al
   0x00000000004fe9f6 <+1254>:	jne    0x4fea94 <ap_is_chunked+1412>
   0x00000000004fe9fc <+1260>:	mov    (%r8),%al
   0x00000000004fe9ff <+1263>:	cmp    $0x2c,%al
   0x00000000004fea01 <+1265>:	sete   %cl
   0x00000000004fea04 <+1268>:	cmp    $0x20,%al
   0x00000000004fea06 <+1270>:	sete   %al
   0x00000000004fea09 <+1273>:	or     %cl,%al
   0x00000000004fea0b <+1275>:	movzbl %al,%eax
   0x00000000004fea0e <+1278>:	mov    0x63654b(%rip),%r8        # 0xb34f60
   0x00000000004fea15 <+1285>:	jmp    0x4fea25 <ap_is_chunked+1301>
   0x00000000004fea17 <+1287>:	xor    %eax,%eax
   0x00000000004fea19 <+1289>:	mov    0x636540(%rip),%r8        # 0xb34f60
   0x00000000004fea20 <+1296>:	movdqa -0x40(%rbp),%xmm1
   0x00000000004fea25 <+1301>:	mov    0x6365ac(%rip),%rcx        # 0xb34fd8
   0x00000000004fea2c <+1308>:	xor    %fs:(%rcx),%r14d
   0x00000000004fea30 <+1312>:	mov    $0xb65ea8,%rdx
   0x00000000004fea37 <+1319>:	mov    (%rdx),%rdx
   0x00000000004fea3a <+1322>:	xor    $0xb99,%r14d
   0x00000000004fea41 <+1329>:	movslq %r14d,%rsi
   0x00000000004fea44 <+1332>:	mov    (%rdx,%rsi,1),%bl
   0x00000000004fea47 <+1335>:	add    $0x1,%bl
   0x00000000004fea4a <+1338>:	adc    $0x0,%bl
   0x00000000004fea4d <+1341>:	mov    %bl,(%rdx,%rsi,1)
   0x00000000004fea50 <+1344>:	movl   $0x5cc,%fs:(%rcx)
   0x00000000004fea57 <+1351>:	movd   %xmm1,%fs:(%r8)
   0x00000000004fea5d <+1357>:	add    $0x18,%rsp
   0x00000000004fea61 <+1361>:	pop    %rbx
   0x00000000004fea62 <+1362>:	pop    %r12
   0x00000000004fea64 <+1364>:	pop    %r13
   0x00000000004fea66 <+1366>:	pop    %r14
   0x00000000004fea68 <+1368>:	pop    %r15
   0x00000000004fea6a <+1370>:	pop    %rbp
   0x00000000004fea6b <+1371>:	ret    
   0x00000000004fea6c <+1372>:	mov    %r15d,%ecx
   0x00000000004fea6f <+1375>:	and    $0x7,%cl
   0x00000000004fea72 <+1378>:	cmp    %al,%cl
   0x00000000004fea74 <+1380>:	jl     0x4fe5b1 <ap_is_chunked+161>
   0x00000000004fea7a <+1386>:	mov    %r15,%rdi
   0x00000000004fea7d <+1389>:	call   0x4a6d60 <__asan_report_load1>
   0x00000000004fea82 <+1394>:	mov    %edi,%ecx
   0x00000000004fea84 <+1396>:	and    $0x7,%cl
   0x00000000004fea87 <+1399>:	cmp    %al,%cl
   0x00000000004fea89 <+1401>:	jl     0x4fe5fd <ap_is_chunked+237>
   0x00000000004fea8f <+1407>:	call   0x4a6d60 <__asan_report_load1>
   0x00000000004fea94 <+1412>:	mov    %edi,%ecx
   0x00000000004fea96 <+1414>:	and    $0x7,%cl
   0x00000000004fea99 <+1417>:	cmp    %al,%cl
   0x00000000004fea9b <+1419>:	jl     0x4fe9fc <ap_is_chunked+1260>
   0x00000000004feaa1 <+1425>:	call   0x4a6d60 <__asan_report_load1>
   0x00000000004feaa6 <+1430>:	mov    %edi,%ecx
   0x00000000004feaa8 <+1432>:	and    $0x7,%cl
   0x00000000004feaab <+1435>:	cmp    %al,%cl
   0x00000000004feaad <+1437>:	jl     0x4fe648 <ap_is_chunked+312>
   0x00000000004feab3 <+1443>:	call   0x4a6d60 <__asan_report_load1>
   0x00000000004feab8 <+1448>:	mov    %edi,%ecx
   0x00000000004feaba <+1450>:	and    $0x7,%cl
   0x00000000004feabd <+1453>:	cmp    %al,%cl
   0x00000000004feabf <+1455>:	jl     0x4fe693 <ap_is_chunked+387>
   0x00000000004feac5 <+1461>:	call   0x4a6d60 <__asan_report_load1>
   0x00000000004feaca <+1466>:	mov    %edi,%ecx
   0x00000000004feacc <+1468>:	and    $0x7,%cl
   0x00000000004feacf <+1471>:	cmp    %al,%cl
   0x00000000004fead1 <+1473>:	jl     0x4fe6de <ap_is_chunked+462>
   0x00000000004fead7 <+1479>:	call   0x4a6d60 <__asan_report_load1>
   0x00000000004feadc <+1484>:	mov    %edi,%ecx
   0x00000000004feade <+1486>:	and    $0x7,%cl
   0x00000000004feae1 <+1489>:	cmp    %al,%cl
   0x00000000004feae3 <+1491>:	jl     0x4fe729 <ap_is_chunked+537>
   0x00000000004feae9 <+1497>:	call   0x4a6d60 <__asan_report_load1>
   0x00000000004feaee <+1502>:	mov    %edi,%ecx
   0x00000000004feaf0 <+1504>:	and    $0x7,%cl
   0x00000000004feaf3 <+1507>:	cmp    %al,%cl
   0x00000000004feaf5 <+1509>:	jl     0x4fe770 <ap_is_chunked+608>
   0x00000000004feafb <+1515>:	call   0x4a6d60 <__asan_report_load1>
End of assembler dump.

[vanhauser-thc]

yes @ylavic I think you are right, it is not instrumented correctly as the string is not checked for the null byte.
I added this to strcmp like functions to ensure the null byte is checked too.
(we had that in before, but in some context that crashed, but as I implemented that differently now this hopefully wont happen again :) )

I am looking at a different issue and then push a fix to oss-fuzz.

[jonathanmetzman]

@bagder

I'm sorry but I don't keep track of what particular thing that trigger the oss-fuzz reports I get. I just know that over the last few months I've basically not gotten any correct reports at all but a lot of those that fixes themselves after a few days of me not doing anything at all.

We've disabled some of the AFL++ features that we think were causing these False positives.
I'll watch the curl crashes for a few weeks to see if this issue is still happening so we can get things back to a state where you find oss-fuzz useful again.
Sorry for the trouble.