Fuzzing Crash: unknown in file_io #7142

@github-actions

Description

Fuzzing Crash Report

Analysis

Crash Location: /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/fastlanes-0.5.0/src/rle.rs:58:rle_decompress

Error Message:

unsafe precondition(s) violated: slice::get_unchecked requires that the index is within the slice

Stack Trace

stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_nounwind_fmt::runtime
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:122:22
   2: core::panicking::panic_nounwind_fmt
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/intrinsics/mod.rs:2435:9
   3: precondition_check
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/ub_checks.rs:73:21
   4: get_unchecked<half::binary16::f16>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/ub_checks.rs:78:17
   5: get_unchecked<half::binary16::f16, usize>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/slice/mod.rs:646:26
   6: decode<half::binary16::f16, u8>
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/fastlanes-0.5.0/src/rle.rs:58:42
   7: rle_decode_typed<i16, u8, u8>
             at ./encodings/fastlanes/src/rle/array/rle_decompress.rs:89:9
   8: rle_decompress
             at ./encodings/fastlanes/src/rle/array/rle_decompress.rs:33:30
   9: execute
             at ./encodings/fastlanes/src/rle/vtable/mod.rs:241:13
  10: execute<vortex_fastlanes::rle::vtable::RLE>
             at ./vortex-array/src/vtable/dyn_.rs:157:22
  11: execute_step
             at ./vortex-array/src/executor.rs:338:12
  12: execute_until<vortex_array::canonical::AnyCanonical>
             at ./vortex-array/src/executor.rs:147:26
  13: execute
             at ./vortex-array/src/canonical.rs:530:28
  14: execute
             at ./vortex-array/src/canonical.rs:801:30
  15: execute<vortex_array::arrays::primitive::array::PrimitiveArray>
             at ./vortex-array/src/executor.rs:56:9
  16: to_arrow_primitive<arrow_array::types::Int16Type>
             at ./vortex-array/src/arrow/executor/primitive.rs:42:27
  17: execute_arrow
             at ./vortex-array/src/arrow/executor/mod.rs:102:32
  18: into_arrow
             at ./vortex-array/src/arrow/mod.rs:44:14
  19: try_new_with_target_datatype
   ... (52 more frames truncated)

Root Cause Analysis

The crash is an out-of-bounds access in fastlanes::rle::decode (fastlanes-0.5.0/src/rle.rs:58), where slice::get_unchecked is called with an index beyond the slice length during RLE decompression of f16 values. The root cause is that the chunk_values slice passed to V::decode in rle_decompress.rs:89-93 is too short for the number of distinct values referenced by the chunk's indices, meaning the values_idx_offsets do not correctly bound the values slice for the given chunk. The fix should add a bounds check on chunk_values length before calling V::decode, or ensure that the values slice is correctly sized by computing the end offset from values_idx_offsets[chunk_idx + 1] and validating it does not exceed the values array length.
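
As an added illustration of the fix the analysis describes, and not code from Vortex or fastlanes, the following Rust sketch models the layout the analysis names: a flat `values` array, a `values_idx_offsets` array holding one start offset per chunk plus a final end offset, and per-chunk indices into that chunk's values. `chunk_values` validates the offsets before slicing, and `rle_decode_chunk` validates every index before lookup, so a malformed file produces an error instead of an unchecked read. The function names, the error type and the `u8` index width are assumptions. Note that the report's panic surfaces only because the nightly build enables library precondition checks; in a build without them, `get_unchecked` with an out-of-range index is undefined behaviour, not a panic, which is why the check belongs in the caller before the unsafe decode.

```rust
// Added example (not Vortex or fastlanes code): bounds-checked chunk slicing
// for an RLE layout modelled on the one the crash report describes.
#[derive(Debug, PartialEq)]
pub enum RleError {
    BadChunkIndex { chunk_idx: usize, num_chunks: usize },
    BadOffsets { chunk_idx: usize, start: usize, end: usize, values_len: usize },
    IndexOutOfRange { chunk_idx: usize, index: usize, chunk_values_len: usize },
}

/// Compute the slice of distinct values belonging to `chunk_idx`.
/// `values_idx_offsets` has one entry per chunk plus a final end offset,
/// so chunk `i` covers `values[offsets[i]..offsets[i + 1]]`. Both the
/// chunk index and the offset pair are validated before slicing.
pub fn chunk_values<'a, T>(
    values: &'a [T],
    values_idx_offsets: &[usize],
    chunk_idx: usize,
) -> Result<&'a [T], RleError> {
    let num_chunks = values_idx_offsets.len().saturating_sub(1);
    if chunk_idx >= num_chunks {
        return Err(RleError::BadChunkIndex { chunk_idx, num_chunks });
    }
    let start = values_idx_offsets[chunk_idx];
    let end = values_idx_offsets[chunk_idx + 1];
    if start > end || end > values.len() {
        return Err(RleError::BadOffsets { chunk_idx, start, end, values_len: values.len() });
    }
    Ok(&values[start..end])
}

/// Decode one chunk: each index selects one of the chunk's distinct values.
/// Every index is checked against the chunk's value count before lookup,
/// so untrusted input can never drive an out-of-bounds read.
pub fn rle_decode_chunk<T: Copy>(
    values: &[T],
    values_idx_offsets: &[usize],
    indices: &[u8],
    chunk_idx: usize,
) -> Result<Vec<T>, RleError> {
    let chunk = chunk_values(values, values_idx_offsets, chunk_idx)?;
    let mut out = Vec::with_capacity(indices.len());
    for &idx in indices {
        let idx = idx as usize;
        match chunk.get(idx) {
            Some(v) => out.push(*v),
            None => {
                return Err(RleError::IndexOutOfRange {
                    chunk_idx,
                    index: idx,
                    chunk_values_len: chunk.len(),
                })
            }
        }
    }
    Ok(out)
}

fn main() {
    // Constructed sample: f16 bit patterns for 1.0, 2.0 and 3.0, split into
    // two chunks by the offsets [0, 2, 3].
    let values: Vec<u16> = vec![0x3C00, 0x4000, 0x4200];
    let offsets = vec![0usize, 2, 3];
    println!("{:?}", rle_decode_chunk(&values, &offsets, &[0, 1, 1], 0));

    // Constructed malformed input: the end offset of chunk 1 points past
    // the end of `values`, which is the shape of defect the report describes.
    let bad_offsets = vec![0usize, 2, 7];
    println!("{:?}", rle_decode_chunk(&values, &bad_offsets, &[0], 1));
}
```

The check in `chunk_values` is the one the analysis asks for: the end offset comes from `values_idx_offsets[chunk_idx + 1]` and is compared against the values length before any slice is formed, so the decoder downstream only ever sees a correctly sized `chunk_values`.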

Summary

Reproduce

cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-136b2324496031c335f6a2f41a94731f3c0473d1 -- -rss_limit_mb=0

Reproduction Steps

  1. Download the crash artifact: https://github.com/vortex-data/vortex/actions/runs/23494547611/artifacts/6083140156

  2. Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:

# Create the artifacts directory if you haven't already.
mkdir -p ./fuzz/artifacts

# Move the zipfile.
mv ~/Downloads/file_io-crash-artifacts.zip ./fuzz/artifacts/

# Unzip the zipfile.
unzip ./fuzz/artifacts/file_io-crash-artifacts.zip -d ./fuzz/artifacts/

# You can remove the zipfile now if you want to.
rm ./fuzz/artifacts/file_io-crash-artifacts.zip

  3. Reproduce the crash:

cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-136b2324496031c335f6a2f41a94731f3c0473d1 -- -rss_limit_mb=0

If you want a backtrace:

RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-136b2324496031c335f6a2f41a94731f3c0473d1 -- -rss_limit_mb=0
RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-136b2324496031c335f6a2f41a94731f3c0473d1 -- -rss_limit_mb=0

Single command to get a backtrace

mkdir -p ./fuzz/artifacts
mv ~/Downloads/file_io-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/file_io-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/file_io-crash-artifacts.zip
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-136b2324496031c335f6a2f41a94731f3c0473d1 -- -rss_limit_mb=0

Auto-created by fuzzing workflow

Labels: bug (A bug issue), fuzzer (Issues detected by the fuzzer)
