Fix a double free in the fuzzing harness when input is of size 0.

Denis Kasak requested to merge fix-harness-double-free into master

Consider the case when the input is size 0. In this case, count and buffer_pos will be 0 as well. The realloc call in the count == 0 branch will then effectively become a free.

However, realloc can sometimes return NULL when a 0 is passed for the size. The current code assumes that this only happens on a memory allocation error and breaks out of the loop. This then becomes a double free because the buffer is freed a second time, causing an abort.

The intent of the realloc is probably to downsize the buffer to fit the data exactly in order to make incorrect memory access more obvious. This changes the code to skip this downsizing if the size of the input data is 0.

Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
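The read loop described above, as an added example that is not the project's harness code: input is copied into a heap buffer in fixed-size chunks, and on end of input the buffer is shrunk to fit so that stray reads past the data show up under ASan or valgrind. The `count == 0` shrink is skipped exactly as the merge request proposes, because on glibc `realloc(p, 0)` frees `p` and returns NULL, and treating that NULL as an allocation failure leads to freeing `p` a second time. The names `CHUNK`, `read_chunk`, `shrink_to_fit`, `slurp_input` and `demo_harness_read` and the sample input are assumptions of this example; `read_chunk` stands in for `fread()` on a constructed in-memory input.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not the project's harness code. Names below are assumed;
 * read_chunk models fread() over a constructed in-memory input. */

#define CHUNK 16

/* Stand-in for fread(): copy up to `want` bytes of src[pos..len) into dst.
 * Returns the number of bytes copied, 0 at end of input (like fread at EOF). */
static size_t read_chunk(const unsigned char *src, size_t len, size_t pos,
                         unsigned char *dst, size_t want)
{
    size_t left = pos < len ? len - pos : 0;
    size_t n = left < want ? left : want;
    memcpy(dst, src + pos, n);
    return n;
}

/* Shrink *buf to exactly `count` bytes so reads past the data are visible to
 * ASan/valgrind. Returns 0 on success, -1 if realloc failed; on failure *buf
 * is untouched and still owned by the caller (free it exactly once).
 * count == 0 is skipped on purpose: realloc(p, 0) is implementation-defined,
 * and on glibc it frees p and returns NULL, so a caller that reads that NULL
 * as "allocation error, free p" frees p twice. */
static int shrink_to_fit(unsigned char **buf, size_t count)
{
    if (count == 0)
        return 0;
    unsigned char *p = realloc(*buf, count);
    if (p == NULL)
        return -1;
    *buf = p;
    return 0;
}

/* Read the whole input into a heap buffer, doubling capacity as needed, then
 * shrink to fit. Returns the buffer and sets *out_len (0 for empty input, in
 * which case the initial CHUNK-byte buffer is returned as is), or NULL on
 * allocation failure. The caller frees the result exactly once. */
static unsigned char *slurp_input(const unsigned char *src, size_t len,
                                  size_t *out_len)
{
    size_t cap = CHUNK, pos = 0;
    unsigned char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    for (;;) {
        if (cap - pos < CHUNK) {            /* make room for one more chunk */
            unsigned char *p = realloc(buf, cap * 2);
            if (p == NULL) { free(buf); return NULL; }
            buf = p;
            cap *= 2;
        }
        size_t count = read_chunk(src, len, pos, buf + pos, CHUNK);
        if (count == 0) {                   /* end of input: shrink, then stop */
            if (shrink_to_fit(&buf, pos) != 0) { free(buf); return NULL; }
            break;
        }
        pos += count;
    }
    *out_len = pos;
    return buf;
}

/* Exercise a 40-byte input and the size-0 input on constructed data.
 * Returns 1 when both paths behave and each buffer is freed exactly once. */
int demo_harness_read(void)
{
    /* constructed sample: 39 characters plus the terminating NUL = 40 bytes */
    static const unsigned char sample[40] = "the quick brown fox jumps over the lazy";
    size_t n = 0, m = 0;
    unsigned char *a = slurp_input(sample, sizeof sample, &n);
    unsigned char *b = slurp_input(sample, 0, &m);      /* the size-0 case */
    int ok = a != NULL && b != NULL && n == sizeof sample && m == 0
             && memcmp(a, sample, sizeof sample) == 0;
    free(a);
    free(b);        /* single free of the empty-input buffer; no double free */
    return ok;
}
```

The guard lives in `shrink_to_fit` rather than in the loop so that every caller gets it; if the harness is later changed to grow the buffer differently, the size-0 shrink still cannot turn into a free.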