Fix a double free in the fuzzing harness when input is of size 0.

Merged Denis Kasak requested to merge fix-harness-double-free into master

Consider the case when the input is size 0. In this case, count and buffer_pos will be 0 as well. The realloc call in the count == 0 branch will then effectively become a free.

However, realloc can sometimes return NULL when a 0 is passed for the size. The current code assumes that this only happens on a memory allocation error and breaks out of the loop. This then becomes a double free because the buffer is freed a second time, causing an abort.

The intent of the realloc is probably to downsize the buffer to fit the data exactly in order to make incorrect memory access more obvious. This changes the code to skip this downsizing if the size of the input data is 0.

Signed-off-by: Denis Kasak dkasak@termina.org.uk
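The edge case the description above walks through, as an added example in C that is not part of this merge request or the project's own harness: a hypothetical growable input buffer (the names input_buf, input_buf_append, input_buf_shrink_to_fit and run_harness are invented) whose downsizing step skips realloc when the input is empty, so the buffer is freed exactly once on every path.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical growable input buffer modelled on the harness in the MR
 * (constructed for this example, not the project's own code). */
struct input_buf { unsigned char *data; size_t len; size_t cap; };  /* len = the MR's buffer_pos */

/* Append n bytes, growing the buffer. Returns 0 on success, -1 on OOM. */
static int input_buf_append(struct input_buf *b, const unsigned char *src, size_t n)
{
    if (b->len + n > b->cap) {
        size_t ncap = (b->len + n) * 2;
        unsigned char *p = realloc(b->data, ncap);
        if (p == NULL) return -1;       /* old block still valid; caller frees it */
        b->data = p; b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Downsize to exactly len bytes so out-of-bounds reads are easier to catch.
 * The fix: never call realloc(ptr, 0). Its result is implementation-defined; glibc
 * frees ptr and returns NULL, which the unfixed harness took for an OOM and freed again. */
static int input_buf_shrink_to_fit(struct input_buf *b)
{
    if (b->len == 0) return 0;          /* empty input: skip the downsizing */
    unsigned char *p = realloc(b->data, b->len);
    if (p == NULL) return -1;           /* genuine failure; b->data still owned */
    b->data = p; b->cap = b->len;
    return 0;
}

/* One harness run over an in-memory input, fed in 16-byte chunks like a
 * stdin read loop. Returns bytes handed to the (stand-in) target, or -1 on
 * allocation failure. The buffer is freed exactly once on every path. */
static long run_harness(const unsigned char *in, size_t n)
{
    struct input_buf b = { NULL, 0, 0 };
    long result = -1;
    for (size_t off = 0; off < n; off += 16) {
        size_t chunk = n - off < 16 ? n - off : 16;
        if (input_buf_append(&b, in + off, chunk) != 0) goto out;
    }
    if (input_buf_shrink_to_fit(&b) == 0)
        result = (long)b.len;           /* stand-in for calling the target */
out:
    free(b.data);                       /* free(NULL) is a no-op for empty input */
    return result;
}
```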
