Fix a double free in the fuzzing harness when input is of size 0.
Consider the case when the input is size 0. In this case, count
and
buffer_pos
will be 0 as well. The realloc
call in the count == 0
branch will then effectively become a free.
However, realloc
can sometimes return NULL
when a 0 is passed for
the size. The current code assumes that this only happens on a memory
allocation error and breaks out of the loop. This then becomes a double
free because the buffer is freed a second time, causing an abort.
The intent of the realloc
is probably to downsize the buffer to fit
the data exactly in order to make incorrect memory access more obvious.
This changes the code to skip this downsizing if the size of the input data
is 0.
Signed-off-by: Denis Kasak dkasak@termina.org.uk
Merge request reports
Activity
Filter activity
Please register or sign in to reply