Fix a double free in the fuzzing harness when input is of size 0.

Consider the case when the input is size 0. In this case, count and
buffer_pos will be 0 as well. The realloc call in the count == 0
branch will then effectively become a free.

However, realloc can sometimes return NULL when a 0 is passed for
the size. The current code assumes that this only happens on a memory
allocation error and breaks out of the loop. This then becomes a double
free because the buffer is freed a second time, causing an abort.

The intent of the realloc is probably to downsize the buffer to fit
the data exactly in order to make incorrect memory access more obvious.

This changes the code to skip this downsizing if the size of the input data
is 0.

Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
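
The sequence this commit message describes, as an added example that is not the project's harness code: `run_harness`, `CHUNK` and the shim allocator are hypothetical, and only `count` and `buffer_pos` are names taken from the message. The shim assumes a realloc that frees and returns NULL for size 0, and it counts the second release instead of performing it, so the model runs without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK 16
/* Constructed shim allocator: one static arena, so nothing is really freed.
   Models a realloc that frees and returns NULL when the size is 0. */
static unsigned char arena[4096];
static int in_use, double_frees;
static void shim_free(void *p) {
    if (p == NULL) return;
    if (!in_use) { double_frees++; return; }   /* second release of the buffer */
    in_use = 0;
}
static void *shim_realloc(void *p, size_t n) {
    if (n == 0) { shim_free(p); return NULL; } /* behaves as free(p) */
    if (n > sizeof arena) return NULL;         /* genuine allocation failure */
    in_use = 1;
    return arena;
}
/* Hypothetical model of the harness read loop; fixed=0 is the old logic.
   Returns the number of double frees seen for this input. */
static int run_harness(const unsigned char *in, size_t len, int fixed) {
    in_use = 0; double_frees = 0;
    size_t buffer_pos = 0;
    unsigned char *tmp, *buffer = shim_realloc(NULL, CHUNK);
    for (;;) {
        size_t count = len - buffer_pos < CHUNK ? len - buffer_pos : CHUNK;
        if (count == 0) {                       /* end of input */
            if (!(fixed && buffer_pos == 0)) {  /* fix: skip downsizing to 0 */
                tmp = shim_realloc(buffer, buffer_pos);
                if (tmp == NULL) break;         /* taken for an OOM error */
                buffer = tmp;
            }
            /* the fuzz target would consume buffer[0..buffer_pos) here */
            break;
        }
        tmp = shim_realloc(buffer, buffer_pos + count);
        if (tmp == NULL) break;
        buffer = tmp;
        memcpy(buffer + buffer_pos, in + buffer_pos, count);
        buffer_pos += count;
    }
    shim_free(buffer);                          /* cleanup after the loop */
    return double_frees;
}

int main(void) {
    printf("old: %d, fixed: %d\n", run_harness(NULL, 0, 0), run_harness(NULL, 0, 1));
    return 0;
}
```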