From 8d1cfd207afc1edc9df7c8cc62347137210e5862 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Mon, 10 May 2021 13:05:57 +0200 Subject: [PATCH] Fix a fuzzing harness double free when input is of size 0. Consider the case when the input is size 0. In this case, `count` and `buffer_pos` will be 0 as well. The `realloc` call in the `count == 0` branch will then effectively become a free. However, `realloc` can sometimes return `NULL` when a 0 is passed for the size. The current code assumes that this only happens on a memory allocation error and breaks out of the loop. This then becomes a double free because the buffer is freed a second time, causing an abort. The intent of the `realloc` is probably to downsize the buffer to fit the data exactly in order to make incorrect memory access more obvious. This commit skips this downsizing if the size of the input data is 0. --- fuzzers/include/fuzzing.hh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/fuzzers/include/fuzzing.hh b/fuzzers/include/fuzzing.hh index b27c396..3dd394f 100644 --- a/fuzzers/include/fuzzing.hh +++ b/fuzzers/include/fuzzing.hh @@ -24,9 +24,11 @@ ssize_t read_file( ); if (count < 0) break; if (count == 0) { - uint8_t * return_buffer = (uint8_t *) realloc(current_buffer, buffer_pos); - if (return_buffer == NULL) break; - *buffer = return_buffer; + if (buffer_pos != 0) { + current_buffer = (uint8_t *) realloc(current_buffer, buffer_pos); + if (current_buffer == NULL) break; + } + *buffer = current_buffer; return buffer_pos; } buffer_pos += count;
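Review bot: the `+` lines in this hunk assign the `realloc` result straight into `current_buffer` (`current_buffer = (uint8_t *) realloc(current_buffer, buffer_pos);`), so when `realloc` fails for a non-zero `buffer_pos` the original block is still allocated but the only pointer to it has just been overwritten with `NULL`; the `break` that follows then leaves whatever cleanup runs after the loop with nothing to free, which leaks the buffer. The removed lines avoided this by keeping the result in a temporary (`return_buffer`) and only publishing it on success. Suggest restoring that shape inside the new `if (buffer_pos != 0)` guard, e.g. `uint8_t * return_buffer = (uint8_t *) realloc(current_buffer, buffer_pos); if (return_buffer == NULL) break; current_buffer = return_buffer;`, so the zero-size skip from this patch and the failure path of the old code are both correct. The guard itself is the right fix for the double free described in the commit message: `realloc(ptr, 0)` is implementation-defined and may free `ptr` and return `NULL`, so the old `if (return_buffer == NULL) break;` could not distinguish "freed" from "allocation failed"; not calling `realloc` at all when `buffer_pos == 0` removes that ambiguity. A one-line comment above the guard stating that this is why the zero-size case is skipped would keep the next reader from "simplifying" it back.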