olm/fuzzers
Denis Kasak 8d1cfd207a Fix a fuzzing harness double free when input is of size 0.
Consider the case when the input is size 0. In this case, `count` and
`buffer_pos` will be 0 as well. The `realloc` call in the `count == 0`
branch will then effectively become a free.

However, `realloc` can sometimes return `NULL` when a 0 is passed for
the size. The current code assumes that this only happens on a memory
allocation error and breaks out of the loop. This then becomes a double
free because the buffer is freed a second time, causing an abort.

The intent of the `realloc` is probably to downsize the buffer to fit
the data exactly in order to make incorrect memory access more obvious.
This commit skips this downsizing if the size of the input data is 0.
2021-05-10 21:04:44 +00:00
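The failure mode in the commit message above, as an added example that is not libolm's own harness code: a minimal model of the "read the whole input, then ``realloc()`` it down to the exact size" loop, run once with the original shrink-on-EOF behaviour and once with the fix (skip the shrink when nothing was read). Names such as ``read_all``, ``run_harness`` and the ``t_*`` wrappers are this example's own. The wrappers track live allocations so the buggy path reports the double free instead of aborting, and they model ``realloc(p, 0)`` as "free ``p`` and return ``NULL``", which C permits and glibc does.

```c
/* Added example, not libolm's code: model of a fuzzing harness's read loop,
 * the zero-length-input double free, and the fix. Names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Allocation tracker so the buggy path *reports* a double free instead of
 * aborting the process, letting both variants run side by side. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void track(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == NULL) { live[i] = p; return; }
}
static int untrack(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { live[i] = NULL; return 1; }
    return 0;
}
static void *t_malloc(size_t n) { void *p = malloc(n); if (p) track(p); return p; }
static void t_free(void *p) {
    if (p == NULL) return;
    if (!untrack(p)) { double_free_count++; return; } /* glibc/ASan would abort here */
    free(p);
}
/* C allows realloc(p, 0) to free p and return NULL; glibc does exactly that.
 * Modelled explicitly so the result does not depend on the libc linked in. */
static void *t_realloc(void *p, size_t n) {
    if (n == 0) { t_free(p); return NULL; }
    void *q = realloc(p, n);
    if (q != NULL) { untrack(p); track(q); }
    return q;
}

/* Read all of fd into a heap buffer, doubling as needed, then shrink to the
 * exact length at EOF. shrink_empty == 1 is the original behaviour (shrink
 * even when nothing was read); 0 applies the fix. */
static ssize_t read_all(int fd, uint8_t **out, int shrink_empty) {
    size_t cap = 4096, pos = 0;
    uint8_t *buf = t_malloc(cap);
    if (buf == NULL) return -1;
    for (;;) {
        ssize_t n = read(fd, buf + pos, cap - pos);
        if (n < 0) break;
        if (n == 0) {                          /* EOF: hand back exactly pos bytes */
            if (pos == 0 && !shrink_empty) {   /* fix: nothing to shrink, keep buf */
                *out = buf;
                return 0;
            }
            uint8_t *exact = t_realloc(buf, pos);
            if (exact == NULL) break;          /* bug: for pos == 0, buf is already freed */
            *out = exact;
            return (ssize_t)pos;
        }
        pos += (size_t)n;
        if (pos == cap) {
            cap *= 2;
            uint8_t *bigger = t_realloc(buf, cap);
            if (bigger == NULL) break;
            buf = bigger;
        }
    }
    t_free(buf);                               /* error path: second free after a zero-size shrink */
    return -1;
}

/* Push constructed bytes through a pipe and run read_all on the read end.
 * Returns read_all's result (-3 if the bytes came back wrong) and the double
 * frees seen. Inputs must fit the pipe buffer because we write before reading. */
static ssize_t run_harness(const uint8_t *data, size_t len, int shrink_empty, int *dbl) {
    int fds[2];
    if (pipe(fds) != 0) return -2;
    if (len > 0 && write(fds[1], data, len) != (ssize_t)len) return -2;
    close(fds[1]);
    double_free_count = 0;
    uint8_t *out = NULL;
    ssize_t got = read_all(fds[0], &out, shrink_empty);
    close(fds[0]);
    if (got >= 0) {
        if ((size_t)got != len || (len > 0 && memcmp(out, data, len) != 0)) got = -3;
        t_free(out);
    }
    *dbl = double_free_count;
    return got;
}

/* Scenarios: each returns 1 when the harness behaves as described. */
int empty_input_double_frees_when_shrunk(void) {
    int dbl = 0;
    return run_harness(NULL, 0, 1, &dbl) == -1 && dbl == 1;
}
int empty_input_ok_when_fixed(void) {
    int dbl = 0;
    return run_harness(NULL, 0, 0, &dbl) == 0 && dbl == 0;
}
int large_input_roundtrips(int shrink_empty) {
    static uint8_t big[10000];                 /* constructed: exercises the doubling path */
    for (size_t i = 0; i < sizeof big; i++) big[i] = (uint8_t)(i * 7);
    int dbl = 0;
    return run_harness(big, sizeof big, shrink_empty, &dbl) == (ssize_t)sizeof big && dbl == 0;
}

int main(void) {
    printf("original, empty input: double free reported = %d\n", empty_input_double_frees_when_shrunk());
    printf("fixed, empty input: ok = %d\n", empty_input_ok_when_fixed());
    printf("10000-byte input round-trips: original %d, fixed %d\n",
           large_input_roundtrips(1), large_input_roundtrips(0));
    return 0;
}
```

The non-empty path is unchanged by the fix: the exact-size shrink still happens, so out-of-bounds reads past the input stay detectable by ASan, which is the point of shrinking in the first place.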
include Fix a fuzzing harness double free when input is of size 0. 2021-05-10 21:04:44 +00:00
fuzz_decode_message.cpp Add support for building fuzzers using american fuzzy lop 2016-05-23 17:32:24 +01:00
fuzz_decrypt.cpp Add a fuzzer for olm_group_decrypt 2016-05-26 13:25:34 +01:00
fuzz_group_decrypt.cpp Fix broken fuzzer compilation 2016-10-24 16:32:21 +01:00
fuzz_unpickle_account.cpp Add support for building fuzzers using american fuzzy lop 2016-05-23 17:32:24 +01:00
fuzz_unpickle_session.cpp Add support for building fuzzers using american fuzzy lop 2016-05-23 17:32:24 +01:00
README.rst python: Remove the python bindings. 2018-07-18 17:44:32 -04:00

Fuzzers
=======

This directory contains a collection of fuzzing tools. Each tests a different
entry point to the code.

Usage notes:

1. Install AFL:

   .. code::

      apt-get install afl

2. Build the fuzzers:

   .. code::

      make fuzzers

3. Some of the tests (e.g. ``fuzz_decrypt`` and ``fuzz_group_decrypt``) require a
   session file, passed as a test argument. You can create one by pickling an
   Olm session.

4. Make some work directories:

   .. code::

      mkdir -p fuzzing/in fuzzing/out

5. Generate starting input:

   .. code::

      echo "Test" > fuzzing/in/test

6. Run the test under ``afl-fuzz``:

   .. code::

      afl-fuzz -i fuzzing/in -o fuzzing/out -- \
         ./build/fuzzers/fuzz_<fuzzing_tool> [<test args>]

7. To resume with the data produced by an earlier run:

   .. code::

      afl-fuzz -i- -o existing_output_dir [...etc...]

8. If ``afl-fuzz`` reports crashes, pipe each failing input into
   ``./build/fuzzers/debug_<fuzzing_tool>`` (with the same test args) to
   reproduce it, fix the bug, and repeat.
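The last step, done for every saved crash at once, as an added example that is not part of libolm: a POSIX shell function that replays each crash file through the matching ``debug_<tool>`` binary and reports whether it died by signal, by non-zero exit, or not at all. It assumes (the README does not say) that ``afl-fuzz`` stores crashes as ``<out>/crashes/id:*`` (AFL++ nests them one level deeper, ``<out>/<name>/crashes/``), and that ``debug_<tool>`` reads the test case on stdin as step 8 implies. The fixture at the bottom (a fake output directory and a stand-in debug tool that aborts on empty input) is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of libolm: batch-replay AFL crash files through
# debug_<tool>. Assumes <out>/crashes/id:* (or <out>/*/crashes/id:*) layout
# and that the debug binary reads the test case on stdin.

# usage: triage_crashes <afl_out_dir> <debug_binary> [extra args...]
# Prints one line per crash file and a final "<n> crash files, <m> reproduced".
triage_crashes() {
    out_dir=$1
    debug_bin=$2
    shift 2
    found=0
    reproduced=0
    for f in "$out_dir"/crashes/id:* "$out_dir"/*/crashes/id:*; do
        [ -f "$f" ] || continue              # an unmatched glob stays literal; skip it
        found=$((found + 1))
        # Run inside `if` so a non-zero status does not trip `set -e`.
        if "$debug_bin" "$@" < "$f" > /dev/null 2>&1; then
            status=0
        else
            status=$?
        fi
        if [ "$status" -gt 128 ]; then       # killed by a signal (SIGABRT=6, SIGSEGV=11)
            reproduced=$((reproduced + 1))
            printf '%s: signal %d, %s bytes\n' "$f" $((status - 128)) "$(wc -c < "$f" | tr -d ' ')"
        elif [ "$status" -ne 0 ]; then
            reproduced=$((reproduced + 1))
            printf '%s: exit status %d\n' "$f" "$status"
        else
            printf '%s: did not reproduce\n' "$f"
        fi
    done
    printf '%d crash files, %d reproduced\n' "$found" "$reproduced"
}

# Constructed fixture (not real fuzzer output): a fake AFL output directory
# with two crash files and a stand-in debug tool that aborts on empty input,
# the zero-length case from the commit above. Prints the fixture path.
make_demo_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/out/crashes"
    printf 'AAAA' > "$tmp/out/crashes/id:000000"
    : > "$tmp/out/crashes/id:000001"
    cat > "$tmp/debug_fake" <<'EOF'
#!/bin/sh
n=$(wc -c | tr -d ' ')
[ "$n" -eq 0 ] && kill -ABRT $$
exit 0
EOF
    chmod +x "$tmp/debug_fake"
    printf '%s\n' "$tmp"
}

# Triage the fixture and return only the summary line.
demo_summary() {
    d=$(make_demo_fixture)
    s=$(triage_crashes "$d/out" "$d/debug_fake" | tail -n 1)
    rm -rf "$d"
    printf '%s\n' "$s"
}

# Real use: triage_crashes fuzzing/out ./build/fuzzers/debug_<fuzzing_tool> [<test args>]
```

Drop the ``> /dev/null 2>&1`` redirect when you want the sanitizer or abort message for a given file; the exit-status classification is enough to separate genuine crashes from inputs that only failed under the fuzzer's timeout or memory limit.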