author | Daniel Stenberg <daniel@haxx.se> | 2017-09-08 10:20:36 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2017-09-08 13:15:24 +0200 |
commit | f2ede512a29471ed3ed6b94fe67eaff819c30b5f (patch) | |
tree | a5b31ecbeb1c8f61dbc3732fa83de8fca01d0ee8 | |
parent | 1ae2704d6edf02c218b7e30fc2e13ce52a991bea (diff) | |
download | curl-bagder/oss-fuzz-3327.tar.gz |
rtsp: do not call fwrite() with NULL pointer FILE * [bagder/oss-fuzz-3327]
If the default write callback is used and no destination has been set, a
NULL pointer would be passed to fwrite()'s 4th argument.
OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327 (not publicly open yet)
Detected by OSS-fuzz
-rw-r--r-- | lib/rtsp.c | 9 | ||||
-rw-r--r-- | tests/fuzz/curl_fuzz_data/oss-fuzz-3327 | bin | 0 -> 27 bytes |
2 files changed, 9 insertions, 0 deletions
diff --git a/lib/rtsp.c b/lib/rtsp.c index 9bd935fd5..4bca11459 100644 --- a/lib/rtsp.c +++ b/lib/rtsp.c @@ -756,6 +756,15 @@ CURLcode rtp_client_write(struct connectdata *conn, char *ptr, size_t len) } writeit = data->set.fwrite_rtp?data->set.fwrite_rtp:data->set.fwrite_func; + + if(!data->set.fwrite_rtp && !data->set.is_fwrite_set && + !data->set.rtp_out) { + /* if no callback is set for either RTP or default, the default function + fwrite() is utilized and that can't handle a NULL input */ + failf(data, "No destination to default data callback!"); + return CURLE_WRITE_ERROR; + } + wrote = writeit(ptr, 1, len, data->set.rtp_out); if(CURL_WRITEFUNC_PAUSE == wrote) { diff --git a/tests/fuzz/curl_fuzz_data/oss-fuzz-3327 b/tests/fuzz/curl_fuzz_data/oss-fuzz-3327 Binary files differnew file mode 100644 index 000000000..064cc623a --- /dev/null +++ b/tests/fuzz/curl_fuzz_data/oss-fuzz-3327 |
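Review bot: In the lib/rtsp.c hunk of rtp_client_write(), the new guard decides "default callback in use" from `data->set.is_fwrite_set`, while the line directly above picks the callback from `data->set.fwrite_rtp` and `data->set.fwrite_func`, so the NULL check is only as reliable as the coupling between `is_fwrite_set` and `fwrite_func`. A short comment stating that `is_fwrite_set` is false exactly when `fwrite_func` is still the built-in fwrite() would make that dependency explicit for future changes. The added comment could also be more precise: the value that must not be NULL is the `FILE *` destination `data->set.rtp_out` passed as the 4th argument, not the data being written, so "can't handle a NULL FILE * destination" reads less ambiguously than "a NULL input". Finally, the condition depends only on values under `data->set` and not on `ptr` or `len`, yet it sits on the per-packet write path; consider whether it can be rejected once when the RTSP transfer is set up, keeping this check as a last line of defence.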