author | Philip Withnall <withnall@endlessm.com> | 2020-06-29 11:52:40 +0100
---|---|---
committer | Philip Withnall <withnall@endlessm.com> | 2020-06-29 11:52:40 +0100
commit | b2a6a9a434b29a70807dc9f811056318ff490bfa (patch) |
tree | 2c3efda325ee38ff43a437ba61c330296263e5bf /fuzzing/fuzz_uri_parse.c |
parent | 1cf3ae63434195b89d976b46044316c816552c95 (diff) |
download | glib-b2a6a9a434b29a70807dc9f811056318ff490bfa.tar.gz |
fuzzing: Ensure input to g_uri_parse() is nul-terminated
The fuzzer will produce arbitrary binary blobs, which might not be
nul-terminated. `g_uri_parse()` has no length argument, so relies on
receiving a nul-terminated string as input. Guarantee that.
This should fix fuzzing build failures like
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23750.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Diffstat (limited to 'fuzzing/fuzz_uri_parse.c')
-rw-r--r-- | fuzzing/fuzz_uri_parse.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/fuzzing/fuzz_uri_parse.c b/fuzzing/fuzz_uri_parse.c index 5c2934f1a..e4687091b 100644 --- a/fuzzing/fuzz_uri_parse.c +++ b/fuzzing/fuzz_uri_parse.c @@ -3,14 +3,18 @@ int LLVMFuzzerTestOneInput (const unsigned char *data, size_t size) { + unsigned char *nul_terminated_data = NULL; GUri *uri = NULL; gchar *uri_string = NULL; const GUriFlags flags = G_URI_FLAGS_NONE; fuzz_set_logging_func (); - /* ignore @size */ + /* ignore @size (g_uri_parse() doesn’t support it); ensure @data is nul-terminated */ + nul_terminated_data = (unsigned char *) g_strndup ((const gchar *) data, size); uri = g_uri_parse ((const gchar *) data, flags, NULL); + g_free (nul_terminated_data); + if (uri == NULL) return 0; |
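Review bot: the nul-terminated copy is never handed to the parser, so this hunk does not deliver the fix the commit message describes: `nul_terminated_data` is allocated with `g_strndup` and then freed, but the call in between still reads `uri = g_uri_parse ((const gchar *) data, flags, NULL);`, i.e. the original, possibly unterminated fuzzer buffer is still what `g_uri_parse()` walks past `size`. Change that line to `uri = g_uri_parse ((const gchar *) nul_terminated_data, flags, NULL);`. Minor: since the copy is only ever passed as `const gchar *`, declaring it as `gchar *nul_terminated_data` would drop both casts around the `g_strndup` call and the parse call.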