fuzzing: Ensure input to g_uri_parse() is nul-terminated

The fuzzer will produce arbitrary binary blobs, which might not be nul-terminated. `g_uri_parse()` has no length argument, so relies on receiving a nul-terminated string as input. Guarantee that. This should fix fuzzing build failures like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23750. Signed-off-by: Philip Withnall <withnall@endlessm.com>
author: Philip Withnall <withnall@endlessm.com> 2020-06-29 11:52:40 +0100
committer: Philip Withnall <withnall@endlessm.com> 2020-06-29 11:52:40 +0100
commit: b2a6a9a434b29a70807dc9f811056318ff490bfa (patch)
tree: 2c3efda325ee38ff43a437ba61c330296263e5bf /fuzzing/fuzz_uri_parse.c
parent: 1cf3ae63434195b89d976b46044316c816552c95 (diff)
download: glib-b2a6a9a434b29a70807dc9f811056318ff490bfa.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/fuzzing/fuzz_uri_parse.c b/fuzzing/fuzz_uri_parse.c
index 5c2934f1a..e4687091b 100644
--- a/fuzzing/fuzz_uri_parse.c
+++ b/fuzzing/fuzz_uri_parse.c
@@ -3,14 +3,18 @@
 int
 LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
 {
+  unsigned char *nul_terminated_data = NULL;
   GUri *uri = NULL;
   gchar *uri_string = NULL;
   const GUriFlags flags = G_URI_FLAGS_NONE;
 
   fuzz_set_logging_func ();
 
-  /* ignore @size */
+  /* ignore @size (g_uri_parse() doesn’t support it); ensure @data is nul-terminated */
+  nul_terminated_data = (unsigned char *) g_strndup ((const gchar *) data, size);
   uri = g_uri_parse ((const gchar *) data, flags, NULL);
+  g_free (nul_terminated_data);
+
   if (uri == NULL)
     return 0;
author	Philip Withnall <withnall@endlessm.com>	2020-06-29 11:52:40 +0100
committer	Philip Withnall <withnall@endlessm.com>	2020-06-29 11:52:40 +0100
commit	b2a6a9a434b29a70807dc9f811056318ff490bfa (patch)
tree	2c3efda325ee38ff43a437ba61c330296263e5bf /fuzzing/fuzz_uri_parse.c
parent	1cf3ae63434195b89d976b46044316c816552c95 (diff)
download	glib-b2a6a9a434b29a70807dc9f811056318ff490bfa.tar.gz