From 7d34567444304ea0acec7ed3c44c09bb65cea32c Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Wed, 7 Dec 2022 09:06:48 +0900
Subject: [PATCH] hexdecoct: fix NULL pointer dereferences in hexmem()

Fixes oss-fuzz#54090 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54090).
Fixes #25655.
---
 src/basic/hexdecoct.c                         |   4 +++-
 src/test/test-hexdecoct.c                     |  19 ++++++++++++++++++
 test/fuzz/fuzz-resource-record/oss-fuzz-54090 | Bin 0 -> 110 bytes
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzz/fuzz-resource-record/oss-fuzz-54090

diff --git a/src/basic/hexdecoct.c b/src/basic/hexdecoct.c
index b9de5bfcdaf..0ff8eb3256e 100644
--- a/src/basic/hexdecoct.c
+++ b/src/basic/hexdecoct.c
@@ -59,11 +59,13 @@ char *hexmem(const void *p, size_t l) {
         const uint8_t *x;
         char *r, *z;
 
+        assert(p || l == 0);
+
         z = r = new(char, l * 2 + 1);
         if (!r)
                 return NULL;
 
-        for (x = p; x < (const uint8_t*) p + l; x++) {
+        for (x = p; x && x < (const uint8_t*) p + l; x++) {
                 *(z++) = hexchar(*x >> 4);
                 *(z++) = hexchar(*x & 15);
         }
diff --git a/src/test/test-hexdecoct.c b/src/test/test-hexdecoct.c
index 4657307580b..afdc3b54368 100644
--- a/src/test/test-hexdecoct.c
+++ b/src/test/test-hexdecoct.c
@@ -73,6 +73,25 @@ TEST(undecchar) {
         assert_se(undecchar('9') == 9);
 }
 
+static void test_hexmem_one(const char *in, const char *expected) {
+        _cleanup_free_ char *result = NULL;
+        _cleanup_free_ void *mem = NULL;
+        size_t len;
+
+        assert_se(result = hexmem(in, strlen_ptr(in)));
+        log_debug("hexmem(\"%s\") → \"%s\" (expected: \"%s\")", strnull(in), result, expected);
+        assert_se(streq(result, expected));
+
+        assert_se(unhexmem(result, SIZE_MAX, &mem, &len) >= 0);
+        assert_se(memcmp_safe(mem, in, len) == 0);
+}
+
+TEST(hexmem) {
+        test_hexmem_one(NULL, "");
+        test_hexmem_one("", "");
+        test_hexmem_one("foo", "666f6f");
+}
+
 static void test_unhexmem_one(const char *s, size_t l, int retval) {
         _cleanup_free_ char *hex = NULL;
         _cleanup_free_ void *mem = NULL;
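Review bot: The allocation size `l * 2 + 1` on the context line just below the new assert is evaluated before `new()` sees it, so any overflow check inside `new()` cannot catch a length above `(SIZE_MAX - 1) / 2`, where the product wraps to a tiny allocation that the loop then overruns; the commit hardens the NULL case but leaves that untouched. A guard such as `if (l > (SIZE_MAX - 1) / 2) return NULL;` next to the new `assert(p || l == 0)` would close it, assuming callers already treat NULL as the failure path they handle for `new()`. The `x &&` test in the rewritten loop condition is re-evaluated on every iteration even though `x` can only be NULL on entry; with the assert in place, wrapping the loop in `if (p)` or computing the bound once (`const uint8_t *end = p ? (const uint8_t*) p + l : NULL;`) states the intent more plainly. hexmem's NUL-termination and return lie outside the hunk.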
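Review bot: `test_hexmem_one` compares only `len` bytes of the decoded buffer, with `len` taken from `unhexmem` itself, so a decoder that returned fewer bytes than the input (or zero) would still pass the `memcmp_safe` check; adding `assert_se(len == strlen_ptr(in));` before that comparison pins the round-trip length. The NULL case relies on `strlen_ptr(NULL)` returning 0 and on `memcmp_safe`/`strnull` accepting NULL, which is presumably what those helpers exist for but is not visible here. A one-line comment above `test_hexmem_one` noting that it round-trips through `unhexmem` and that `in == NULL` is the regression case for oss-fuzz#54090 would make the NULL entry in `TEST(hexmem)` self-explanatory.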
diff --git a/test/fuzz/fuzz-resource-record/oss-fuzz-54090 b/test/fuzz/fuzz-resource-record/oss-fuzz-54090 new file mode 100644 index 0000000000000000000000000000000000000000..994d908d0f3753c12a3084576224086cab94cde4 GIT binary patch literal 110 zc-muNFk)fgnDgI}A(nxGNt=O@5r{YhuY!RV0|UeM{~*BpUQY9znVFHf83PFXU}R*4 lsR2v>|1YO$00I^!dD{PhD*gcpEv+S5T4`yFAOP0J000+eBsc&7 literal 0 Hc-jL100001 -- 2.47.3