From be44e091621a71525b850c84fc149c644a63f779 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 17 May 2019 13:35:18 +0200
Subject: [PATCH] shared/varlink: add missing setting of output_buffer_allocated

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14708,
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14735,
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14725,
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14720,
and probably others.
---
 src/shared/varlink.c                  | 5 +++--
 test/fuzz/fuzz-varlink/oss-fuzz-14708 | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzz/fuzz-varlink/oss-fuzz-14708

diff --git a/src/shared/varlink.c b/src/shared/varlink.c
index 7719a7d0214..3256a934901 100644
--- a/src/shared/varlink.c
+++ b/src/shared/varlink.c
@@ -1235,15 +1235,16 @@ static int varlink_enqueue_json(Varlink *v, JsonVariant *m) {
         } else {
                 char *n;
+                const size_t new_size = v->output_buffer_size + r + 1;
 
-                n = new(char, v->output_buffer_size + r + 1);
+                n = new(char, new_size);
                 if (!n)
                         return -ENOMEM;
 
                 memcpy(mempcpy(n, v->output_buffer + v->output_buffer_index, v->output_buffer_size), text, r + 1);
                 free_and_replace(v->output_buffer, n);
 
-                v->output_buffer_size += r + 1;
+                v->output_buffer_allocated = v->output_buffer_size = new_size;
                 v->output_buffer_index = 0;
         }
 
 
diff --git a/test/fuzz/fuzz-varlink/oss-fuzz-14708 b/test/fuzz/fuzz-varlink/oss-fuzz-14708
new file mode 100644
index 00000000000..d4391cd336f
--- /dev/null
+++ b/test/fuzz/fuzz-varlink/oss-fuzz-14708
@@ -0,0 +1 @@
+ {"method":" "} { "method": " "} { "method": " "} vvvvvvvv
\ No newline at end of file
-- 
2.47.3
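Review bot: The chained assignment `v->output_buffer_allocated = v->output_buffer_size = new_size;` at the end of the varlink.c hunk restores the capacity/size invariant that the old code broke, but nothing in the block says why both fields must move together, and the next reader who touches this branch can reintroduce the stale-capacity bug that let a later growth path write past the real allocation. A one-line comment above it would pin the contract: `/* n is an exact-fit allocation: size and capacity must coincide, later appends size their realloc from output_buffer_allocated */`. The sum `v->output_buffer_size + r + 1` that feeds `new_size` is not bounded inside this hunk; presumably an upper-bound check on the total buffer size happens earlier in the function, and if so a short comment on the `new_size` line pointing at it would make the overflow argument local. varlink_enqueue_json begins and ends outside the hunk, so both the bound check and the other append branches are not visible here.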