lib/fuzzing: fuzz_stable_sort_r_unstable tries to catch overrun
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Tue, 14 May 2024 02:58:51 +0000 (14:58 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 22 May 2024 04:23:29 +0000 (04:23 +0000)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
lib/fuzzing/fuzz_stable_sort_r_unstable.c

index 45abc6a535c868117139abdca81eee332c213f29..68174ee460ef7bff12e00f6058fd35ff99d08389 100644 (file)
@@ -85,9 +85,18 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
        len--;
 
        memcpy(buf2, buf, len);
-
-       stable_sort_r(buf2, aux, len, 1,
+       stable_sort_r(buf2, aux, len - 1, 1,
                      (samba_compare_with_context_fn_t)cmp_int8,
                      &context);
+
+       /*
+        * We sorted all but the last element, which should remain unchanged.
+        * buf2[-1] should also be unchanged, but the sanitizers will catch
+        * that one.
+        */
+       if (buf2[len - 1] != buf[len - 1]) {
+               abort();
+       }
+
        return 0;
 }
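Review bot: The new check `if (buf2[len - 1] != buf[len - 1])` only detects a write past the sorted range that changes that byte. An over-read of the element by the comparison path, or an overrun in `aux` (whose size is not visible here), would land in memory that is still valid for the sanitizers and pass unnoticed. If the aim is to catch any one-past-the-end access, sorting heap copies sized exactly `len - 1` would let ASan flag reads as well as writes. Separately, `len - 1` is a `size_t` expression and wraps if `len` is 0 after the `len--` above; the function starts outside this hunk, so confirm the early length check rules that out, or add `if (len == 0) { return 0; }` before the sort.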