From: Andrew Bartlett Date: Thu, 7 Nov 2019 02:08:18 +0000 (+1300) Subject: lib/fuzzing: Avoid NULL pointer de-ref from 0-length input X-Git-Tag: ldb-2.1.0~700 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=43bc0b2c763284ec63ca1e750602f6a9b354f9ae;p=thirdparty%2Fsamba.git lib/fuzzing: Avoid NULL pointer de-ref from 0-length input fmemopen() does not like 0-length input. Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison
---
diff --git a/lib/fuzzing/fuzz_oLschema2ldif.c b/lib/fuzzing/fuzz_oLschema2ldif.c
index 4dd5668e673..a983f48d660 100644
--- a/lib/fuzzing/fuzz_oLschema2ldif.c
+++ b/lib/fuzzing/fuzz_oLschema2ldif.c
@@ -34,6 +34,14 @@ int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)
 TALLOC_CTX *mem_ctx;
 struct conv_options opt;
+ if (len == 0) {
+ /*
+ * Otherwise fmemopen() will return null and set errno
+ * to EINVAL
+ */
+ return 0;
+ }
+
 mem_ctx = talloc_init(__FUNCTION__);
 opt.in = fmemopen(buf, len, "r");
diff --git a/lib/fuzzing/fuzz_tiniparser.c b/lib/fuzzing/fuzz_tiniparser.c
index a6e2ef7c2fe..ccc50da183a 100644
--- a/lib/fuzzing/fuzz_tiniparser.c
+++ b/lib/fuzzing/fuzz_tiniparser.c
@@ -27,7 +27,15 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
 int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)
 {
- FILE *fp;
+ FILE *fp = NULL;
+
+ if (len == 0) {
+ /*
+ * Otherwise fmemopen() will return null and set errno
+ * to EINVAL
+ */
+ return 0;
+ }
 fp = fmemopen(buf, len, "r");
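Review bot: The `len == 0` guard in fuzz_oLschema2ldif.c removes only one cause of a NULL stream; the result of `opt.in = fmemopen(buf, len, "r");` is not checked in the lines visible here, so any other fmemopen() failure (allocation failure, for instance) would presumably reach the same dereference. Checking the result directly, `if (opt.in == NULL) { talloc_free(mem_ctx); return 0; }`, covers every failure cause and keeps harness-only crashes out of the fuzzing findings. The same applies to `fp = fmemopen(buf, len, "r");` in fuzz_tiniparser.c, where `if (fp == NULL) return 0;` would do. Both function bodies continue outside their hunks, so a later check may already exist.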
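Review bot: The comment inside the new guard in fuzz_tiniparser.c says fmemopen() "will return null" for a zero-length buffer, but that depends on the C library: older glibc fails with EINVAL, while newer releases return a stream that reads EOF at once. I would word it as `/* fmemopen() may fail with EINVAL on a zero-length buffer (libc-dependent); nothing to parse */`, here and in the identical comment in fuzz_oLschema2ldif.c. It is also worth recording in that comment that the early return means this harness never exercises the parser's empty-input path.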