From: Zbigniew Jędrzejewski-Szmek
Date: Fri, 17 May 2019 11:35:18 +0000 (+0200)
Subject: shared/varlink: add missing setting of output_buffer_allocated
X-Git-Tag: v243-rc1~417
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=be44e091621a71525b850c84fc149c644a63f779;p=thirdparty%2Fsystemd.git

shared/varlink: add missing setting of output_buffer_allocated

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14708, https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14735, https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14725, https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14720, and probably others.
---
diff --git a/src/shared/varlink.c b/src/shared/varlink.c
index 7719a7d0214..3256a934901 100644
--- a/src/shared/varlink.c
+++ b/src/shared/varlink.c
@@ -1235,15 +1235,16 @@ static int varlink_enqueue_json(Varlink *v, JsonVariant *m) {
 } else {
 char *n;
+ const size_t new_size = v->output_buffer_size + r + 1;
- n = new(char, v->output_buffer_size + r + 1);
+ n = new(char, new_size);
 if (!n)
 return -ENOMEM;
 memcpy(mempcpy(n, v->output_buffer + v->output_buffer_index, v->output_buffer_size), text, r + 1);
 free_and_replace(v->output_buffer, n);
- v->output_buffer_size += r + 1;
+ v->output_buffer_allocated = v->output_buffer_size = new_size;
 v->output_buffer_index = 0;
 }
diff --git a/test/fuzz/fuzz-varlink/oss-fuzz-14708 b/test/fuzz/fuzz-varlink/oss-fuzz-14708
new file mode 100644
index 00000000000..d4391cd336f
--- /dev/null
+++ b/test/fuzz/fuzz-varlink/oss-fuzz-14708
@@ -0,0 +1 @@
+ {"method":" "} { "method": " "} { "method": " "} vvvvvvvv
\ No newline at end of file
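Review bot: The added line `v->output_buffer_allocated = v->output_buffer_size = new_size;` is the whole fix for the stale-capacity bug the oss-fuzz reports caught, yet it carries no comment, so nothing tells the next reader that the two fields must be updated together whenever the buffer is replaced; I would put `/* Fresh, exactly-sized allocation: keep the recorded capacity in sync with the size, or a later append that trusts the old capacity overruns it. */` above it. The branch that appends into the existing allocation (the one that presumably read the stale `output_buffer_allocated`) is outside the hunk, as is the declaration of `r`, so the `new_size` computation's assumption that `r` was already checked non-negative is worth confirming rather than taken on faith. varlink_enqueue_json begins and ends outside the hunk.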