fuzzing: Ensure input to g_uri_parse() is nul-terminated

The fuzzer will produce arbitrary binary blobs, which might not be nul-terminated. `g_uri_parse()` has no length argument, so relies on receiving a nul-terminated string as input. Guarantee that. This should fix fuzzing build failures like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23750. Signed-off-by: Philip Withnall <withnall@endlessm.com>

fuzzing: Ensure input to g_uri_parse() is nul-terminated
The fuzzer will produce arbitrary binary blobs, which might not be nul-terminated. `g_uri_parse()` has no length argument, so relies on receiving a nul-terminated string as input. Guarantee that. This should fix fuzzing build failures like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23750. Signed-off-by: Philip Withnall <withnall@endlessm.com>
b2a6a9a4 · Philip Withnall · 1cf3ae63 · b2a6a9a4
Commit b2a6a9a4 authored Jun 29, 2020 by Philip Withnall
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

fuzzing/fuzz_uri_parse.c fuzzing/fuzz_uri_parse.c +5 -1

No files found.
--- a/fuzzing/fuzz_uri_parse.c
+++ b/fuzzing/fuzz_uri_parse.c
@@ -3,14 +3,18 @@
 int
 LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
 {
+  unsigned char *nul_terminated_data = NULL;
  GUri *uri = NULL;
  gchar *uri_string = NULL;
  const GUriFlags flags = G_URI_FLAGS_NONE;

  fuzz_set_logging_func ();

-  /* ignore @size */
+  /* ignore @size (g_uri_parse() doesn’t support it); ensure @data is nul-terminated */
+  nul_terminated_data = (unsigned char *) g_strndup ((const gchar *) data, size);
  uri = g_uri_parse ((const gchar *) data, flags, NULL);
+  g_free (nul_terminated_data);
+
  if (uri == NULL)
    return 0;