[libfreerdp] Pass a zero-terminated string to freerdp_assistance_parse_file_buffer
``` READ of size 2 at 0x602000000091 thread T0 SCARINESS: 14 (2-byte-read-heap-buffer-overflow) #0 0x4c6fb9 in StrstrCheck(void*, char*, char const*, char const*) /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:580:5 #1 0x4c6df1 in strstr /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:597:5 #2 0x56c9ba in freerdp_assistance_parse_file_buffer /src/FreeRDP/libfreerdp/common/assistance.c:743:6 #3 0x56b58e in parse_file_buffer /src/FreeRDP/libfreerdp/common/test/TestFuzzCommonAssistanceParseFileBuffer.c:11:11 #4 0x56b58e in LLVMFuzzerTestOneInput /src/FreeRDP/libfreerdp/common/test/TestFuzzCommonAssistanceParseFileBuffer.c:20:2 #5 0x43f5e3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #6 0x440994 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:804:3 ```
parent
3266dc984a
commit
62697e58d9
@ -7,9 +7,19 @@ static int parse_file_buffer(const uint8_t* Data, size_t Size)
|
|||||||
rdpAssistanceFile* file = freerdp_assistance_file_new();
|
rdpAssistanceFile* file = freerdp_assistance_file_new();
|
||||||
if (!file)
|
if (!file)
|
||||||
return -1;
|
return -1;
|
||||||
status = freerdp_assistance_parse_file_buffer(file, (char*)Data, Size,
|
|
||||||
|
char* buf = calloc(Size + 1, sizeof(char));
|
||||||
|
if (buf == NULL)
|
||||||
|
goto err;
|
||||||
|
memcpy(buf, Data, Size);
|
||||||
|
buf[Size] = '\0';
|
||||||
|
|
||||||
|
status = freerdp_assistance_parse_file_buffer(file, (char*)buf, Size + 1,
|
||||||
TEST_MSRC_INCIDENT_PASSWORD_TYPE2);
|
TEST_MSRC_INCIDENT_PASSWORD_TYPE2);
|
||||||
|
|
||||||
|
err:
|
||||||
freerdp_assistance_file_free(file);
|
freerdp_assistance_file_free(file);
|
||||||
|
free(buf);
|
||||||
|
|
||||||
return status >= 0 ? TRUE : FALSE;
|
return status >= 0 ? TRUE : FALSE;
|
||||||
}
|
}
|
||||||
|
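Review bot: The terminator is added only in the fuzz harness, so `freerdp_assistance_parse_file_buffer` itself still appears to trust its caller for NUL termination: the trace in the description shows `strstr` reading past the allocation at assistance.c:743, and nothing visible here makes the library reject an unterminated buffer. Since the function already receives a size, it could enforce the contract at entry with something like `if (strnlen(buffer, size) == size) return -1;` (parameter names assumed, the library source is not part of this page), or at least state the requirement in the public header so other callers copy the input the way this harness now does. In the harness, `calloc` has already zeroed the buffer, so `buf[Size] = '\0';` and the `(char*)buf` cast are redundant, and a short comment such as `/* parser uses strstr(); the size passed includes the NUL */` would explain the `Size + 1`. The opening of `parse_file_buffer` (its brace and the declaration of `status`) is outside the hunk.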