[libfreerdp] Fix msan's use-of-uninitialized-value

Uninitialized bytes in __interceptor_strlen at offset 0 inside [0x701000000040, 1)
==220==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x535c13 in freerdp_assistance_hex_string_to_bin /src/FreeRDP/libfreerdp/common/assistance.c:711:11
    #1 0x533deb in LLVMFuzzerTestOneInput /src/FreeRDP/libfreerdp/common/test/TestFuzzCommonAssistanceHexStringToBin.c:5:15
    #2 0x43f5f3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #3 0x4409a4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:804:3
    #4 0x440e79 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3
    #5 0x4304df in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
    #6 0x459b32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #7 0x7effc08bb082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #8 0x420f1d in _start (/tmp/not-out/tmpu5o6go0a/TestFuzzCommonAssistanceHexStringToBin+0x420f1d)
This commit is contained in:
Sergey Bronnikov 2023-06-06 12:39:03 +03:00 committed by akallabeth
parent a4c6b36a19
commit d8254c5ff3

View File

@ -704,15 +704,14 @@ fail:
BYTE* freerdp_assistance_hex_string_to_bin(const void* raw, size_t* size)
{
BYTE* buffer = NULL;
size_t length, rc;
if (!raw || !size)
return NULL;
*size = 0;
length = strlen(raw);
const size_t length = strlen(raw);
buffer = calloc(length, sizeof(BYTE));
if (!buffer)
return NULL;
rc = winpr_HexStringToBinBuffer(raw, length, buffer, length);
const size_t rc = winpr_HexStringToBinBuffer(raw, length, buffer, length);
if (rc == 0)
{
free(buffer);