[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Mon Nov 18 21:03:02 UTC 2019


The branch, master has been updated
       via  d6fbfb276ce lib/fuzzing: Free memory after successful load in fuzz_tiniparser
       via  43bc0b2c763 lib/fuzzing: Avoid NULL pointer de-ref from 0-length input
      from  4aea5c0972d tevent: Release tevent 0.10.2

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d6fbfb276ce89ad40f47784300fb99cee9d4aac9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 7 16:52:48 2019 +1300

    lib/fuzzing: Free memory after successful load in fuzz_tiniparser
    
    Otherwise we have a memory leak and so fail the Google oss-fuzz check_build test.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Mon Nov 18 21:02:52 UTC 2019 on sn-devel-184

commit 43bc0b2c763284ec63ca1e750602f6a9b354f9ae
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 7 15:08:18 2019 +1300

    lib/fuzzing: Avoid NULL pointer de-ref from 0-length input
    
    fmemopen() does not like 0-length input.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/fuzzing/fuzz_oLschema2ldif.c |  8 ++++++++
 lib/fuzzing/fuzz_tiniparser.c    | 16 ++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/fuzzing/fuzz_oLschema2ldif.c b/lib/fuzzing/fuzz_oLschema2ldif.c
index 4dd5668e673..a983f48d660 100644
--- a/lib/fuzzing/fuzz_oLschema2ldif.c
+++ b/lib/fuzzing/fuzz_oLschema2ldif.c
@@ -34,6 +34,14 @@ int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)
 	TALLOC_CTX *mem_ctx;
 	struct conv_options opt;
 
+	if (len == 0) {
+		/*
+		 * Otherwise fmemopen() will return null and set errno
+		 * to EINVAL
+		 */
+		return 0;
+	}
+
 	mem_ctx = talloc_init(__FUNCTION__);
 
 	opt.in = fmemopen(buf, len, "r");
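Review bot: the `len == 0` guard covers only one way `fmemopen()` can fail; in the visible lines `opt.in = fmemopen(buf, len, "r");` is still assigned without a NULL check, so any other failure (for example an allocation failure inside fmemopen) would hand the same NULL stream to whatever consumes `opt.in`. Consider testing `opt.in == NULL` right after the call, releasing `mem_ctx` with `talloc_free(mem_ctx)` and returning 0. Placing the early return before `talloc_init()` is right, since nothing has to be freed on that path. Minor: the comment could say NULL rather than null.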
diff --git a/lib/fuzzing/fuzz_tiniparser.c b/lib/fuzzing/fuzz_tiniparser.c
index a6e2ef7c2fe..6908f1815d7 100644
--- a/lib/fuzzing/fuzz_tiniparser.c
+++ b/lib/fuzzing/fuzz_tiniparser.c
@@ -27,11 +27,23 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
 
 int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)
 {
-	FILE *fp;
+	FILE *fp = NULL;
+	struct tiniparser_dictionary *d = NULL;
+
+	if (len == 0) {
+		/*
+		 * Otherwise fmemopen() will return null and set errno
+		 * to EINVAL
+		 */
+		return 0;
+	}
 
 	fp = fmemopen(buf, len, "r");
 
-	tiniparser_load_stream(fp);
+	d = tiniparser_load_stream(fp);
+	if (d != NULL) {
+		tiniparser_freedict(d);
+	}
 
 	fclose(fp);
 
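Review bot: `fp` from `fmemopen(buf, len, "r")` is still passed to `tiniparser_load_stream(fp)` and `fclose(fp)` without a NULL check. The `len == 0` guard removes the EINVAL case named in the comment, but any other fmemopen() failure would still reach `fclose(NULL)`, which is undefined behaviour. Suggest `if (fp == NULL) { return 0; }` directly after the call, which would also make the fuzz target robust independently of the length check. The `d != NULL` test before `tiniparser_freedict(d)` matches the "after successful load" wording of the commit message; if `tiniparser_freedict()` already tolerates NULL, the guard could be dropped, but that cannot be confirmed from this hunk.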


-- 
Samba Shared Repository


