From: Petr Štetiar Date: Sun, 11 Oct 2020 11:57:10 +0000 (+0200) Subject: Fix off-by-one in postdecode_fields X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=09f9ac5066ee71f7cc1d5a6401dfa7f49d1dd677;p=project%2Fcgi-io.git Fix off-by-one in postdecode_fields Fixes following error found by fuzzer: ERROR: AddressSanitizer: SEGV on unknown address 0x60c000120000 (pc 0x00000054f64f bp 0x000000000008 sp 0x7ffe4fc2c120 T0) The signal is caused by a READ memory access. #0 0x54f64f in postdecode_fields cgi-io/util.c:93:7 #1 0x54f382 in LLVMFuzzerTestOneInput cgi-io/tests/fuzz/test-fuzz.c:36:6 That is caused by reading 1 byte past the size of the buffer. Signed-off-by: Petr Štetiar --- diff --git a/tests/fuzz/corpus/crash-9adc1b00fe9189d66d3bfd8b7759b003cf3f5427 b/tests/fuzz/corpus/crash-9adc1b00fe9189d66d3bfd8b7759b003cf3f5427 new file mode 100644 index 0000000..7122f99 Binary files /dev/null and b/tests/fuzz/corpus/crash-9adc1b00fe9189d66d3bfd8b7759b003cf3f5427 differ diff --git a/tests/fuzz/corpus/crash-c1e3b9cd71f83cc0de5ab4c0e3db39316cd5c6c0 b/tests/fuzz/corpus/crash-c1e3b9cd71f83cc0de5ab4c0e3db39316cd5c6c0 new file mode 100644 index 0000000..264f4b1 --- /dev/null +++ b/tests/fuzz/corpus/crash-c1e3b9cd71f83cc0de5ab4c0e3db39316cd5c6c0 @@ -0,0 +1 @@ +±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± diff --git a/util.c b/util.c index e862758..419ed16 100644 --- a/util.c +++ b/util.c @@ -88,7 +88,7 @@ postdecode_fields(char *postbuf, ssize_t len, char **fields, int n_fields) char *p; int i, field, found = 0; - for (p = postbuf, i = 0; i <= len; i++) + for (p = postbuf, i = 0; i < len; i++) { if (postbuf[i] == '=') {