[llvm-bugs] [Bug 36148] New: Suspicious use of sizeof(pointer) in FuzzerMutate.cpp

[via llvm-bugs]

https://bugs.llvm.org/show_bug.cgi?id=36148

            Bug ID: 36148
           Summary: Suspicious use of sizeof(pointer) in FuzzerMutate.cpp
           Product: new-bugs
           Version: 5.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: new bugs
          Assignee: unassignedbugs at nondot.org
          Reporter: wolf at behrenhoff.de
                CC: llvm-bugs at lists.llvm.org

In file lib/Fuzzer/FuzzerMutate.cpp, the function RandCh (lines 63--67) looks
like this:


static char RandCh(Random &Rand) {
  if (Rand.RandBool()) return Rand(256);
  const char *Special = "!*'();:@&=+$,/?%#[]012Az-`~.\xff\x00";
  return Special[Rand(sizeof(Special) - 1)];
}

Special is thus a pointer to char. In the return line sizeof(pointer)-1 is used
as index. I think the intention was to return any of the predefined characters,
not any of the first 4-1=3 or 8-1=7 characters (or whatever size a pointer is
on the target platform).

I suggest using an array instead of a pointer:

  const char Special[] = "!*'();:@&=+$,/?%#[]012Az-`~.\xff\x00";


I haven't tested this, but surely the sizeof(pointer) is wrong :-)

This bug is at least present in the 5.0.1 download. If it is also in 6 or
trunk: I don't know. Please check!

Cheers!

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20180130/e6acbf0b/attachment.html>