[llvm] [llvm-dwarfdump-fuzzer] fix out of bounds potential (PR #76408)

via llvm-commits llvm-commits at lists.llvm.org
Tue Dec 26 12:23:52 PST 2023


https://github.com/DavidKorczynski created https://github.com/llvm/llvm-project/pull/76408

The fuzzer relies on MemoryBuffer to hold fuzz data, and MemoryBuffer guarantees that "In addition to basic access to the characters in the file, this interface guarantees you can read one character past the end of the file, and that this character will read as '\0'." The current fuzzing setup does not support this, which causes potential false positives. This PR fixes it.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65114

From 099388778dd5c5184b48dc02a2378244b0654670 Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Tue, 26 Dec 2023 12:26:48 -0800
Subject: [PATCH] [llvm-dwarfdump-fuzzer] fix out of bounds potential

The fuzzer relies on MemoryBuffer to hold fuzz data, and MemoryBuffer
guarantees that "In addition to basic access to the characters in the
file, this interface guarantees you can read one character past the end
of the file, and that this character will read as '\0'." The current
fuzzing setup does not support this, which causes potential false
positives. This PR fixes it.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65114

Signed-off-by: David Korczynski <david at adalogics.com>
---
 llvm/tools/llvm-dwarfdump/fuzzer/llvm-dwarfdump-fuzzer.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/llvm/tools/llvm-dwarfdump/fuzzer/llvm-dwarfdump-fuzzer.cpp b/llvm/tools/llvm-dwarfdump/fuzzer/llvm-dwarfdump-fuzzer.cpp
index 1d74856c0fb8a6..0e74d0be76f11c 100644
--- a/llvm/tools/llvm-dwarfdump/fuzzer/llvm-dwarfdump-fuzzer.cpp
+++ b/llvm/tools/llvm-dwarfdump/fuzzer/llvm-dwarfdump-fuzzer.cpp
@@ -20,8 +20,8 @@ using namespace llvm;
 using namespace object;
 
 extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) {
-  std::unique_ptr<MemoryBuffer> Buff = MemoryBuffer::getMemBuffer(
-      StringRef((const char *)data, size), "", false);
+  std::string Payload(reinterpret_cast<const char *>(data), size);
+  std::unique_ptr<MemoryBuffer> Buff = MemoryBuffer::getMemBuffer(Payload);
 
   Expected<std::unique_ptr<ObjectFile>> ObjOrErr =
       ObjectFile::createObjectFile(Buff->getMemBufferRef());
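Review bot: the fix works only because std::string guarantees data()[size()] == '\0' and because `MemoryBuffer::getMemBuffer(Payload)` picks up the default RequiresNullTerminator = true, and neither fact is visible in the hunk; a one-line comment above `std::string Payload(reinterpret_cast<const char *>(data), size);` saying the copy exists to satisfy MemoryBuffer's one-past-the-end '\0' contract would stop the next reader from "optimising" it back to a StringRef over `data`. Two further points: getMemBuffer does not copy, so `Buff` aliases `Payload`'s storage and the two must stay in this declaration order in this scope (fine as written, fragile if the setup is ever hoisted into a helper that returns `Buff`); and the same intent can be made self-documenting with `MemoryBuffer::getMemBufferCopy(StringRef(reinterpret_cast<const char *>(data), size), "")`, which allocates its own null-terminated copy and removes the lifetime coupling entirely.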

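The PR description above rests on one invariant: whoever consumes the buffer may read exactly one byte past the end and expect '\0'. The following is an added example, not code from this PR or from LLVM, that models that contract without linking LLVM: `TerminatedView` is a hypothetical stand-in for `llvm::MemoryBufferRef`, `copyFuzzInput` does what the patched harness does (copy the raw libFuzzer bytes into a std::string so the sentinel exists), and `readCString` / `scanStrings` are hypothetical consumers that lean on the sentinel the way a C-string reader over a DWARF section would. The sample bytes at the bottom are constructed for the demonstration.

```cpp
// Added example (not from the PR or LLVM): why a fuzz harness must hand
// MemoryBuffer-style consumers a buffer with a readable '\0' at Data[Size],
// and how copying into std::string provides it.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical stand-in for llvm::MemoryBufferRef: a view that promises
// Data[Size] is readable and equal to '\0'.
struct TerminatedView {
  const char *Data;
  size_t Size;
};

// Same move as the patch: copy the raw fuzzer bytes into a std::string,
// whose data() carries a '\0' at index size() by the C++ standard.
// The string must outlive any view taken from it (the view does not copy).
static std::string copyFuzzInput(const uint8_t *Data, size_t Size) {
  return std::string(reinterpret_cast<const char *>(Data), Size);
}

static TerminatedView viewOf(const std::string &Payload) {
  TerminatedView V{Payload.data(), Payload.size()};
  assert(V.Data[V.Size] == '\0' && "std::string supplies the sentinel");
  return V;
}

// Consumer that relies on the sentinel: it scans for '\0' with no separate
// bounds check, because Data[Size] == '\0' guarantees the loop stops at or
// before Data + Size. Returns false when the string is not terminated
// inside the input, i.e. the scan hit the sentinel rather than real data.
static bool readCString(TerminatedView V, size_t &Offset, std::string &Out) {
  Out.clear();
  if (Offset > V.Size)
    return false;
  const char *P = V.Data + Offset;
  while (*P != '\0') // safe only because V.Data[V.Size] == '\0'
    ++P;
  size_t End = static_cast<size_t>(P - V.Data);
  if (End == V.Size) {
    Offset = End; // truncated: ran off the end of the input
    return false;
  }
  Out.assign(V.Data + Offset, End - Offset);
  Offset = End + 1; // skip the terminator
  return true;
}

// Walk every C-string in the input, as a fuzzer-driven parser would when
// fed arbitrary bytes: count the complete ones and report a truncated tail
// instead of reading past the buffer.
struct ScanResult {
  size_t Complete;
  bool Truncated;
};

static ScanResult scanStrings(const uint8_t *Data, size_t Size) {
  std::string Payload = copyFuzzInput(Data, Size);
  TerminatedView V = viewOf(Payload);
  ScanResult R{0, false};
  size_t Off = 0;
  std::string S;
  while (Off < V.Size) {
    if (!readCString(V, Off, S)) {
      R.Truncated = true;
      break;
    }
    ++R.Complete;
  }
  return R;
}

// Convenience overload for inputs expressed as std::string (embedded NULs
// are preserved when constructed with an explicit length).
static ScanResult scanStrings(const std::string &Bytes) {
  return scanStrings(reinterpret_cast<const uint8_t *>(Bytes.data()),
                     Bytes.size());
}

int main() {
  // Constructed sample: "ab\0", "c\0", then an unterminated tail "xyz".
  const uint8_t Sample[] = {'a', 'b', '\0', 'c', '\0', 'x', 'y', 'z'};
  ScanResult R = scanStrings(Sample, sizeof(Sample));
  std::printf("complete=%zu truncated=%d\n", R.Complete, R.Truncated);
  return 0;
}
```

The point of the `assert` in `viewOf` is that the sentinel is a property of the storage, not of the view: a `StringRef` over libFuzzer's `data` pointer has no byte at `data[size]` it is allowed to read, so the same scan loop would be an out-of-bounds read there and ASan would report it as a finding in the parser rather than in the harness.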


More information about the llvm-commits mailing list