hexdecoct: fix NULL pointer dereferences in hexmem()

Fixes oss-fuzz#54090 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54090). Fixes #25655.
2024-07-22 10:44:58 +00:00 · 2022-12-07 09:06:48 +09:00 · 2022-12-07 09:06:48 +09:00 · 7d34567444
parent 45655e776f
commit 7d34567444
3 changed files with 22 additions and 1 deletions
--- a/src/basic/hexdecoct.c
+++ b/src/basic/hexdecoct.c
@ -59,11 +59,13 @@ char *hexmem(const void *p, size_t l) {
        const uint8_t *x;
        char *r, *z;

+        assert(p || l == 0);
+
        z = r = new(char, l * 2 + 1);
        if (!r)
                return NULL;

-        for (x = p; x < (const uint8_t*) p + l; x++) {
+        for (x = p; x && x < (const uint8_t*) p + l; x++) {
                *(z++) = hexchar(*x >> 4);
                *(z++) = hexchar(*x & 15);
        }
--- a/src/test/test-hexdecoct.c
+++ b/src/test/test-hexdecoct.c
@ -73,6 +73,25 @@ TEST(undecchar) {
        assert_se(undecchar('9') == 9);
 }

+static void test_hexmem_one(const char *in, const char *expected) {
+        _cleanup_free_ char *result = NULL;
+        _cleanup_free_ void *mem = NULL;
+        size_t len;
+
+        assert_se(result = hexmem(in, strlen_ptr(in)));
+        log_debug("hexmem(\"%s\") → \"%s\" (expected: \"%s\")", strnull(in), result, expected);
+        assert_se(streq(result, expected));
+
+        assert_se(unhexmem(result, SIZE_MAX, &mem, &len) >= 0);
+        assert_se(memcmp_safe(mem, in, len) == 0);
+}
+
+TEST(hexmem) {
+        test_hexmem_one(NULL, "");
+        test_hexmem_one("", "");
+        test_hexmem_one("foo", "666f6f");
+}
+
 static void test_unhexmem_one(const char *s, size_t l, int retval) {
        _cleanup_free_ char *hex = NULL;
        _cleanup_free_ void *mem = NULL;
--- a/test/fuzz/fuzz-resource-record/oss-fuzz-54090
+++ b/test/fuzz/fuzz-resource-record/oss-fuzz-54090