Skip to content

Commit

Permalink
Check enable_environment for NULL before copying
Browse files Browse the repository at this point in the history
The enable_environment was missing NULL pointer checks before trying to
copy the string. This issue was found by fuzz testing, so the fuzz test
has been included as a reproducible case.
  • Loading branch information
charles-lunarg committed Dec 12, 2024
1 parent eab3603 commit 037ed53
Show file tree
Hide file tree
Showing 3 changed files with 8 additions and 1 deletion.
3 changes: 2 additions & 1 deletion loader/loader.c
Original file line number Diff line number Diff line change
Expand Up @@ -2744,7 +2744,8 @@ VkResult loader_read_layer_json(const struct loader_instance *inst, struct loade
cJSON *enable_environment = loader_cJSON_GetObjectItem(layer_node, "enable_environment");

// enable_environment is optional
if (enable_environment && enable_environment->child && enable_environment->child->type == cJSON_String) {
if (enable_environment && enable_environment->child && enable_environment->child->type == cJSON_String &&
enable_environment->child->string && enable_environment->child->valuestring) {
result = loader_copy_to_new_str(inst, enable_environment->child->string, &(props.enable_env_var.name));
if (VK_SUCCESS != result) goto out;
result = loader_copy_to_new_str(inst, enable_environment->child->valuestring, &(props.enable_env_var.value));
Expand Down
Binary file not shown.
6 changes: 6 additions & 0 deletions tests/loader_fuzz_tests.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,12 @@ TEST(BadJsonInput, ClusterFuzzTestCase_6308459683315712) {
// combine_settings_layers_with_regular_layers
execute_instance_enumerate_fuzzer("clusterfuzz-testcase-instance_enumerate_fuzzer-6308459683315712");
}
TEST(BadJsonInput, ClusterFuzzTestCase_6583684169269248) {
// Crashes ASAN
// Nullptr dereference in loader_copy_to_new_str
execute_instance_enumerate_fuzzer("clusterfuzz-testcase-minimized-instance_enumerate_fuzzer-6583684169269248");
}

TEST(BadJsonInput, ClusterFuzzTestCase_5258042868105216) {
// Doesn't crash with ASAN or UBSAN
// Doesn't reproducibly crash - json_load_fuzzer: Abrt in loader_cJSON_Delete
Expand Down

0 comments on commit 037ed53

Please sign in to comment.