From 7b29c8d35ccb370ab76ffc7237cecfee7ac7ac77 Mon Sep 17 00:00:00 2001
From: Charles Giessen <charles@lunarg.com>
Date: Thu, 12 Dec 2024 11:30:33 -0600
Subject: [PATCH] Check enable_environment for NULL before copying

The enable_environment was missing NULL pointer checks before trying to
copy the string. This issue was found by fuzz testing, so the fuzz test
has been included as a reproducible case.
---
 loader/loader.c                                  |   3 ++-
 ...ed-instance_enumerate_fuzzer-6583684169269248 | Bin 0 -> 7793 bytes
 tests/loader_fuzz_tests.cpp                      |   6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 tests/framework/data/fuzz_test_minimized_test_cases/clusterfuzz-testcase-minimized-instance_enumerate_fuzzer-6583684169269248

diff --git a/loader/loader.c b/loader/loader.c
index 44c232fad..c35ecf2d4 100644
--- a/loader/loader.c
+++ b/loader/loader.c
@@ -2744,7 +2744,8 @@ VkResult loader_read_layer_json(const struct loader_instance *inst, struct loade
         cJSON *enable_environment = loader_cJSON_GetObjectItem(layer_node, "enable_environment");
 
         // enable_environment is optional
-        if (enable_environment && enable_environment->child && enable_environment->child->type == cJSON_String) {
+        if (enable_environment && enable_environment->child && enable_environment->child->type == cJSON_String &&
+            enable_environment->child->string && enable_environment->child->valuestring) {
             result = loader_copy_to_new_str(inst, enable_environment->child->string, &(props.enable_env_var.name));
             if (VK_SUCCESS != result) goto out;
             result = loader_copy_to_new_str(inst, enable_environment->child->valuestring, &(props.enable_env_var.value));
diff --git a/tests/framework/data/fuzz_test_minimized_test_cases/clusterfuzz-testcase-minimized-instance_enumerate_fuzzer-6583684169269248 b/tests/framework/data/fuzz_test_minimized_test_cases/clusterfuzz-testcase-minimized-instance_enumerate_fuzzer-6583684169269248
new file mode 100644
index 0000000000000000000000000000000000000000..474b8d3f98dbebb533df34147d3c9160990d02d2
GIT binary patch
literal 7793
zcmeHM-D=w~6z&+i$?aaiXt%8^#qv*f*TL9D1A{RNV+5f#%4*`+#&!Z}$P?^|_H>z~
zIF2nhaXsUb4C^Y1t&?-4?;L&S)2gTO0Vb};$RvnnG$9KX#ctq(j~YNaTD@fGA2x5m
z<<^u(m)roK{j;~~fn*snVM&ueYkh=m>=+id($~emivc|MenF!p32E{uCh+ff)1k0M
zrjJqJ2QgVt&mGf*`=-Z%I{zV<g@MofgzOyvceiAC^W*b3lCU^^KoGdpo_){<qiqOV
zkGM}`H>US|VVJ*gxeGIHox8S@aqeD{&P(%CwiJ%b&)n5H1BDmYdE<pAE&dM=g841Q
zz-`koBs^@n+u%BwC)Y7c64(C~lga$)iA7+PMVgDhxPri^Gl`M>ZvEbFBk8OAyaUvi
z;nz<$o2Fx^nx~;#OaMbieOrCYorN9~aFA%sPbm32X7NMhh61$$9k*L7YYXa*Jvm#o
z&4C{^Nrd)5+Z;^q^I4MvgiNCLz?7xFgRx~}3~dKOY$9g>2kP<{@Kps5s2jQ{X(k>Z
z2dkzIqlDL>EH7m22T`)Cc<O|cMhQL3l9QoCUF%wqKmrm*X@d`Ap{inh=SNp}dKQX>
zk~^)P(#;EA!P7zvt)8AcD3`ER3(8RMNL#*67dEpaZU0Kzst#3AK|9WsF{Nh+{6$-%
zYo9c=NS|l>bnF0_i#|lQPgR)+bzCnKOSI?z;<aapg^PDW_+Uatu}sr28*y9N?$qJ7
zRd_fPZi_l)NXR@dR<~Y-+m_nxn%vf~5rR5Y6XI~ARt4t0w9``4{#q)Dx+Jw07U@@g
zU6h&{qFFmD+f*AoI=_xIeaeblp{G%~Py348RcY&Mfh|uj@|_wlKu7X8QvnSd4onkS
zsB{~VH(XF{TT1Pd>Lxj3IJs)i<<(TWO*hT4oQ8F(rcPHnDHM#H376?^xlRz>&2%~`
znAi|ugd77~5L*MTK-&hg9NU1L=a`Oz5#0ZfZ~n5|x3mWGJH5gUSej%9>gndKAceak
W4wRJOjK~LqwXEeaGwQAXtp5TZ<ziC+

literal 0
HcmV?d00001

diff --git a/tests/loader_fuzz_tests.cpp b/tests/loader_fuzz_tests.cpp
index 8df012b08..897e69a35 100644
--- a/tests/loader_fuzz_tests.cpp
+++ b/tests/loader_fuzz_tests.cpp
@@ -109,6 +109,12 @@ TEST(BadJsonInput, ClusterFuzzTestCase_6308459683315712) {
     // combine_settings_layers_with_regular_layers
     execute_instance_enumerate_fuzzer("clusterfuzz-testcase-instance_enumerate_fuzzer-6308459683315712");
 }
+TEST(BadJsonInput, ClusterFuzzTestCase_6583684169269248) {
+    // Crashes ASAN
+    // Nullptr dereference in loader_copy_to_new_str
+    execute_instance_enumerate_fuzzer("clusterfuzz-testcase-minimized-instance_enumerate_fuzzer-6583684169269248");
+}
+
 TEST(BadJsonInput, ClusterFuzzTestCase_5258042868105216) {
     // Doesn't crash with ASAN or UBSAN
     // Doesn't reproducibly crash - json_load_fuzzer: Abrt in loader_cJSON_Delete