Bug 1464069 - Check error code in stun_parser_libfuzz.cpp; r=drno
authorDan Minor <dminor@mozilla.com>
Tue, 29 May 2018 13:04:28 -0400
changeset 420688 66c01f311f4adfaef3e2412a5b9aa4916b57b5b2
parent 420687 0336998b51de99bb534c82dfb0fe854f03e4e3a0
child 420689 b671b92bea186c1f5659425f6e048d555df415d7
push id34077
push usernerli@mozilla.com
push dateThu, 31 May 2018 21:51:59 +0000
reviewersdrno
bugs1464069
milestone62.0a1
Bug 1464069 - Check error code in stun_parser_libfuzz.cpp; r=drno MozReview-Commit-ID: Lx32Mx8KmRm
media/mtransport/fuzztest/stun_parser_libfuzz.cpp
media/mtransport/third_party/nICEr/src/stun/stun_codec.c
--- a/media/mtransport/fuzztest/stun_parser_libfuzz.cpp
+++ b/media/mtransport/fuzztest/stun_parser_libfuzz.cpp
@@ -21,18 +21,17 @@ int FuzzingInitStunParser(int *argc, cha
 }
 
 static int
 RunStunParserFuzzing(const uint8_t* data, size_t size) {
   nr_stun_message *req = 0;
 
   UCHAR* mes = (UCHAR*)data;
 
-  nr_stun_message_create2(&req, mes, size);
-
-  nr_stun_decode_message(req, nullptr, nullptr);
-
-  nr_stun_message_destroy(&req);
+  if (!nr_stun_message_create2(&req, mes, size)) {
+    nr_stun_decode_message(req, nullptr, nullptr);
+    nr_stun_message_destroy(&req);
+  }
 
   return 0;
 }
 
 MOZ_FUZZING_INTERFACE_RAW(FuzzingInitStunParser, RunStunParserFuzzing, StunParser);
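Review bot: The added `if (!nr_stun_message_create2(&req, mes, size))` reads like a boolean test, but the call returns a status code and the guarded branch is the zero (success) case; a one-line comment above it such as `// 0 means success; skip decode/destroy when creation fails` would make that explicit. The convention is inferred from this change, since nr_stun_message_create2 is defined outside the hunk. It is also worth confirming there how `size` is received: it is a `size_t` here, and if the length parameter is a narrower signed type, the harness should bound it before the call so oversize inputs are rejected rather than converted.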
--- a/media/mtransport/third_party/nICEr/src/stun/stun_codec.c
+++ b/media/mtransport/third_party/nICEr/src/stun/stun_codec.c
@@ -1410,19 +1410,16 @@ nr_stun_decode_message(nr_stun_message *
     int r,_status;
     int offset;
     int size;
     int padding_bytes;
     nr_stun_message_attribute *attr;
     nr_stun_attr_info *attr_info;
     Data *password;
 
-    if (!msg)
-        ABORT(R_BAD_ARGS);
-
     r_log(NR_LOG_STUN, LOG_DEBUG, "Parsing STUN message of %d bytes", msg->length);
 
     if (!TAILQ_EMPTY(&msg->attributes))
         ABORT(R_BAD_ARGS);
 
     if (sizeof(nr_stun_message_header) > msg->length) {
        r_log(NR_LOG_STUN, LOG_WARNING, "Message too small");
        ABORT(R_FAILED);
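Review bot: With the `if (!msg) ABORT(R_BAD_ARGS);` guard removed, the first `r_log` call dereferences `msg->length` unconditionally, so a null message now faults inside the decoder instead of returning R_BAD_ARGS. The fuzz harness in this commit checks its own creation result, but the other callers of nr_stun_decode_message are not visible on this page, and this function handles STUN data that can come from the network. The non-null precondition should therefore be stated at the definition, for example `/* msg must be non-NULL: callers check nr_stun_message_create2() before decoding */`. The function's signature and the rest of its body lie outside the hunk.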