From f147373a324a22383f86684ef87c3ea0f3ea5da2 Mon Sep 17 00:00:00 2001 From: MarcoFalke Date: Mon, 28 Feb 2022 08:34:27 +0100 Subject: [PATCH] Merge bitcoin/bitcoin#24449: fuzz: FuzzedFileProvider::write should not return negative value fc471814dc34abb4d5479803ebb1033b572eda43 fuzz: FuzzedFileProvider::write should not return negative value (eugene) Pull request description: Doing so can lead to a glibc crash (from 2005 but I think it's relevant https://sourceware.org/bugzilla/show_bug.cgi?id=2074). Also the manpage for fopencookie warns against this: https://man7.org/linux/man-pages/man3/fopencookie.3.html. This would invalidate the autofile seeds (and maybe others?) in qa-assets. On another note, I noticed that FuzzedFileProvider::seek has some confusing behavior with SEEK_END. It seems to me that if these handlers are supposed to mimic the real functions, that SEEK_END would use the offset from the end of the stream, rather than changing the offset with a random value between 0 and 4096. I could also open a PR to fix SEEK_END, but it would invalidate the seeds. ACKs for top commit: MarcoFalke: cr ACK fc471814dc34abb4d5479803ebb1033b572eda43 Tree-SHA512: 9db41637f0df7f2b2407b82531cbc34f4ba9393063b63ec6786372e808fe991f7f24df45936c203fe0f9fc49686180c65ad57c2ce7d49e0c5402240616bcfede --- src/test/fuzz/util.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/test/fuzz/util.cpp b/src/test/fuzz/util.cpp index bd55d99f97..ddfbc97dbf 100644 --- a/src/test/fuzz/util.cpp +++ b/src/test/fuzz/util.cpp @@ -456,7 +456,7 @@ ssize_t FuzzedFileProvider::write(void* cookie, const char* buf, size_t size) SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider); const ssize_t n = fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange(0, size); if (AdditionOverflow(fuzzed_file->m_offset, (int64_t)n)) { - return fuzzed_file->m_fuzzed_data_provider.ConsumeBool() ? 0 : -1; + return 0; } fuzzed_file->m_offset += n; return n;