tests: [fuzz] fix potential null dereference

There is a possibility that zstate.msg = NULL, which is set in inflateInit2() function. In that case, we should not compare against another string. Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2025-12-21 12:49:42 +01:00 · 2025-08-11 11:09:33 +00:00
parent 768b77219f
commit fa32879c2d
1 changed files with 5 additions and 4 deletions
--- a/tests/fuzz/igzip_checked_inflate_fuzz_test.c
+++ b/tests/fuzz/igzip_checked_inflate_fuzz_test.c
@@ -59,10 +59,11 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
                        /* If zlib errors, assert isal errors, excluding a few
                         * cases where zlib is overzealous and when zlib notices
                         * an error faster than isal */
-                        assert(iret < 0 || strcmp(zstate.msg, z_msg_invalid_code_set) == 0 ||
-                               strcmp(zstate.msg, z_msg_invalid_dist_set) == 0 ||
-                               strcmp(zstate.msg, z_msg_invalid_lit_len_set) == 0 ||
-                               (iret == ISAL_END_INPUT && zstate.avail_in < 3));
+                        assert(iret < 0 || (iret == ISAL_END_INPUT && zstate.avail_in < 3) ||
+                               (zstate.msg != NULL &&
+                                (strcmp(zstate.msg, z_msg_invalid_code_set) == 0 ||
+                                 strcmp(zstate.msg, z_msg_invalid_dist_set) == 0 ||
+                                 strcmp(zstate.msg, z_msg_invalid_lit_len_set) == 0)));

        } else
                /* If zlib did not finish or error, assert isal did not finish