From 2436e38a72de9df938f7f35f9222e7752ddb9d32 Mon Sep 17 00:00:00 2001
From: Martijn van Beurden
Date: Fri, 11 Feb 2022 20:08:42 +0100
Subject: [PATCH] Fix infinite loop in fuzzer_exo (#7265)

readBuffer returns -1 in return type size_t, which wraps. Because of that, the comparison was not triggering when it should

Credit: Oss-Fuzz
Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24002
---
 projects/flac/fuzzer_exo.cpp | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/projects/flac/fuzzer_exo.cpp b/projects/flac/fuzzer_exo.cpp
index 9c0eac673..cb92d4617 100644
--- a/projects/flac/fuzzer_exo.cpp
+++ b/projects/flac/fuzzer_exo.cpp
@@ -466,11 +466,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   int buffer_size = streamInfo.max_blocksize * streamInfo.channels * 2;
   assert(buffer_size >= 0); // Not expected
   auto buffer = new uint8_t[buffer_size];
-  int runs = 0;
-  while (parser.readBuffer(buffer, buffer_size) >= buffer_size) {
-    runs++;
-    continue;
-  }
+
+  while (parser.readBuffer(buffer, buffer_size) < ((size_t)-1));
   delete[] buffer;
   return 0;