From 8b1c72c8cd001d2997e4912e5e52ec5d709e7357 Mon Sep 17 00:00:00 2001
From: Oliver Chang
Date: Fri, 20 Jan 2017 12:54:04 -0800
Subject: [PATCH] Prevent argv[0] from being modified in magic and chewing fuzzers. (#303)

dirname() may modify the input argument. Changing argv[0] breaks any libFuzzer functionality that requires it to invoke itself (e.g. failure-resistant merge, minimize).
---
 projects/file/magic_fuzzer.cc | 5 ++++-
 projects/libchewing/chewing_fuzzer_common.c | 8 +++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/projects/file/magic_fuzzer.cc b/projects/file/magic_fuzzer.cc
index 1f5b5f095..4132a109d 100644
--- a/projects/file/magic_fuzzer.cc
+++ b/projects/file/magic_fuzzer.cc
@@ -38,8 +38,11 @@ static Environment* env;
 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
   char* exe_path = (*argv)[0];
-  char* dir = dirname(exe_path);
+  // dirname() can modify its argument.
+  char* exe_path_copy = strdup(exe_path);
+  char* dir = dirname(exe_path_copy);
   env = new Environment(dir);
+  free(exe_path_copy);
   return 0;
 }
diff --git a/projects/libchewing/chewing_fuzzer_common.c b/projects/libchewing/chewing_fuzzer_common.c
index de249df67..34426ea37 100644
--- a/projects/libchewing/chewing_fuzzer_common.c
+++ b/projects/libchewing/chewing_fuzzer_common.c
@@ -3,14 +3,20 @@
 #include
 #include
 #include
+#include
 static char userphrase_path[] = "/tmp/chewing_userphrase.db.XXXXXX";
 int LLVMFuzzerInitialize(int* argc, char*** argv) {
   char* exe_path = (*argv)[0];
-  char* dir = dirname(exe_path);
+
+  // dirname() can modify its argument.
+  char* exe_path_copy = strdup(exe_path);
+  char* dir = dirname(exe_path_copy);
+
   // Assume data files are at the same location as executable.
   setenv("CHEWING_PATH", dir, 0);
+  free(exe_path_copy);
   // Specify user db of this process. So we can run multiple fuzzers at the
   // same time.
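Review bot: The `strdup(exe_path)` result in the magic_fuzzer.cc hunk is passed straight to `dirname()` without a NULL check; glibc's dirname() returns "." for a NULL argument, so an allocation failure would silently point `Environment` at the current directory instead of the executable's directory, which is exactly the misconfiguration this fuzzer is trying to avoid. A one-line guard after the strdup keeps the failure loud: `if (!exe_path_copy) abort();`. Separately, `dir` may point into `exe_path_copy` (dirname() is allowed to return its argument), so `free(exe_path_copy)` right after `new Environment(dir)` is only safe if the Environment constructor copies the string rather than retaining the pointer — that constructor is outside this hunk, so please confirm, or move the free after any use of `dir` and comment why. A `// dir aliases exe_path_copy; Environment must copy it` note on the free would make the ownership explicit.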
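Review bot: In the chewing_fuzzer_common.c hunk the `strdup(exe_path)` return value is unchecked before `dirname(exe_path_copy)`; on glibc dirname(NULL) yields ".", so an OOM here would quietly set `CHEWING_PATH` to "." and the fuzzer would run against whatever data files happen to be in the working directory. Add `if (!exe_path_copy) abort();` between the strdup and dirname lines so a bad setup fails fast rather than fuzzing the wrong inputs. The `free(exe_path_copy)` after `setenv` is fine, since setenv() copies its value argument and `dir` is not used again in the visible lines. Note also that strdup() is POSIX rather than ISO C, so if this file is ever built with a strict `-std=c11` and no feature-test macro it will not be declared by `<string.h>`; the added include is stripped in this rendering, so I cannot tell which header it brings in — worth confirming it covers both strdup and free. LLVMFuzzerInitialize continues past the end of this hunk.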