From bdb0b339d045edd49846e7b691d85e84ff861337 Mon Sep 17 00:00:00 2001
From: Ravi Jotwani
Date: Wed, 22 Jul 2020 14:24:05 -0700
Subject: [PATCH] [uriparser] Fix null dereference in uri_dissect_query_malloc_fuzzer (#4174)
* fixed null dereference in uri_dissect_query_malloc_fuzzer
* removed unused include
* initialized chars_required, freed query_list if check unsuccessful, and used buf.data() instead of &buf[0]
---
 .../uriparser/uri_dissect_query_malloc_fuzzer.cc | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/projects/uriparser/uri_dissect_query_malloc_fuzzer.cc b/projects/uriparser/uri_dissect_query_malloc_fuzzer.cc
index 32e815555..3714f8571 100644
--- a/projects/uriparser/uri_dissect_query_malloc_fuzzer.cc
+++ b/projects/uriparser/uri_dissect_query_malloc_fuzzer.cc
@@ -42,17 +42,20 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   if (query_list == nullptr || result != URI_SUCCESS || item_count < 0) return 0;
-  int chars_required;
+  int chars_required = 0;
   if (uriComposeQueryCharsRequiredA(query_list, &chars_required) != URI_SUCCESS) return 0;
-
+
+  if (!chars_required) {
+    uriFreeQueryListA(query_list);
+    return 0;
+  }
+
   std::vector buf(chars_required, 0);
   int written = -1;
-  char *dest = &buf[0];
   // Reverse the process of uriDissectQueryMallocA.
-  result = uriComposeQueryA(dest, query_list, chars_required, &written);
+  result = uriComposeQueryA(buf.data(), query_list, chars_required, &written);
   uriFreeQueryListA(query_list);
-
   return 0;
 }
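Review bot: The early return on the `uriComposeQueryCharsRequiredA(...) != URI_SUCCESS` line still leaks `query_list`, while the new `if (!chars_required)` branch just below it does free it; under LeakSanitizer, which fuzzer builds normally enable, that path will be reported as a leak rather than as the bug the fuzzer is looking for. The same `uriFreeQueryListA(query_list); return 0;` pair the commit adds for the zero-length case belongs on that failure path too, e.g. `if (uriComposeQueryCharsRequiredA(query_list, &chars_required) != URI_SUCCESS) { uriFreeQueryListA(query_list); return 0; }`. Separately, `result` and `written` are assigned by the `uriComposeQueryA` call but never read, so a compose that reports success yet writes more than `chars_required` bytes, or fails outright, goes unnoticed; a cheap `if (result == URI_SUCCESS) assert(written >= 0 && written < chars_required);` would turn that into a detectable failure (the exact bound on `written` should be confirmed against the uriparser documentation). The `std::vector buf` declaration appears to have lost its template argument in rendering; presumably it is `std::vector<char>`. The enclosing `LLVMFuzzerTestOneInput` begins before this hunk.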