From 19a351dad895003a37e3eeea53edb1f11ba9710b Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Tue, 11 Jan 2022 13:02:33 +0000
Subject: [PATCH] Fixed fuzzing target bug introduced in 4d4657128baf (0.7.1).
Previously, njs_process_script() took vm pointer from console object, but after 4d4657128baf the object is not initialized in LLVMFuzzerTestOneInput(). The fix is to always pass vm pointer explicitly. This also closes #456 issue on Github.
---
 src/njs_shell.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/src/njs_shell.c b/src/njs_shell.c
index 3fdd256a..8fb3cf14 100644
--- a/src/njs_shell.c
+++ b/src/njs_shell.c
@@ -88,8 +88,8 @@ typedef struct {
 static njs_int_t njs_console_init(njs_vm_t *vm, njs_console_t *console);
 static njs_int_t njs_externals_init(njs_vm_t *vm);
 static njs_vm_t *njs_create_vm(njs_opts_t *opts, njs_vm_opt_t *vm_options);
-static njs_int_t njs_process_script(njs_opts_t *opts,
- njs_console_t *console, const njs_str_t *script);
+static njs_int_t njs_process_script(njs_vm_t *vm, njs_opts_t *opts,
+ void *runtime, const njs_str_t *script);
 #ifndef NJS_FUZZER_TARGET
@@ -307,7 +307,7 @@ main(int argc, char **argv)
 if (vm != NULL) {
 command.start = (u_char *) opts.command;
 command.length = njs_strlen(opts.command);
- ret = njs_process_script(&opts, vm_options.external, &command);
+ ret = njs_process_script(vm, &opts, vm_options.external, &command);
 njs_vm_destroy(vm);
 }
@@ -612,7 +612,7 @@ njs_process_file(njs_opts_t *opts, njs_vm_opt_t *vm_options)
 }
 }
- ret = njs_process_script(opts, vm_options->external, &script);
+ ret = njs_process_script(vm, opts, vm_options->external, &script);
 if (ret != NJS_OK) {
 ret = NJS_ERROR;
 goto done;
@@ -662,7 +662,6 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
 vm_options.init = 1;
 vm_options.backtrace = 0;
 vm_options.ops = &njs_console_ops;
- vm_options.external = &njs_console;
 vm = njs_create_vm(&opts, &vm_options);
@@ -670,7 +669,7 @@ LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
 script.length = size;
 script.start = (u_char *) data;
- (void) njs_process_script(&opts, vm_options.external, &script);
+ (void) njs_process_script(vm, &opts, NULL, &script);
 njs_vm_destroy(vm);
 }
@@ -834,12 +833,20 @@ njs_output(njs_opts_t *opts, njs_vm_t *vm, njs_int_t ret)
 static njs_int_t
-njs_process_events(njs_console_t *console)
+njs_process_events(void *runtime)
 {
 njs_ev_t *ev;
 njs_queue_t *events;
+ njs_console_t *console;
 njs_queue_link_t *link;
+ if (runtime == NULL) {
+ njs_stderror("njs_process_events(): no runtime\n");
+ return NJS_ERROR;
+ }
+
+ console = runtime;
+
 events = &console->posted_events;
 for ( ;; ) {
@@ -863,14 +870,12 @@ njs_process_events(njs_console_t *console)
 static njs_int_t
-njs_process_script(njs_opts_t *opts, njs_console_t *console,
+njs_process_script(njs_vm_t *vm, njs_opts_t *opts, void *runtime,
 const njs_str_t *script)
 {
 u_char *start, *end;
- njs_vm_t *vm;
 njs_int_t ret;
- vm = console->vm;
 start = script->start;
 end = start + script->length;
@@ -897,7 +902,7 @@ njs_process_script(njs_opts_t *opts, njs_console_t *console,
 break;
 }
- ret = njs_process_events(console);
+ ret = njs_process_events(runtime);
 if (njs_slow_path(ret != NJS_OK)) {
 njs_stderror("njs_process_events() failed\n");
 ret = NJS_ERROR;
@@ -962,7 +967,7 @@ njs_interactive_shell(njs_opts_t *opts, njs_vm_opt_t *vm_options)
 if (line.length != 0) {
 add_history((char *) line.start);
- njs_process_script(opts, vm_options->external, &line);
+ njs_process_script(vm, opts, vm_options->external, &line);
 }
 /* editline allocs a new buffer every time. */
--
2.47.3
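Review bot: Passing `NULL` as the runtime here means every fuzz input that reaches the `njs_process_events(runtime)` call in njs_process_script (the `@@ -897` hunk) takes the new `runtime == NULL` branch from the `@@ -834` hunk, which writes `njs_process_events(): no runtime` to stderr and returns NJS_ERROR, after which the caller writes `njs_process_events() failed` as well; the `(void)` discards the result, so the fuzzer still runs, but it pays two stderr writes per input and the posted-events path is never exercised under fuzzing. If an absent runtime is meant to be a supported configuration, as this call makes it, the check in njs_process_events could treat it as "nothing to drain" with `if (runtime == NULL) { return NJS_OK; }` rather than an error; if it is not, the fuzzer should keep a console object (the `vm_options.external = &njs_console;` removed in the `@@ -662` hunk, presumably paired with `njs_console_init()` so it is actually initialized, which the commit message says it was not). LLVMFuzzerTestOneInput starts and ends outside this hunk, so whether an earlier return can skip the events call cannot be confirmed from here.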
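Review bot: The new `void *runtime` parameter of njs_process_script (the `@@ -863` hunk) carries no documentation of what it points to or whether it may be NULL, and the call sites disagree: the shell paths pass `vm_options->external` while the fuzzer (the `@@ -670` hunk) passes `NULL`. Since the value is only forwarded to `njs_process_events()` (the `@@ -897` hunk), which casts it back to `njs_console_t *`, a comment above the definition would pin the contract, e.g. `/* runtime: the njs_console_t installed as vm_options.external, or NULL when the caller has no console; only handed on to njs_process_events(). */`. If `vm_options.external` can be cast at the callers instead, keeping the parameter typed `njs_console_t *` rather than `void *` would also let the compiler check the call sites. The function body continues past the end of this hunk.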