From: Oliver Chang <ochang@google.com>
To: linux-bluetooth@vger.kernel.org
Cc: hadess@hadess.net, Oliver Chang <ochang@google.com>
Subject: [PATCH BlueZ 0/1] *** Fixed heap-buffer-overflow in `compute_seq_size` ***
Date: Sun, 10 Aug 2025 06:46:56 +0000 [thread overview]
Message-ID: <20250810064656.1810093-2-ochang@google.com> (raw)
The change from the last patch I submitted is the removal of the memory leak fix.
This patch focuses on fixing the buffer overflow.
This fixes an ASan crash discovered by OSS-Fuzz:
```
==402==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000218 at pc 0x564763e67877 bp 0x7ffc1a9f92b0 sp 0x7ffc1a9f92a8
READ of size 4 at 0x502000000218 thread T0
#0 0x564763e67876 in compute_seq_size bluez/src/sdp-xml.c:62:21
#1 0x564763e67876 in element_end bluez/src/sdp-xml.c:548:42
#2 0x564763ea5416 in emit_end_element glib/glib/gmarkup.c:1045:5
#3 0x564763ea4978 in g_markup_parse_context_parse glib/glib/gmarkup.c:1603:19
#4 0x564763e65c55 in sdp_xml_parse_record bluez/src/sdp-xml.c:621:6
#5 0x564763e6acf1 in LLVMFuzzerTestOneInput /src/fuzz_xml.c:30:9
#6 0x564763d1a730 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#7 0x564763d059a5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#8 0x564763d0b43f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#9 0x564763d366e2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0x79ed69692082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
#11 0x564763cfdb8d in _start
```
Oliver Chang (1):
Fixed heap-buffer-overflow in `compute_seq_size`.
src/sdp-xml.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--
2.50.1.703.g449372360f-goog
next reply other threads:[~2025-08-10 6:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-10 6:46 Oliver Chang [this message]
2025-08-10 6:46 ` [PATCH BlueZ 1/1] Fixed heap-buffer-overflow in `compute_seq_size` Oliver Chang
2025-08-10 7:22 ` Paul Menzel
2025-08-10 8:20 ` Oliver Chang
2025-08-10 20:20 ` Paul Menzel
2025-08-10 8:09 ` *** Fixed heap-buffer-overflow in `compute_seq_size` *** bluez.test.bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250810064656.1810093-2-ochang@google.com \
--to=ochang@google.com \
--cc=hadess@hadess.net \
--cc=linux-bluetooth@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.