SEGV on unknown address in picohttpparser/picohttpparser.c: line 204 #89
Description
version
latest
crash description
Neither the function phr_parse_request nor the function is_complete validates the buf parameter: When parsing an HTTP request, if the input buffer pointer buf is NULL, the function does not correctly validate the pointer, which will lead to access to an illegal memory address and trigger a crash.
crash position
static const char *is_complete(const char *buf, const char *buf_end, size_t last_len, int *ret)
{
int ret_cnt = 0;
buf = last_len < 3 ? buf : buf + last_len - 3;
while (1) {
CHECK_EOF();
if (*buf == '\015') { //crash
...
}}}
poc
#include <stdlib.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include "picohttpparser.h"
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
const char *request = (const char *)data;
size_t request_length = size;
const char *method = NULL;
size_t method_len = 0;
const char *url = NULL;
size_t url_len = 0;
int version = 0;
struct phr_header headers[10];
size_t num_headers = 10;
size_t pos = 0;
int ret = phr_parse_request(request, request_length, &method, &method_len, &url, &url_len, &version, headers, &num_headers, &pos);
return 0;
}