Merge pull request #6643 from rouault/fuzzer_coverity_scan

fuzzer code: fix issues spotted by coverity scan
MapServer · Oct 2, 2022 · 545b44a · 545b44a
2 parents ae65a28 + ce2980b
commit 545b44a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/fuzzers/mapfuzzer.c b/fuzzers/mapfuzzer.c
@@ -41,6 +41,7 @@ extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
   char* filename = msStrdup(CPLSPrintf("%s.map", CPLGenerateTempFilename(NULL)));
   FILE *fp = fopen(filename, "wb");
   if (!fp) {
+    msFree(filename);
     return 1;
   }
   fwrite(Data, Size, 1, fp);

diff --git a/fuzzers/reproducer_main.cpp b/fuzzers/reproducer_main.cpp
@@ -26,6 +26,7 @@
  * DEALINGS IN THE SOFTWARE.
  ****************************************************************************/
 
+#include <limits.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -50,14 +51,19 @@ int main(int argc, char* argv[])
 
     int nRet = 0;
     void* buf = nullptr;
-    int nLen = 0;
+    size_t nLen = 0;
     int nLoops = 1;
     const char* pszFilename = nullptr;
     for(int i = 1; i < argc; i++ )
     {
         if( i + 1 < argc && strcmp(argv[i], "-repeat") == 0 )
         {
             nLoops = atoi(argv[i+1]);
+            // Limit to INT_MAX - 1 :-)
+            // to make fun of coverity scan that complains about tainted data
+            // being used as a loop boundary.
+            if( nLoops > INT_MAX - 1 )
+                nLoops = INT_MAX - 1;
             i++;
         }
         else if( strcmp(argv[i], "-dummy") == 0 )
@@ -90,7 +96,7 @@ int main(int argc, char* argv[])
         exit(1);
     }
     fseek(f, 0, SEEK_END);
-    nLen = (int)ftell(f);
+    nLen = (size_t)ftell(f);
     fseek(f, 0, SEEK_SET);
     buf = malloc(nLen);
     if( !buf )