Closed
I did this
The curl fuzzer reached an assert (attached reproducer, which is a binary file, not a .txt):
# 1. Clone oss-fuzz (or use existing checkout)
git clone https://github.com/google/oss-fuzz.git
cd oss-fuzz
# 2. Build the curl fuzzers (requires Docker)
python3 infra/helper.py build_fuzzers curl
# 3. Replay against the attached payload
python3 infra/helper.py reproduce curl curl_fuzzer_rtsp /tmp/curl_crash_input.txt
...
Running: /testcase
curl_fuzzer_rtsp: /src/curl/lib/rtsp.c:784: CURLcode rtsp_filter_rtp(struct Curl_easy *, struct rtsp_conn *, const char *, size_t, size_t *): Assertion `rtp_len < rtspc->rtp_len' failed.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==14==ERROR: AddressSanitizer: ABRT on unknown address 0x00000000000e (pc 0x7fde2c69eb2c bp 0x7fff96291630 sp 0x7fff962915f0 T0)
SCARINESS: 10 (signal)
#0 0x7fde2c69eb2c in pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x9eb2c) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
#1 0x7fde2c64527d in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4527d) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
#2 0x7fde2c6288fe in abort (/lib/x86_64-linux-gnu/libc.so.6+0x288fe) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
#3 0x7fde2c62881a (/lib/x86_64-linux-gnu/libc.so.6+0x2881a) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
#4 0x7fde2c63b516 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x3b516) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
#5 0x5564d89cb51e in rtsp_filter_rtp /src/curl/lib/rtsp.c:784:7
#6 0x5564d89c8c8f in rtsp_rtp_write_resp /src/curl/lib/rtsp.c:893:16
#7 0x5564d8893930 in Curl_xfer_write_resp /src/curl/lib/transfer.c:772:14
#8 0x5564d888fd2a in sendrecv_dl /src/curl/lib/transfer.c:298:14
#9 0x5564d888fd2a in Curl_sendrecv /src/curl/lib/transfer.c:370:14
#10 0x5564d88572a6 in state_performing /src/curl/lib/multi.c:1938:12
#11 0x5564d88572a6 in multi_runsingle /src/curl/lib/multi.c:2672:17
#12 0x5564d884e9a2 in multi_perform /src/curl/lib/multi.c:2775:17
#13 0x5564d87fef55 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:341:3
#14 0x5564d87fe317 in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:97:3
#15 0x5564d869a57d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
#16 0x5564d8685302 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
#17 0x5564d868b1d0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
#18 0x5564d86b6cf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#19 0x7fde2c62a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
#20 0x7fde2c62a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
#21 0x5564d867e3e4 in _start (/out/curl_fuzzer_rtsp+0x6723e4)
DEDUP_TOKEN: pthread_kill--raise--abort
==14==Register values:
rax = 0x0000000000000000 rbx = 0x000000000000000e rcx = 0x00007fde2c69eb2c rdx = 0x0000000000000006
rdi = 0x000000000000000e rsi = 0x000000000000000e rbp = 0x00007fff96291630 rsp = 0x00007fff962915f0
r8 = 0x00000000000000bc r9 = 0x00007e1e2b7e0000 r10 = 0x0000000000000008 r11 = 0x0000000000000246
r12 = 0x0000000000000006 r13 = 0x00005564d955a520 r14 = 0x0000000000000016 r15 = 0x00005564d955b200
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x9eb2c) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb) in pthread_kill
I expected the following
Happy fuzzer (I am following the approach of this issue: #12701)
curl/libcurl version
git master
operating system
Ubuntu Linux, but I doubt it matters.
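To show the invariant the failing assertion (`rtp_len < rtspc->rtp_len`) encodes, here is an added example that is neither curl's code nor part of the report: a hypothetical, minimal RTSP interleaved-frame filter (names `rtp_filter` and `rtp_filter_feed` are made up) that keeps the same "bytes consumed so far vs. announced length" bookkeeping but returns an error instead of asserting, and handles a zero-length frame as one illustrative edge case. That edge case is an assumption for illustration, not a claim about the root cause of this report.

```c
#include <stddef.h>
/* Hypothetical, simplified RTSP interleaved-frame filter (RFC 2326 10.12): a
 * frame is '$', channel byte, 16-bit big-endian length, then that many payload
 * bytes. Input arrives in pieces, so state persists. Not curl's own code. */
enum rtp_state { RTP_MAGIC, RTP_HDR, RTP_DATA };
struct rtp_filter {
  enum rtp_state state;
  unsigned char hdr[4]; /* '$', channel, length hi, length lo */
  size_t hdr_len;       /* header bytes collected so far */
  size_t rtp_len;       /* payload length announced by the current frame */
  size_t got;           /* payload bytes consumed so far */
  unsigned frames;      /* complete frames seen */
  size_t other;         /* non-frame bytes passed through */
};
/* Feed blen bytes; 0 on success, -1 if state is inconsistent (in RTP_DATA fewer
 * payload bytes than announced must be consumed: the report's assertion). */
int rtp_filter_feed(struct rtp_filter *f, const unsigned char *buf, size_t blen)
{
  while(blen) {
    switch(f->state) {
    case RTP_MAGIC:
      if(*buf == '$') { f->hdr[0] = '$'; f->hdr_len = 1; f->state = RTP_HDR; }
      else f->other++;
      buf++; blen--;
      break;
    case RTP_HDR:
      f->hdr[f->hdr_len++] = *buf++; blen--;
      if(f->hdr_len == 4) {
        f->rtp_len = ((size_t)f->hdr[2] << 8) | f->hdr[3];
        f->got = 0;
        /* a zero-length frame is complete here; entering RTP_DATA with
         * rtp_len == 0 would break the invariant on the next byte */
        if(f->rtp_len == 0) { f->frames++; f->state = RTP_MAGIC; }
        else f->state = RTP_DATA;
      }
      break;
    case RTP_DATA: {
      size_t needed, take;
      if(f->got >= f->rtp_len) return -1; /* invariant violated: bail out */
      needed = f->rtp_len - f->got;
      take = blen < needed ? blen : needed;
      f->got += take; buf += take; blen -= take;
      if(f->got == f->rtp_len) { f->frames++; f->state = RTP_MAGIC; }
      break;
    }
    }
  }
  return 0;
}
```

Feeding the same bytes split across calls reaches the same state, which is what makes the per-call invariant check meaningful for fuzzed, fragmented input.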