syz-fuzzer: fix nil deref in deserializeInput

We build choice table only after we received the initial corpus, so we don't check the initial corpus in deserializeInput, we check it later in BuildChoiceTable.
google · May 10, 2021 · ca87309 · ca87309
1 parent 86e1b94
commit ca87309
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/syz-fuzzer/fuzzer.go b/syz-fuzzer/fuzzer.go
@@ -457,7 +457,11 @@ func (fuzzer *Fuzzer) deserializeInput(inp []byte) *prog.Prog {
 	if err != nil {
 		log.Fatalf("failed to deserialize prog: %v\n%s", err, inp)
 	}
-	fuzzer.checkDisabledCalls(p)
+	// We build choice table only after we received the initial corpus,
+	// so we don't check the initial corpus here, we check it later in BuildChoiceTable.
+	if fuzzer.choiceTable != nil {
+		fuzzer.checkDisabledCalls(p)
+	}
 	if len(p.Calls) > prog.MaxCalls {
 		return nil
 	}