authorDaniel Stenberg <daniel@haxx.se>2017-09-08 10:20:36 +0200
committerDaniel Stenberg <daniel@haxx.se>2017-09-08 23:56:02 +0200
commita14f7152ce1c25cf110d3ccf640f9d4ce17dacd3 (patch)
tree533ca5485d80c3f5f4d9e1e842e75e129d3f1481
parentf8548e84adc4cc55c274beb23690b8a5f5b827bf (diff)
rtsp: do not call fwrite() with NULL pointer FILE *
If the default write callback is used and no destination has been set, a NULL pointer would be passed to fwrite()'s 4th argument. OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327 (not publicly open yet) Detected by OSS-fuzz Closes #1874
-rw-r--r--lib/rtsp.c9
-rw-r--r--tests/fuzz/curl_fuzz_data/oss-fuzz-3327bin0 -> 27 bytes
2 files changed, 9 insertions, 0 deletions
diff --git a/lib/rtsp.c b/lib/rtsp.c
index 9bd935fd5..4bca11459 100644
--- a/lib/rtsp.c
+++ b/lib/rtsp.c
@@ -756,6 +756,15 @@ CURLcode rtp_client_write(struct connectdata *conn, char *ptr, size_t len)
}
writeit = data->set.fwrite_rtp?data->set.fwrite_rtp:data->set.fwrite_func;
+
+ if(!data->set.fwrite_rtp && !data->set.is_fwrite_set &&
+ !data->set.rtp_out) {
+ /* if no callback is set for either RTP or default, the default function
+ fwrite() is utilized and that can't handle a NULL input */
+ failf(data, "No destination to default data callback!");
+ return CURLE_WRITE_ERROR;
+ }
+
wrote = writeit(ptr, 1, len, data->set.rtp_out);
if(CURL_WRITEFUNC_PAUSE == wrote) {
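Review bot: The new guard in rtp_client_write() infers that the default fwrite() will be called from `data->set.is_fwrite_set`, a flag maintained outside this hunk, instead of from the `writeit` pointer chosen on the line above. If that flag ever disagrees with `fwrite_func`, a NULL `rtp_out` can still reach fwrite(), and the data on this path presumably comes from the remote peer. The comment should state the invariant the check relies on, for example `/* is_fwrite_set is false only while fwrite_func is still the default fwrite(), which dereferences its FILE * argument */`. The failf() text would also be more actionable if it said that no RTP output destination was configured. The function body starts and ends outside the hunk.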
diff --git a/tests/fuzz/curl_fuzz_data/oss-fuzz-3327 b/tests/fuzz/curl_fuzz_data/oss-fuzz-3327
new file mode 100644
index 000000000..064cc623a
--- /dev/null
+++ b/tests/fuzz/curl_fuzz_data/oss-fuzz-3327
Binary files differ