File tree 1 file changed +20
-12
lines changed
1 file changed +20
-12
lines changed Original file line number Diff line number Diff line change 2828
2929#include "fuzzer-sapi.h"
3030
31- zend_long char_to_size_t (char * c ) {
32- zend_long ret = 0 ;
33- if (* c >= '0' && * c <= '9' ) {
34- ret *= 10 ;
35- ret += * c - '0' ;
31+ bool char_to_zend_long (const char * c , size_t scale_len , zend_long * ret ) {
32+ * ret = 0 ;
33+ zend_long old_ret = 0 ;
34+ for (size_t i = 0 ; i < scale_len ; i ++ ) {
35+ if (* c >= '0' && * c <= '9' ) {
36+ * ret *= 10 ;
37+ * ret += * c - '0' ;
38+ }
39+ if (* ret > old_ret ) {
40+ old_ret = * ret ;
41+ } else {
42+ return false;
43+ }
3644 }
37- return ret ;
45+ return true ;
3846}
3947
4048int LLVMFuzzerTestOneInput (const uint8_t * Data , size_t Size ) {
@@ -60,12 +68,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
6068 Data = comma2 + 1 ;
6169 Size -= divisor_len + 1 ;
6270
63- char * scale_str = malloc ( Size + 1 ) ;
64- memcpy ( scale_str , Data , Size );
65- scale_str [ Size ] = '\0' ;
66-
67- zend_long scale = char_to_size_t ( scale_str ) ;
68- free ( scale_str );
71+ zend_long scale = 0 ;
72+ if (! char_to_zend_long (( char * ) Data , Size , & scale )) {
73+ efree ( dividend_str ) ;
74+ efree ( divisor_str );
75+ return 0 ;
76+ }
6977
7078 if (fuzzer_request_startup () == FAILURE ) {
7179 return 0 ;
You can’t perform that action at this time.
0 commit comments