| author | Calder Kitagawa <ckitagawa@chromium.org> | 2018-05-24 21:38:49 +0000 |
|---|---|---|
| committer | Edward Lesmes <ehmaldonado@google.com> | 2021-07-23 22:40:26 +0000 |
| commit | 984b1815afc913c3021ce6a83a1fafd9da61c802 (patch) | |
| tree | 8026361ba26b794683afb31575a7ee723f584e67 /disassembler_ztf.cc | |
| parent | c4290b536703a052b79fa321fcdecd73bc99d484 (diff) | |
| download | zucchini-984b1815afc913c3021ce6a83a1fafd9da61c802.tar.gz | |
[Zucchini]: Fix bugs found by Apply fuzzer
Located by fuzzing ZTF Apply (WIP):
https://chromium-review.googlesource.com/c/chromium/src/+/1072231
Found two fatal errors:
- OffsetForKey always assumes a key is valid; however, the validity of
the key is not checked prior to the caller invoking the method. The
caller also had no way to check validity if it was external to
TargetPool.
Fix: Add a method to check for key validity ahead of calling
OffsetForKey.
- ConvertToTargetLineCol for absolute references had a logic bug that
resulted in attempting to dereference an invalid base::Optional.
Fix: Change the logic to avoid the issue.
Bug: 835341
Change-Id: I99c91741eef41dfaa3036af8e708eb3f0d5ca84a
Reviewed-on: https://chromium-review.googlesource.com/1072272
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561642}
NOKEYCHECK=True
GitOrigin-RevId: 4e3e49f97119d48ba6c048e46aa9671d1cd21d17
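As an added example that is not part of this commit or of Zucchini's code base, the block below reproduces both failure modes from the commit message with a hypothetical stand-in translator and target pool. It uses std::optional in place of base::Optional, and `Translator`, `TargetPool`, `KeyIsValid`, `ResolveKey` and the sample text are all assumptions; only the shape of the `&&` versus `||` predicate is taken from the diff, so the difference can be observed on inputs rather than read off the hunk.

```cpp
// Added example, not Zucchini's code. Stand-ins for the ZTF offset->LineCol
// translator and TargetPool; every name and the sample text are hypothetical.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>
#include <utility>
#include <vector>

struct LineCol {
  int line;
  int col;
};

// Hypothetical translator: byte offset -> 1-based (line, col). An offset past
// the end yields nullopt; a position on the '\n' terminator is "invalid".
class Translator {
 public:
  explicit Translator(std::string text) : text_(std::move(text)) {}

  std::optional<LineCol> OffsetToLineCol(size_t offset) const {
    if (offset >= text_.size()) return std::nullopt;
    LineCol lc{1, 1};
    for (size_t i = 0; i < offset; ++i) {
      if (text_[i] == '\n') { ++lc.line; lc.col = 1; } else { ++lc.col; }
    }
    return lc;
  }

  bool IsValid(const LineCol& lc) const {
    if (lc.line < 1 || lc.col < 1) return false;
    size_t i = 0;
    for (int line = 1; line < lc.line; ++line) {  // advance to start of lc.line
      while (i < text_.size() && text_[i] != '\n') ++i;
      if (i >= text_.size()) return false;
      ++i;  // step over the '\n'
    }
    size_t pos = i + static_cast<size_t>(lc.col - 1);
    return pos < text_.size() && text_[pos] != '\n';
  }

 private:
  std::string text_;
};

// Predicate as it stood before the fix. On an empty optional, `&&` still
// evaluates temp_lc.value(): std::optional throws bad_optional_access (the
// commit message reports a fatal error for base::Optional). On a present but
// invalid value, `!has_value()` short-circuits and IsValid() never runs, so
// an invalid LineCol is returned as a success.
bool ConvertToTargetLineColBuggy(const Translator& t, size_t target, LineCol* out) {
  auto temp_lc = t.OffsetToLineCol(target);
  if (!temp_lc.has_value() && t.IsValid(temp_lc.value()))
    return false;
  *out = temp_lc.value();
  return true;
}

// Predicate as fixed in the diff: `||` rejects the empty case before any
// dereference and always consults IsValid() on a present value.
bool ConvertToTargetLineColFixed(const Translator& t, size_t target, LineCol* out) {
  auto temp_lc = t.OffsetToLineCol(target);
  if (!temp_lc.has_value() || !t.IsValid(*temp_lc))
    return false;
  *out = *temp_lc;
  return true;
}

// True if the buggy form throws for this target.
bool BuggyThrows(const Translator& t, size_t target) {
  LineCol out{};
  try {
    ConvertToTargetLineColBuggy(t, target, &out);
  } catch (const std::bad_optional_access&) {
    return true;
  }
  return false;
}

// Hypothetical TargetPool: OffsetForKey() is unchecked, as the commit message
// says of the original; KeyIsValid() is the kind of guard the fix adds so a
// caller outside the pool can test a key first.
class TargetPool {
 public:
  explicit TargetPool(std::vector<uint32_t> targets) : targets_(std::move(targets)) {}
  bool KeyIsValid(size_t key) const { return key < targets_.size(); }
  uint32_t OffsetForKey(size_t key) const { return targets_[key]; }  // requires KeyIsValid(key)
 private:
  std::vector<uint32_t> targets_;
};

// Caller-side pattern: never reach OffsetForKey() with an unchecked key.
bool ResolveKey(const TargetPool& pool, size_t key, uint32_t* offset) {
  if (!pool.KeyIsValid(key)) return false;
  *offset = pool.OffsetForKey(key);
  return true;
}

// Constructed sample: two lines, six bytes; offsets 2 and 5 are '\n'.
Translator MakeSampleTranslator() { return Translator("ab\ncd\n"); }

int main() {
  Translator t = MakeSampleTranslator();
  LineCol lc{};
  std::cout << "fixed rejects offset 6: " << !ConvertToTargetLineColFixed(t, 6, &lc) << "\n"
            << "fixed rejects offset 2: " << !ConvertToTargetLineColFixed(t, 2, &lc) << "\n"
            << "buggy throws on offset 6: " << BuggyThrows(t, 6) << "\n"
            << "buggy accepts offset 2: " << ConvertToTargetLineColBuggy(t, 2, &lc) << "\n";
  return 0;
}
```

Build with `-std=c++17` or later (std::optional). The two bad inputs, one past the end of the buffer and one sitting on a line terminator, are exactly the kind of cases a fuzzer reaches quickly, and the fixed predicate returns false for both without ever touching the optional's payload.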
Diffstat (limited to 'disassembler_ztf.cc')
| -rw-r--r-- | disassembler_ztf.cc | 2 |
|---|---|---|
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/disassembler_ztf.cc b/disassembler_ztf.cc index f938d42..9f3c318 100644 --- a/disassembler_ztf.cc +++ b/disassembler_ztf.cc @@ -351,7 +351,7 @@ class ZtfReferenceWriter : public ReferenceWriter { // Returns true on success. bool ConvertToTargetLineCol(Reference reference, ztf::LineCol* out_lc) { auto temp_lc = translator_.OffsetToLineCol(reference.target); - if (!temp_lc.has_value() && translator_.IsValid(temp_lc.value())) + if (!temp_lc.has_value() || !translator_.IsValid(temp_lc.value())) return false; *out_lc = temp_lc.value(); |
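Review bot: the corrected condition in `ConvertToTargetLineCol` still calls `temp_lc.value()` twice (inside `translator_.IsValid(...)` and again in `*out_lc = temp_lc.value();`); now that `!temp_lc.has_value()` guards both uses, the shorter `if (!temp_lc || !translator_.IsValid(*temp_lc)) return false; *out_lc = *temp_lc;` reads more clearly and keeps the checked access in one place. Because the old `&&` form dereferenced the Optional exactly when it was empty and skipped `IsValid()` whenever it held a value, please also add a unit test for both inputs (a target past the end of the text, and an in-range target that maps to an invalid LineCol) so that the fuzzer is not the only regression guard for this predicate.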