[GNUnet-SVN] [gnurl] 178/256: rtsp: do not call fwrite() with NULL pointer FILE *

[gnunet]

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit a14f7152ce1c25cf110d3ccf640f9d4ce17dacd3
Author: Daniel Stenberg <address@hidden>
AuthorDate: Fri Sep 8 10:20:36 2017 +0200

    rtsp: do not call fwrite() with NULL pointer FILE *
    
    If the default write callback is used and no destination has been set, a
    NULL pointer would be passed to fwrite()'s 4th argument.
    
    OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
    (not publicly open yet)
    
    Detected by OSS-fuzz
    Closes #1874
---
 lib/rtsp.c                              |   9 +++++++++
 tests/fuzz/curl_fuzz_data/oss-fuzz-3327 | Bin 0 -> 27 bytes
 2 files changed, 9 insertions(+)

diff --git a/lib/rtsp.c b/lib/rtsp.c
index 9bd935fd5..4bca11459 100644
--- a/lib/rtsp.c
+++ b/lib/rtsp.c
@@ -756,6 +756,15 @@ CURLcode rtp_client_write(struct connectdata *conn, char 
*ptr, size_t len)
   }
 
   writeit = data->set.fwrite_rtp?data->set.fwrite_rtp:data->set.fwrite_func;
+
+  if(!data->set.fwrite_rtp && !data->set.is_fwrite_set &&
+     !data->set.rtp_out) {
+    /* if no callback is set for either RTP or default, the default function
+       fwrite() is utilized and that can't handle a NULL input */
+    failf(data, "No destination to default data callback!");
+    return CURLE_WRITE_ERROR;
+  }
+
   wrote = writeit(ptr, 1, len, data->set.rtp_out);
 
   if(CURL_WRITEFUNC_PAUSE == wrote) {
diff --git a/tests/fuzz/curl_fuzz_data/oss-fuzz-3327 
b/tests/fuzz/curl_fuzz_data/oss-fuzz-3327
new file mode 100644
index 000000000..064cc623a
Binary files /dev/null and b/tests/fuzz/curl_fuzz_data/oss-fuzz-3327 differ

-- 
To stop receiving notification emails like this one, please contact
address@hidden