From 6a69685728e7dbc862ab3ff16eb3055acf6e9bbd Mon Sep 17 00:00:00 2001
From: Charles Giessen
Date: Wed, 27 Aug 2025 15:55:04 -0500
Subject: [PATCH 1/3] Fix uninitialized fuzz test executor

---
 tests/loader_fuzz_tests.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/loader_fuzz_tests.cpp b/tests/loader_fuzz_tests.cpp
index 13936d316..e23e479a2 100644
--- a/tests/loader_fuzz_tests.cpp
+++ b/tests/loader_fuzz_tests.cpp
@@ -40,7 +40,7 @@ void execute_instance_enumerate_fuzzer(std::filesystem::path const& filename) {
     env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
                                ManifestCategory::settings, ManifestLocation::settings_location, "vk_loader_settings.json");
 
-    uint32_t pPropertyCount;
+    uint32_t pPropertyCount = 1;
     VkExtensionProperties pProperties = {0};
     env.vulkan_functions.vkEnumerateInstanceExtensionProperties("test_auto", &pPropertyCount, &pProperties);
 

From 1bc958aa0abf2b5339f5b9a59471c042bb59f5d8 Mon Sep 17 00:00:00 2001
From: Charles Giessen
Date: Wed, 27 Aug 2025 15:55:46 -0500
Subject: [PATCH 2/3] Add fuzz test memory leak case

---
 ...d-instance_enumerate_fuzzer-6470575830925312 | Bin 0 -> 64485 bytes
 tests/loader_fuzz_tests.cpp | 4 +++-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 tests/framework/data/fuzz_test_minimized_test_cases/clusterfuzz-testcase-minimized-instance_enumerate_fuzzer-6470575830925312
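Review bot: `pPropertyCount = 1` is really the capacity of the single `VkExtensionProperties` passed as `pProperties`, and nothing on the added line ties the two together; a comment such as `// capacity of pProperties (one element); VK_INCOMPLETE is expected when more extensions are available` keeps them from drifting apart if the buffer is ever enlarged. The return value of `vkEnumerateInstanceExtensionProperties` is discarded on the following context line, which is acceptable for a crash/leak-only fuzz executor but worth making explicit with `(void)env.vulkan_functions.vkEnumerateInstanceExtensionProperties(...)` or a one-line comment. The body of execute_instance_enumerate_fuzzer continues outside the hunk.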
diff --git a/tests/framework/data/fuzz_test_minimized_test_cases/clusterfuzz-testcase-minimized-instance_enumerate_fuzzer-6470575830925312 b/tests/framework/data/fuzz_test_minimized_test_cases/clusterfuzz-testcase-minimized-instance_enumerate_fuzzer-6470575830925312 new file mode 100644 index 0000000000000000000000000000000000000000..a38496a709bed09eb13196e8c10873e4fea694c5 GIT binary patch literal 64485 zcmeHQ&63-=5#F;OAlImPc6P?I_NFGUV!Kp~E!iq-MiYs$Yu1&jWUslTa?ELux#R(I z${XYv_8s;CHfTsBy3qg#L4-&Sn+Fl1Kmurd{q+w>>g%(a+KT0By_hdI+q<%we_m{N ztId7!hgtFB+naB%i|2s-Iu$<8c1hrlhY{{^?=J7+ zimT1Ox@s=A-2d>yVtZ`kP~-4fTz%PWKe39WrMHK!)u$D^>iuH7ov$|^py{GquZ!oi zVs*dV!2Zj}?LF)tRGsZcwK*%^FaEgy0EKn=2)$58wkst7D19#1tM_FEqOjXh4X8%m z=^tT~vuCgCJ{DPUEw}3j88q7RY@u93f))jphtF{Y;xpFsO-94;V z?^f0PuDo9@)uq*$ugq4ru13wf)jl3IiTpIUWI)` z_k%fZ%edO^7fKF8kZKPjXHBNbVY!Thm%kpx7wZ-~ps_n%P+V1WzuL6OBLC2tv?Ec0 zSs_G>gcm{;PnLwO-G)G4f!GdPj z&gSm~zW)X`Kt`hP%-W8`j+g#wE;;U>D5VrF4A@A4z{X3cZecl4M#ULY+K3KPm%?V2 z>+6@d-(7!y`|A3p8OQYofMD^lHG{lq~;8OtM~f@Y`AvLiwwm?6heXb$ui{BN7gH?UKTN zKJFHiT(7iEXi07qCRryKy7(Y0We1z*q_MP7vVtCOq-_~4#&_ys*q;tX*o4zV6;Eb$ zTRO4~;+m(-OCqevH1;=0v>@t@)F@mC9Q~dH0i(Yfy*3*ns1nTz5v|2v5*-ZHK$;xA z;u_1ynXuF3VDJQ!g*FRb{(3DKVEu$PMhpsZt;Dq&@Y+qAYqk4WZWnEp>fb-t1@~S! 
z8(T1|Y&%`zl8)xy#(o1SFptCukyv0>_+3yUDu1;WFJb5 zGigUAviiuYW4Taj4tbva#uIsGPe~+lz7&qI7E1#5!0Lvj;sKS%Ix|T@K~Vk%99D?>(LSRb2*LFl%CCxe%msj7YZm-*e_|S*_oo; z)!RRM7ChBtr?0vv z=ELf`8I!4^OIF`mi|hcLHDUngzmw$)U^P*9nY1H)L5zuz^(2NkR521s(h_7_PN8S}48R9R3;$*$LefviSgzjuj7^>7r9Y3J?&zo2>_u>((s zLy0QKCNxsk!?SqJi&Yy2&q&j3joV8q6dc}a z6dS@lQ{m%kpx7o!?>0J_p2_h3Qjo?s&O>JXBJq{1)r>H-M|8mNv~ zTO=H4X3-QZ|3^&n6iu>$gDT-{3<@tv9aRgNA*EPil8=^1O!8$+vRRy#fBuQf(D4*- z;t`TIc4gU_n;ji&0{wJEEEbc6B5cxPsA5Za0TfC7BU?Jjs3oKv6B-P}*%|U$JT-Np zc^?5l0DIJQpO2DLmfES>hJ@Ll66KJQtf1$XDzhdU>2WqMF=5P_j5c6|r~OVbArx_* z>;Kyo=UJTRQ*)pLadg~^yo##QsN;O&jSUmyvk_7#bueOYJnPOSa?22-Rp{RQ!McBb zkm(b;7rMs^G#t`P%#0+Rmgu9ln3mrH#n&70N{1um){#s0pq{~cpDDehFW)grPRSk| zhu3c7X$?s;$a|D)%`kh45x*yLaw3W(zVVk>m*|6?HfbRd&L_-jY{25K<$#jvpft( zQc%l6MS!_+D*rK{r+F#up~Y898B{iF{i|6Fq)whn{~y-a4Cdc@kWuo z1KITbwr@7op&2^a1F?f72?LtxH?DsUS4}k&t?gJp$M2q}vmTLyaXu|3jC9Wl>zyT4 zHXwkIr>_mV4h5_0W=wXy7R7dVA?pp?s)zXioZq3A*Q^igKcH-fMy#Ctfwx71@YN#B zNUraJ9$AxVWN9oy+Q_LL@`@`W!NmrorvpU}C=F>%oYi$RCcBxJEsS9`GWfHz5!2l z;>k0ed*sZ7rOCnXa1tLR;J~(Efb|pfrz<1i7EM-AbeMk0h< z+lUo%&`;nq_B)rQsSo4N%~Mtut1s_WoN_uU#!)@+V3d?<(xfhuBY39TDiMb~FM5Oy z+EI+eGCDIXaK*ebe<|o)+`bW>MT-$hs(@I+r$a7Y3okq>EBL`n;RN zy;IZ6!fG9AQy-`lY0Xf!BYUxRRl-fMSv51BV6$?PtjB0z*B_??e0oekZLLH{5*^jr zWA+py5*;b4xY#Mm7svGYSXGD7QH=Xg&F{+l)l$uYYX6+ariZs2BF{H8w9|*{DNm4D zH(J$S6P<46?M4U33I>+hNoHHP6v{hoSf3RP@Le*uUoey8VIf()YWPJwD7_~JQ1 zso%>YqViWe8KJeRvwfoOt7(nacC4TNA&q6^>8wZOU=OhDa)kkp@0@L+-UbW1!CeV^{V8SarYhcC?+^QTpa4-!bz zwCD=!C+IqjyqQB<9~h$fyYPx-gp&}eGK9PJu&MKBASv9uAwnk8pbd~kl^D6Wtn21S zF>CT%1*hiEKND1;J2e=M=#GW7E-}gEpA6MPn)tmyj>bEF{=0{fvnJEzVC+oVoOcSt zfTA}D9kGcTw8z#to|+ju6fAfd+}ZUg&9QE=18{zSpooF29wD)|{?SwVS^m!VR-G0p zaiQ3^E4c5nBGP@^d_&ywwK=HUC?6i?pB9fhl{tG&e$l^vF4r#{BPi7I8_)6YtmCvj zElTx4qTA5z3vqLHz*p$Q8{GT78 JeB6pR{|8XvoB;p; literal 0 HcmV?d00001 diff --git a/tests/loader_fuzz_tests.cpp b/tests/loader_fuzz_tests.cpp index e23e479a2..4298ecf33 100644 --- a/tests/loader_fuzz_tests.cpp +++ b/tests/loader_fuzz_tests.cpp 
@@ -135,7 +135,9 @@ TEST(BadJsonInput, ClusterFuzzTestCase_6583684169269248) {
     // Nullptr dereference in loader_copy_to_new_str
     execute_instance_enumerate_fuzzer("clusterfuzz-testcase-minimized-instance_enumerate_fuzzer-6583684169269248");
 }
-
+TEST(BadJsonInput, ClusterFuzzTestCase_6470575830925312) {
+    execute_instance_enumerate_fuzzer("clusterfuzz-testcase-minimized-instance_enumerate_fuzzer-6470575830925312");
+}
 TEST(BadJsonInput, ClusterFuzzTestCase_5258042868105216) {
     // Doesn't crash with ASAN or UBSAN
     // Doesn't reproducibly crash - json_load_fuzzer: Abrt in loader_cJSON_Delete

From 0fcdb81b6545443e5b394e7f11a29efb6f0cba82 Mon Sep 17 00:00:00 2001
From: Charles Giessen
Date: Wed, 27 Aug 2025 15:55:58 -0500
Subject: [PATCH 3/3] Fix unused settings causing memory leaks

---
 loader/settings.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/loader/settings.c b/loader/settings.c
index 0e5c8681a..d1a9afcc5 100644
--- a/loader/settings.c
+++ b/loader/settings.c
@@ -763,14 +763,14 @@ VkResult get_loader_settings(const struct loader_instance* inst, loader_settings
     cJSON_ArrayForEach(log_element, logs_to_use) {
         // bool is_valid = true;
         struct loader_string_list log_destinations = {0};
-        res = loader_parse_json_array_of_strings(inst, log_element, "destinations", &log_destinations);
-        if (res != VK_SUCCESS) {
+        VkResult parse_dest_res = loader_parse_json_array_of_strings(inst, log_element, "destinations", &log_destinations);
+        if (parse_dest_res != VK_SUCCESS) {
             // is_valid = false;
         }
         free_string_list(inst, &log_destinations);
         struct loader_string_list log_filters = {0};
-        res = loader_parse_json_array_of_strings(inst, log_element, "filters", &log_filters);
-        if (res != VK_SUCCESS) {
+        VkResult parse_filters_res = loader_parse_json_array_of_strings(inst, log_element, "filters", &log_filters);
+        if (parse_filters_res != VK_SUCCESS) {
             // is_valid = false;
         }
         free_string_list(inst, &log_filters);
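Review bot: The new ClusterFuzzTestCase_6470575830925312 is the only test in this hunk without a comment naming what it reproduces, while its neighbours do (`// Nullptr dereference in loader_copy_to_new_str`); the patch subject says this is the memory-leak case, so a line such as `// Memory leak in get_loader_settings when an optional log entry fails to parse (presumably a LeakSanitizer finding - confirm)` tells a future reader which sanitizer has to be enabled for the test to mean anything. The removed blank line also leaves the new TEST butted directly against both neighbouring tests, unlike the rest of the hunk; keeping one blank line on each side matches the surrounding layout.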
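Review bot: Renaming the two parse results to `parse_dest_res` and `parse_filters_res` stops them from clobbering the function-level `res`, but nothing on the new lines says that this is the point, and each value only feeds an `if` whose body is commented out, so a later cleanup could well fold them back into `res` and reintroduce the leak. A comment above the first parse, `// Kept separate from res on purpose: a malformed optional log entry must not fail get_loader_settings as a whole, which previously left already-allocated settings unfreed`, records the reason (the leak mechanism is inferred from the patch subject and should be confirmed before the comment is committed). Since both `if` bodies are empty, either a TODO on the `// is_valid = false;` lines or a `(void)parse_dest_res;`-style discard would make the intended future use explicit rather than looking like dead code. get_loader_settings begins before the hunk and the cJSON_ArrayForEach loop continues after it.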