afl-fuzz: Fix double free

This crash was found by running afl-fuzz. When a compile error is found,
we would sometimes free the block list twice, once in compile_file() and
once again in compile_filter(). This change sets |*arg_blocks| to NULL
after freeing it to avoid that.

Bug: None
Test: make tests
Change-Id: I048e0008acd6bf386b96d2f895953bd646af156a
diff --git a/syscall_filter_unittest.cc b/syscall_filter_unittest.cc
index 776f7db..a1f546c 100644
--- a/syscall_filter_unittest.cc
+++ b/syscall_filter_unittest.cc
@@ -963,6 +963,23 @@
   ASSERT_EQ(res, -1);
 }
 
+TEST_F(FileTest, double_free_on_compile_error) {
+  const char *policy =
+      "read:arg0 == 0\n"
+      "write:0";
+
+  FILE *policy_file = write_policy_to_pipe(policy, strlen(policy));
+  ASSERT_NE(policy_file, nullptr);
+  int res = compile_file(
+      policy_file, head_, &arg_blocks_, &labels_, USE_RET_KILL, NO_LOGGING, 0);
+  fclose(policy_file);
+
+  /*
+   * Policy is malformed, but process should not crash.
+   */
+  ASSERT_EQ(res, -1);
+}
+
 TEST_F(FileTest, seccomp_mode1) {
   const char *policy =
       "read: 1\n"
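Review bot: The new test only checks the return code at `ASSERT_EQ(res, -1);`, so it does not by itself pin the behaviour the commit message describes (clearing `*arg_blocks` after the free); on a build without a sanitizer, a regression back to the double free would go unnoticed unless the fixture teardown happens to crash. Adding `ASSERT_EQ(arg_blocks_, nullptr);` after the return-code check makes the regression visible on every build. The assumption here is that the fixture's `arg_blocks_` member is what `compile_file` clears through `&arg_blocks_` — the fixture setup and teardown are outside this hunk, so confirm that before relying on it. The three-line block comment could also be a single `// Policy is malformed, but the process must not crash.` to match the one-sentence content.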