Skip to content

Fix issues found by fuzz testing #6508

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Antwy wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix issues found by fuzz testing #6508

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9dd2cde
Fix issues found by fuzz testing
Antwy Jan 13, 2026
a8da911
Merge branch 'Tencent:master' into fix_fuzz_issues
Antwy Feb 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/stb_image.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1677,6 +1677,7 @@ static void stbi__skip(stbi__context *s, int n)
#else
static int stbi__getn(stbi__context *s, stbi_uc *buffer, int n)
{
if (!buffer) return 1;
Copy link

Copilot AI Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The early return value for a null buffer is incorrect. When buffer is null, the function returns 1, which indicates success in this codebase (see line 1698 where successful reading returns 1, and line 1700 where failure returns 0). Returning 1 for a null buffer would indicate that the read operation succeeded when it actually failed. The function should return 0 when buffer is null to properly indicate an error condition.

Suggested change
if (!buffer) return 1;
if (!buffer) return 0;

Copilot uses AI. Check for mistakes.
if (s->io.read) {
int blen = (int) (s->img_buffer_end - s->img_buffer);
if (blen < n) {
Expand Down
8 changes: 7 additions & 1 deletion tools/darknet/darknet2ncnn.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,7 +224,7 @@ void load_cfg(const char* filename, std::deque<Section*>& dnet)
section->original_layer_count = section_count++;
dnet.push_back(section);
}
else if ((pos = line.find_first_of('=')) != std::string::npos)
else if (section && (pos = line.find_first_of('=')) != std::string::npos)
{
std::string key = line.substr(0, pos);
std::string value = line.substr(pos + 1, line.length() - 1);
Expand Down Expand Up @@ -950,5 +950,11 @@ int main(int argc, char** argv)
printf("NOTE: Make sure your pre-processing and post-processing support letter_box.\n");
printf("NOTE: Remember to use ncnnoptimize for better performance.\n");

for (auto it = dnet.begin(); it != dnet.end(); it++)
{
auto s = *it;
delete s;
}
Comment on lines +953 to +957
Copy link

Copilot AI Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Memory cleanup for dnet sections is missing on error paths. If fopen fails for ncnn_param at line 905 or ncnn_bin at line 909, file_error is called which exits the program without freeing the Section objects allocated in dnet. Similarly, if update_field encounters an unsupported option at line 193, it exits without cleanup. These error paths should clean up the dnet sections before exiting to avoid memory leaks.

Copilot uses AI. Check for mistakes.

return 0;
}
2 changes: 1 addition & 1 deletion tools/mxnet/mxnet2ncnn.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -438,7 +438,7 @@ static bool read_mxnet_json(const char* jsonpath, std::vector<MXNetNode>& nodes)
{
// workaround for potential duplicated _plus0
char underscorename[256];
sprintf(underscorename, "underscorencnn_%d%s", internal_underscore, n.name.c_str());
snprintf(underscorename, 256, "underscorencnn_%d%s", internal_underscore, n.name.c_str());
Copy link

Copilot AI Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sprintf call at line 431 in the same function has the same buffer overflow vulnerability as the one fixed here. Line 431 uses sprintf(unknownname, "unknownncnn_%d", internal_unknown) which could overflow the 256-byte buffer if internal_unknown is a very large integer. This should also be changed to use snprintf for consistency and safety.

Copilot uses AI. Check for mistakes.

n.name = underscorename;

Expand Down
Loading