Always memset newly reallocated memory

charles-lunarg · charles-lunarg · commit d1239269c224 · 2025-01-06T14:04:28.000-07:00
Fuzz testing found a case where memory was left uninitialized after
calling loader_realloc, causing a crash due to reading of that memory.
The fix is to *always* memset newly reallocated memory, since a value of
zero is a good default value, especially if that memory is for a list.
This commit removes the redundant memsets, since realloc now has the
responsibility to initialize memory.
diff --git a/loader/allocation.c b/loader/allocation.c
@@ -98,6 +98,10 @@ void *loader_realloc(const VkAllocationCallbacks *pAllocator, void *pMemory, siz
 #endif
     } else {
         pNewMem = realloc(pMemory, size);
+        // Clear out the newly allocated memory
+        if (size > orig_size) {
+            memset((uint8_t *)pNewMem + orig_size, 0, size - orig_size);
+        }
     }
     return pNewMem;
 }
diff --git a/loader/loader.c b/loader/loader.c
@@ -323,8 +323,6 @@ VkResult append_str_to_string_list(const struct loader_instance *inst, struct lo
             loader_instance_heap_free(inst, str);  // Must clean up in case of failure
             return VK_ERROR_OUT_OF_HOST_MEMORY;
         }
-        // Null out the new space
-        memset(string_list->list + string_list->allocated_count, 0, string_list->allocated_count);
         string_list->allocated_count *= 2;
     }
     string_list->list[string_list->count++] = str;
@@ -439,7 +437,6 @@ VkResult loader_append_layer_property(const struct loader_instance *inst, struct
             goto out;
         }
         layer_list->list = new_ptr;
-        memset((uint8_t *)layer_list->list + layer_list->capacity, 0, layer_list->capacity);
         layer_list->capacity *= 2;
     }
     memcpy(&layer_list->list[layer_list->count], layer_property, sizeof(struct loader_layer_properties));
diff --git a/tests/framework/data/fuzz_test_minimized_test_cases/clusterfuzz-testcase-instance_create_fuzzer-5817896795701248 b/tests/framework/data/fuzz_test_minimized_test_cases/clusterfuzz-testcase-instance_create_fuzzer-5817896795701248
diff --git a/tests/loader_fuzz_tests.cpp b/tests/loader_fuzz_tests.cpp
@@ -200,6 +200,9 @@ TEST(BadJsonInput, ClusterFuzzTestCase_6353004288081920) {
     // Stack overflow due to recursive meta layers
     execute_instance_create_fuzzer("clusterfuzz-testcase-minimized-instance_create_fuzzer-6353004288081920");
 }
+TEST(BadJsonInput, ClusterFuzzTestCase_5817896795701248) {
+    execute_instance_create_fuzzer("clusterfuzz-testcase-instance_create_fuzzer-5817896795701248");
+}
 TEST(BadJsonInput, ClusterFuzzTestCase_6465902356791296) {
     // Does crash with UBSAN
     // Doesn't crash with ASAN

Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,10 @@ void loader_realloc(const VkAllocationCallbacks pAllocator, void *pMemory, siz`
`98`	`98`	`#endif`
`99`	`99`	`} else {`
`100`	`100`	`pNewMem = realloc(pMemory, size);`
	`101`	`+ // Clear out the newly allocated memory`
	`102`	`+ if (size > orig_size) {`
	`103`	`+ memset((uint8_t *)pNewMem + orig_size, 0, size - orig_size);`
	`104`	`+ }`
`101`	`105`	`}`
`102`	`106`	`return pNewMem;`
`103`	`107`	`}`
Original file line number	Diff line number	Diff line change
`@@ -323,8 +323,6 @@ VkResult append_str_to_string_list(const struct loader_instance *inst, struct lo`
`323`	`323`	`loader_instance_heap_free(inst, str); // Must clean up in case of failure`
`324`	`324`	`return VK_ERROR_OUT_OF_HOST_MEMORY;`
`325`	`325`	`}`
`326`		`- // Null out the new space`
`327`		`- memset(string_list->list + string_list->allocated_count, 0, string_list->allocated_count);`
`328`	`326`	`string_list->allocated_count *= 2;`
`329`	`327`	`}`
`330`	`328`	`string_list->list[string_list->count++] = str;`
`@@ -439,7 +437,6 @@ VkResult loader_append_layer_property(const struct loader_instance *inst, struct`
`439`	`437`	`goto out;`
`440`	`438`	`}`
`441`	`439`	`layer_list->list = new_ptr;`
`442`		`- memset((uint8_t *)layer_list->list + layer_list->capacity, 0, layer_list->capacity);`
`443`	`440`	`layer_list->capacity *= 2;`
`444`	`441`	`}`
`445`	`442`	`memcpy(&layer_list->list[layer_list->count], layer_property, sizeof(struct loader_layer_properties));`