tests: [fuzz] fix potential null dereference

pablodelara · pablodelara · commit fa32879c2dd0 · 2025-08-11T17:37:49.000+01:00
There is a possibility that zstate.msg = NULL, which is set
in inflateInit2() function. In that case, we should not
compare against another string.

Signed-off-by: Pablo de Lara &lt;pablo.de.lara.guarch@intel.com&gt;
diff --git a/tests/fuzz/igzip_checked_inflate_fuzz_test.c b/tests/fuzz/igzip_checked_inflate_fuzz_test.c
@@ -59,10 +59,11 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
                         /* If zlib errors, assert isal errors, excluding a few
                          * cases where zlib is overzealous and when zlib notices
                          * an error faster than isal */
-                        assert(iret < 0 || strcmp(zstate.msg, z_msg_invalid_code_set) == 0 ||
-                               strcmp(zstate.msg, z_msg_invalid_dist_set) == 0 ||
-                               strcmp(zstate.msg, z_msg_invalid_lit_len_set) == 0 ||
-                               (iret == ISAL_END_INPUT && zstate.avail_in < 3));
+                        assert(iret < 0 || (iret == ISAL_END_INPUT && zstate.avail_in < 3) ||
+                               (zstate.msg != NULL &&
+                                (strcmp(zstate.msg, z_msg_invalid_code_set) == 0 ||
+                                 strcmp(zstate.msg, z_msg_invalid_dist_set) == 0 ||
+                                 strcmp(zstate.msg, z_msg_invalid_lit_len_set) == 0)));
 
         } else
                 /* If zlib did not finish or error, assert isal did not finish
