From f3d9b4808a5645ad2ff5d0fee4085bb06cb83419 Mon Sep 17 00:00:00 2001
From: yang-g <yangg@google.com>
Date: Wed, 12 Apr 2017 15:21:56 -0700
Subject: [PATCH] Fix buffer overflow
 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=973

---
 src/core/lib/channel/http_server_filter.c     |   6 ++---
 .../clusterfuzz-testcase-5595941564317696     | Bin 0 -> 92 bytes
 tools/run_tests/generated/tests.json          |  23 ++++++++++++++++++
 3 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 test/core/end2end/fuzzers/server_fuzzer_corpus/clusterfuzz-testcase-5595941564317696

diff --git a/src/core/lib/channel/http_server_filter.c b/src/core/lib/channel/http_server_filter.c
index c1e49ffacc..ebcde5315f 100644
--- a/src/core/lib/channel/http_server_filter.c
+++ b/src/core/lib/channel/http_server_filter.c
@@ -240,9 +240,9 @@ static grpc_error *server_filter_incoming_metadata(grpc_exec_ctx *exec_ctx,
       const int k_url_safe = 1;
       grpc_slice_buffer_add(
           &calld->read_slice_buffer,
-          grpc_base64_decode(exec_ctx,
-                             (const char *)GRPC_SLICE_START_PTR(query_slice),
-                             k_url_safe));
+          grpc_base64_decode_with_len(
+              exec_ctx, (const char *)GRPC_SLICE_START_PTR(query_slice),
+              GRPC_SLICE_LENGTH(query_slice), k_url_safe));
       grpc_slice_buffer_stream_init(&calld->read_stream,
                                     &calld->read_slice_buffer, 0);
       calld->seen_path_with_query = true;
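Review bot: The decoded slice is appended to `calld->read_slice_buffer` on the new side without any check that decoding succeeded; if `grpc_base64_decode_with_len` follows the usual gRPC convention of returning an empty slice on malformed input, a client sending garbage base64 in the query string is now silently treated as having sent an empty message body instead of being rejected. Since `server_filter_incoming_metadata` returns `grpc_error *`, I would store the decode result in a local, treat a zero-length result from a non-empty `query_slice` as a failure, unref it and return an error rather than initialising `read_stream` on it. The length-aware call itself is the right fix, as the previous overload took a bare `const char *` and so appears to have assumed a NUL terminator that slice memory does not guarantee, which is presumably the over-read the fuzzer hit. A short comment above the call, e.g. `/* query_slice is not NUL-terminated; always decode by explicit length */`, would keep someone from reverting to the `char *` overload later. The enclosing function begins before this hunk, so the handling of `query_slice` itself is not visible here.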
diff --git a/test/core/end2end/fuzzers/server_fuzzer_corpus/clusterfuzz-testcase-5595941564317696 b/test/core/end2end/fuzzers/server_fuzzer_corpus/clusterfuzz-testcase-5595941564317696
new file mode 100644
index 0000000000000000000000000000000000000000..335ce87196fbdab771bab219b3d0e42d497ca59a
GIT binary patch
literal 92
zcmWFt@>I}L@CXSB&^OXE;N{}w3ibt&3=BLh3}C<vBDsMW#7JWVarm297B9K#vn74<
a^`D7>+>Sxsy1GCe3@i#j0tC1~LR<id#SWnW

literal 0
HcmV?d00001

diff --git a/tools/run_tests/generated/tests.json b/tools/run_tests/generated/tests.json
index 12d48f219d..188b77586e 100644
--- a/tools/run_tests/generated/tests.json
+++ b/tools/run_tests/generated/tests.json
@@ -150787,6 +150787,29 @@
     ], 
     "uses_polling": false
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/server_fuzzer_corpus/clusterfuzz-testcase-5595941564317696"
+    ], 
+    "ci_platforms": [
+      "linux"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [
+      "tsan"
+    ], 
+    "exclude_iomgrs": [
+      "uv"
+    ], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "server_fuzzer_one_entry", 
+    "platforms": [
+      "mac", 
+      "linux"
+    ], 
+    "uses_polling": false
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/server_fuzzer_corpus/clusterfuzz-testcase-6312731374256128"
-- 
GitLab