This is a follow up to my first patch attempt. After scrutinizing this a
bit more, it turns out my previous patch wasn't actually addresing the
root cause.
The ASan stacktrace (found by OSS-Fuzz) for this issue is:
```
==399==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000218 at pc 0x5cffda946877 bp 0x7ffe90702810 sp 0x7ffe90702808
READ of size 4 at 0x502000000218 thread T0
#0 0x5cffda946876 in compute_seq_size bluez/src/sdp-xml.c:62:21
#1 0x5cffda946876 in element_end bluez/src/sdp-xml.c:548:42
#2 0x5cffda984416 in emit_end_element glib/glib/gmarkup.c:1045:5
#3 0x5cffda983978 in g_markup_parse_context_parse glib/glib/gmarkup.c:1603:19
#4 0x5cffda944c55 in sdp_xml_parse_record bluez/src/sdp-xml.c:621:6
#5 0x5cffda949cf1 in LLVMFuzzerTestOneInput /src/fuzz_xml.c:30:9
#6 0x5cffda7f9730 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#7 0x5cffda7e49a5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#8 0x5cffda7ea43f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#9 0x5cffda8156e2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0x7e0ccb446082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
#11 0x5cffda7dcb8d in _start
```
This patch should address this issue properly. Please see the commit
message for more details.
Oliver Chang (1):
Fix heap-buffer-overflow in sdp_xml.c:compute_seq_size
src/sdp-xml.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--
2.51.0.rc0.205.g4a044479a3-goog
