rtsp: do not call fwrite() with NULL pointer FILE *
authorDaniel Stenberg <daniel@haxx.se>
Fri, 8 Sep 2017 08:20:36 +0000 (10:20 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Fri, 8 Sep 2017 21:56:02 +0000 (23:56 +0200)
If the default write callback is used and no destination has been set, a
NULL pointer would be passed to fwrite()'s 4th argument.

OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
(not publicly open yet)

Detected by OSS-fuzz
Closes #1874

lib/rtsp.c
tests/fuzz/curl_fuzz_data/oss-fuzz-3327 [new file with mode: 0644]

index 9bd935fd518cccaf051d0d4abf099f0f7f58506b..4bca114593cacae39168a52ef888779de457b05f 100644 (file)
@@ -756,6 +756,15 @@ CURLcode rtp_client_write(struct connectdata *conn, char *ptr, size_t len)
   }
 
   writeit = data->set.fwrite_rtp?data->set.fwrite_rtp:data->set.fwrite_func;
+
+  if(!data->set.fwrite_rtp && !data->set.is_fwrite_set &&
+     !data->set.rtp_out) {
+    /* if no callback is set for either RTP or default, the default function
+       fwrite() is utilized and that can't handle a NULL input */
+    failf(data, "No destination to default data callback!");
+    return CURLE_WRITE_ERROR;
+  }
+
   wrote = writeit(ptr, 1, len, data->set.rtp_out);
 
   if(CURL_WRITEFUNC_PAUSE == wrote) {
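Review bot: The comment and the failf() text in the new guard before the `writeit(ptr, 1, len, data->set.rtp_out)` call say "NULL input" and "No destination" without naming what is NULL, so someone who gets CURLE_WRITE_ERROR cannot tell which option to set. The NULL value is the `FILE *` stream argument, `data->set.rtp_out`, so the comment could read `/* the default fwrite() would be called with a NULL FILE * (rtp_out) */`. The error message could also name the option that supplies the stream, presumably CURLOPT_INTERLEAVEDATA. The guard also relies on `is_fwrite_set` correctly reflecting whether `fwrite_func` is still the default fwrite(); that flag is maintained outside this hunk, so it is worth confirming for the case where an application resets the write callback. rtp_client_write() starts before and continues after the hunk.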
diff --git a/tests/fuzz/curl_fuzz_data/oss-fuzz-3327 b/tests/fuzz/curl_fuzz_data/oss-fuzz-3327
new file mode 100644 (file)
index 0000000..064cc62
Binary files /dev/null and b/tests/fuzz/curl_fuzz_data/oss-fuzz-3327 differ