Fuzzing Harness Leads to False Positives on Bad Format Strings

[clesmian]

The fuzzing harness used for OSS-Fuzz does not do any sanity check on the input to determine whether it contains any format characters. As it does not supply any arguments to redisFormatCommand this leads to crashes for numerous format strings like, for example, %s%s that require dereferencing pointers supplied as arguments.

Crashes like this are however not actual issues, because they do not result from a bug in the tested code, but rather a bug in the fuzzer, namely failing to supply the correct number of arguments to the function.

Possible Ways Forward

To improve the situation I see two ways forward:

1. 'Defuse' the format strings by replacing % with a different character OR
2. Count the amount of format specifiers and supply a sufficient amount of arguments (potentially taken from the fuzzing input)

Doing so would improve the quality of the harness, because it no longer crashes for obvious non-issues.

[michael-grunder]

I noticed this some time ago and had planned on fixing it but other things got in the way.

My instinct is to just diffuse the format strings. We could attempt to count and provide sufficient arguments, but the logic would need to both count the specifiers and be completely aware of what a valid argument would look like. For example %s' would require a null terminated string and %b` requires the input length.