From 0e0dd95ca240799a78bce4588bdf109f02a8d38e Mon Sep 17 00:00:00 2001
From: David Korczynski
Date: Mon, 28 Aug 2023 12:28:55 -0700
Subject: [PATCH 1/3] decode: fix possible NULL dereference
Found by a recently added fuzzer.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61743
Signed-off-by: David Korczynski
---
 src/cmt_decode_msgpack.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/cmt_decode_msgpack.c b/src/cmt_decode_msgpack.c
index 2e1cf31..009ac4a 100644
--- a/src/cmt_decode_msgpack.c
+++ b/src/cmt_decode_msgpack.c
@@ -1006,7 +1006,12 @@ static int unpack_basic_type_meta(mpack_reader_t *reader, size_t index, void *co
 }
 else if(decode_context->map->type == CMT_COUNTER) {
 counter = (struct cmt_counter *) decode_context->map->parent;
- counter->aggregation_type = decode_context->aggregation_type;
+ if (counter == NULL) {
+ result = CMT_DECODE_MSGPACK_ALLOCATION_ERROR;
+ }
+ else {
+ counter->aggregation_type = decode_context->aggregation_type;
+ }
 }
 }
From 77b4c9d01a7b4859e213e18c296a56b810a09ded Mon Sep 17 00:00:00 2001
From: David Korczynski
Date: Sat, 14 Oct 2023 14:54:02 +0100
Subject: [PATCH 2/3] decode: adjust NULL-dereference fix
Signed-off-by: David Korczynski
---
 src/cmt_decode_msgpack.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/cmt_decode_msgpack.c b/src/cmt_decode_msgpack.c
index 009ac4a..e0daec6 100644
--- a/src/cmt_decode_msgpack.c
+++ b/src/cmt_decode_msgpack.c
@@ -978,6 +978,9 @@ static int unpack_basic_type_meta(mpack_reader_t *reader, size_t index, void *co
 if (CMT_DECODE_MSGPACK_SUCCESS == result) {
 decode_context->map->label_count = cfl_list_size(&decode_context->map->label_keys);
+ if (decode_context->map == NULL || decode_context->map->parent == NULL) {
+ return CMT_DECODE_MSGPACK_INVALID_ARGUMENT_ERROR;
+ }
 if (decode_context->map->type == CMT_HISTOGRAM) {
 histogram = (struct cmt_histogram *) decode_context->map->parent;
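Review bot: In the @@ -978 hunk of PATCH 2/3 the new guard is placed after `decode_context->map->label_count = cfl_list_size(&decode_context->map->label_keys);`, so `decode_context->map` has already been dereferenced by the time `decode_context->map == NULL` is tested and that half of the condition can never fire safely. PATCH 3/3 below reorders the two statements; folding that reorder into this commit would keep the series bisectable, since this intermediate state still crashes on the input the fuzzer reported. The `parent == NULL` half is effective as written, because nothing above it in the hunk touches `parent`. unpack_basic_type_meta begins and ends outside the hunk, so whether the bare `return` skips any cleanup at the end of the function cannot be judged from here.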
@@ -1006,12 +1009,7 @@ static int unpack_basic_type_meta(mpack_reader_t *reader, size_t index, void *co
 }
 else if(decode_context->map->type == CMT_COUNTER) {
 counter = (struct cmt_counter *) decode_context->map->parent;
- if (counter == NULL) {
- result = CMT_DECODE_MSGPACK_ALLOCATION_ERROR;
- }
- else {
- counter->aggregation_type = decode_context->aggregation_type;
- }
+ counter->aggregation_type = decode_context->aggregation_type;
 }
 }
From 5bd68b7d1162856c98448a362e09406734414e13 Mon Sep 17 00:00:00 2001
From: David Korczynski
Date: Wed, 18 Oct 2023 15:16:24 +0100
Subject: [PATCH 3/3] decode: adjust NULL check
Signed-off-by: David Korczynski
---
 src/cmt_decode_msgpack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cmt_decode_msgpack.c b/src/cmt_decode_msgpack.c
index e0daec6..4ede1bd 100644
--- a/src/cmt_decode_msgpack.c
+++ b/src/cmt_decode_msgpack.c
@@ -977,11 +977,11 @@ static int unpack_basic_type_meta(mpack_reader_t *reader, size_t index, void *co
 result = cmt_mpack_unpack_map(reader, callbacks, context);
 if (CMT_DECODE_MSGPACK_SUCCESS == result) {
- decode_context->map->label_count = cfl_list_size(&decode_context->map->label_keys);
 if (decode_context->map == NULL || decode_context->map->parent == NULL) {
 return CMT_DECODE_MSGPACK_INVALID_ARGUMENT_ERROR;
 }
+ decode_context->map->label_count = cfl_list_size(&decode_context->map->label_keys);
 if (decode_context->map->type == CMT_HISTOGRAM) {
 histogram = (struct cmt_histogram *) decode_context->map->parent;
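Review bot: The guard in the @@ -977 hunk of PATCH 3/3 leaves unpack_basic_type_meta with a bare `return` while the surrounding code routes failures through `result` (`result = cmt_mpack_unpack_map(...)`, `if (CMT_DECODE_MSGPACK_SUCCESS == result)`); the function body continues past the hunk, so if its tail does anything beyond `return result;`, this path skips it. Where that is the case, `result = CMT_DECODE_MSGPACK_INVALID_ARGUMENT_ERROR;` followed by falling through to the existing exit would keep one error path. A one-line comment would also tell the next reader why a map that unpacked successfully can still lack its owner, e.g. `/* a malformed message can leave the map or its owning metric unset; reject it before the type-specific casts below */`. Note that the check refuses a NULL `parent` for every map type, not only the CMT_HISTOGRAM and CMT_COUNTER branches that cast it; if any other metric type legitimately carries no parent, well-formed input would now be rejected, which is worth confirming against how `parent` is populated.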