Patch issue in the openssl that might cause false positive

sobomax · sobomax · commit 61400c4743ad · 2025-03-22T11:21:45.000-07:00
running sanitizer.
diff --git a/scripts/fuzz/libssl-dev.patch b/scripts/fuzz/libssl-dev.patch
@@ -99,3 +99,23 @@ Last-Update: 2024-08-16
      int i, ret = 0;
      enum {
          i_1 = 0, i_10,     i_11,     i_101, i_111, i_1010, i_1111,
+--- openssl-1.1.1f.orig/ssl/ssl_lib.c	2025/03/22 18:19:03	1.1
++++ openssl-1.1.1f/ssl/ssl_lib.c	2025/03/22 18:19:09
+@@ -929,7 +929,7 @@
+      * any new session built out of this id/id_len and the ssl_version in use
+      * by this SSL.
+      */
+-    SSL_SESSION r, *p;
++    SSL_SESSION r = {0}, *p;
+ 
+     if (id_len > sizeof(r.session_id))
+         return 0;
+@@ -5415,7 +5415,7 @@
+     STACK_OF(SSL_CIPHER) *scsvs = NULL;
+     int n;
+     /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
+-    unsigned char cipher[SSLV2_CIPHER_LEN];
++    unsigned char cipher[SSLV2_CIPHER_LEN] = {0};
+ 
+     n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
+ 
