From https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60906

$ valgrind bin/fuzz_ndr_spoolss_TYPE_OUT ~/Downloads/clusterfuzz-testcase-minimized-fuzz_ndr_spoolss_TYPE_OUT-5223912281079808.fuzz
==2100925== Memcheck, a memory error detector
==2100925== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2100925== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==2100925== Command: bin/fuzz_ndr_spoolss_TYPE_OUT /home/douglasb/Downloads/clusterfuzz-testcase-minimized-fuzz_ndr_spoolss_TYPE_OUT-5223912281079808.fuzz
==2100925==
==2100925== Invalid read of size 8
==2100925==    at 0x1FCA3C: ndr_push_spoolss_PrinterEnumValues (ndr_spoolss.c:22939)
==2100925==    by 0x25CE41: ndr_push___spoolss_EnumPrinterDataEx (ndr_spoolss.c:35251)
==2100925==    by 0x15F1C3: ndr_push_spoolss_EnumPrinterDataEx (ndr_spoolss_buf.c:628)
==2100925==    by 0x165EF7: LLVMFuzzerTestOneInput (fuzz_ndr_spoolss_TYPE_OUT.c:311)
==2100925==    by 0x166098: main (afl-fuzz-main.c:46)
==2100925==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2100925==
==2100925==
==2100925== Process terminating with default action of signal 11 (SIGSEGV)
==2100925==  Access not within mapped region at address 0x0
==2100925==    at 0x1FCA3C: ndr_push_spoolss_PrinterEnumValues (ndr_spoolss.c:22939)
==2100925==    by 0x25CE41: ndr_push___spoolss_EnumPrinterDataEx (ndr_spoolss.c:35251)
==2100925==    by 0x15F1C3: ndr_push_spoolss_EnumPrinterDataEx (ndr_spoolss_buf.c:628)
==2100925==    by 0x165EF7: LLVMFuzzerTestOneInput (fuzz_ndr_spoolss_TYPE_OUT.c:311)
==2100925==    by 0x166098: main (afl-fuzz-main.c:46)
==2100925==  If you believe this happened as a result of a stack
==2100925==  overflow in your program's main thread (unlikely but
==2100925==  possible), you can try to increase the size of the
==2100925==  main thread stack using the --main-stacksize= flag.
==2100925==  The main thread stack size used in this run was 8388608.
==2100925==
==2100925== HEAP SUMMARY:
==2100925==     in use at exit: 173,221 bytes in 717 blocks
==2100925==   total heap usage: 1,321 allocs, 604 frees, 187,421 bytes allocated
==2100925==
==2100925== LEAK SUMMARY:
==2100925==    definitely lost: 0 bytes in 0 blocks
==2100925==    indirectly lost: 0 bytes in 0 blocks
==2100925==      possibly lost: 6,397 bytes in 15 blocks
==2100925==    still reachable: 166,824 bytes in 702 blocks
==2100925==         suppressed: 0 bytes in 0 blocks
==2100925== Rerun with --leak-check=full to see details of leaked memory
==2100925==
==2100925== For lists of detected and suppressed errors, rerun with: -s
==2100925== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

This one does not cause problems when converted to ndrdump:

bin/ndrdump spoolss 79 out --base64-input --input AAAAAAAAAAAgICAgIP///w==

I'm not sure why.