Segfault in _zz_fuzz when calling getpwnam_r or getpwuid_r #28

Open
Quipyowert2 opened this issue Dec 1, 2020 · 0 comments

@Quipyowert2 (Contributor)

The program in the examples section of the getpwuid_r() manual page crashes in _zz_fuzz when run with zzuf ./a.out nathan. It was compiled with gcc -g test.c using gcc 7.5.0 on openSUSE 15.2 in Windows Subsystem for Linux.

Guessing from the Valgrind results, it seems zzuf is attempting to fuzz read-only memory.

Versions:
zzuf version: e598eef
gcc version: gcc (SUSE Linux) 7.5.0
gdb version: GNU gdb (GDB; openSUSE Leap 15.2) 8.3.1
valgrind version: 3.15.0
uname: Linux 4.4.0-19041-Microsoft #488-Microsoft Mon Sep 01 13:43:00 PST 2020 x86_64 x86_64 x86_64 GNU/Linux
Windows version: Windows 10 2004 (OS Build 19041.630)

Debug output (zzuf --debug --debug ./a.out nathan):

** zzuf debug ** libzzuf initialised for PID 29860
** zzuf debug ** ... fuzz(3, @0, 0)
** zzuf debug ** ... after: stream([3], NULL + 0 "" + 0 "")
** zzuf debug ** fopen("/etc/passwd", "rme") = [3]
** zzuf debug ** ... before: stream([3], NULL + 0 "" + 0 "")
** zzuf debug ** ... fuzz(3, @0, 1)
** zzuf debug ** ... fuzz(3, @0, 765)
zzuf[s=0,r=0.004]: signal 11 (SIGSEGV)

gdb backtrace (gdb -ex "set follow-fork-mode child" -ex 'set pagination off' -ex 'run' -ex 'bt full' --args zzuf ./a.out nathan |& tee zzuf-backtrace ):

Thread 2.1 "a.out" received signal SIGSEGV, Segmentation fault.
[Switching to process 7714]
0x00007fffff13ee78 in _zz_fuzz (fd=3, buf=0x7fffff7ee000 "man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin\nmessagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false\nnobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash\nroot:x:0:0:root:/root:/b"..., len=765) at common/fuzz.c:168
168	            aligned_buf[j] = byte;
#0  0x00007fffff13ee78 in _zz_fuzz (fd=3, buf=0x7fffff7ee000 "man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin\nmessagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false\nnobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash\nroot:x:0:0:root:/root:/b"..., len=765) at common/fuzz.c:168
        byte = 108 'l'
        fuzzbyte = 2 '\002'
        j = 2
        start = 0
        stop = 765
        i = 0
        pos = 0
        aligned_buf = 0x7fffff7ee000 "man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin\nmessagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false\nnobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash\nroot:x:0:0:root:/root:/b"...
        fuzz = 0x7fffff3e76c0 <static_files+32>
#1  0x00007fffff13bd49 in fgets_unlocked (s=0x602290 "", size=1024, stream=0x6026a0) at libzzuf/lib-stream.c:874
        chr = 109
        newcnt = 764
        i = 0
        fd = 3
        oldpos = 0
        oldcnt = 0
        newpos = 1
        ret = 0x602290 ""
        __func__ = "fgets_unlocked"
#2  0x00007ffffe6139ee in _nss_compat_getpwnam_r () from /lib64/libnss_compat.so.2
No symbol table info available.
#3  0x00007ffffee385cf in getpwnam_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
No symbol table info available.
#4  0x0000000000400864 in main (argc=2, argv=0x7ffffffee168) at test.c:32
        pwd = {pw_name = 0x7ffffffee168 "\a\345\376\377\377\177", pw_passwd = 0x7ffffeb611d1 <dlopen@@GLIBC_2.2.5+65> "\205\300u+H\213D$\020H\213L$(dH3\f%(", pw_uid = 1, pw_gid = 0, pw_gecos = 0x40091d <__libc_csu_init+77> "H\203\303\001H9\335u\352H\203\304\b[]A\\A]A^A_\303ff.\017\037\204", pw_dir = 0x7fffff7e04f0 "", pw_shell = 0x0}
        result = 0x7
        buf = 0x602290 ""
        bufsize = 1024
        s = 0

Valgrind results (valgrind --trace-children=yes zzuf ./a.out nathan):

==7727== Process terminating with default action of signal 11 (SIGSEGV)
==7727==  Bad permissions for mapped region at address 0x4027002
==7727==    at 0x4E49E78: _zz_fuzz (fuzz.c:168)
==7727==    by 0x4E46D48: fgets_unlocked (lib-stream.c:874)
==7727==    by 0x5DF79ED: _nss_compat_getpwnam_r (in /lib64/libnss_compat-2.26.so)
==7727==    by 0x51C55CE: getpwnam_r@@GLIBC_2.2.5 (in /lib64/libc-2.26.so)
==7727==    by 0x400863: main (test.c:32)
==7727== 