From 1ff78b877f0138064f0a0513267e8355affd4be8 Mon Sep 17 00:00:00 2001 From: Eugene Kliuchnikov Date: Fri, 10 Mar 2017 16:01:49 +0100 Subject: [PATCH] Prevent fuzzer timeouts on compression-bomb samples (#522) * Prevent fuzzer timeouts on compression-bomb samples. * Fix fuzzer lanucher --- fuzz/decode_fuzzer.cc | 10 +++++++++- fuzz/test_fuzzer.sh | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/fuzz/decode_fuzzer.cc b/fuzz/decode_fuzzer.cc index 36ae937..60c6f8e 100644 --- a/fuzz/decode_fuzzer.cc +++ b/fuzz/decode_fuzzer.cc @@ -16,6 +16,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { const int kBufferSize = 1024; uint8_t* buffer = new uint8_t[kBufferSize]; + /* The biggest "magic number" in brotli is 16MiB - 16, so no need to check + the cases with much longer output. */ + const size_t total_out_limit = (addend == 0) ? (1 << 26) : (1 << 24); + size_t total_out = 0; + BrotliDecoderState* state = BrotliDecoderCreateInstance(0, 0, 0); if (addend == 0) @@ -31,10 +36,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { while (result == BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT) { size_t avail_out = kBufferSize; uint8_t* next_out = buffer; - size_t total_out; result = BrotliDecoderDecompressStream( state, &avail_in, &next_in, &avail_out, &next_out, &total_out); + if (total_out > total_out_limit) + break; } + if (total_out > total_out_limit) + break; if (result != BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT) break; } diff --git a/fuzz/test_fuzzer.sh b/fuzz/test_fuzzer.sh index 393482b..8266fde 100755 --- a/fuzz/test_fuzzer.sh +++ b/fuzz/test_fuzzer.sh @@ -17,7 +17,7 @@ ar rvs decode_fuzzer.a decode_fuzzer.o c++ ../fuzz/run_decode_fuzzer.cc -o run_decode_fuzzer -lasan decode_fuzzer.a ./libbrotlidec.a ./libbrotlicommon.a mkdir decode_corpora -unzip ../java/integration/fuzz_data.zip -d decode_corpora +unzip ../java/org/brotli/integration/fuzz_data.zip -d decode_corpora for f in `ls decode_corpora` do
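Review bot: The comment introduced above `total_out_limit` says brotli's largest magic number is 16 MiB - 16, yet the budget it justifies is 64 MiB (`1 << 26`) when `addend == 0` and 16 MiB (`1 << 24`) otherwise, and nothing in the hunk explains the 4x gap or why the two paths get different caps. Presumably the `addend == 0` branch (its body is outside this hunk) feeds the whole input in one call and is cheap enough per output byte to afford the larger cap while the chunked path is the one that times out; if so, say it, e.g. `/* Harness time budget, not a decoder invariant: 64 MiB on the single-shot path, 16 MiB on the slow chunked path, both above brotli's largest magic number (16 MiB - 16). */`. Stating that this is a fuzzer budget rather than a correctness bound also tells a later reader that a stream legitimately exceeding it is not a decoder bug. LLVMFuzzerTestOneInput begins and ends outside this hunk.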
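Review bot: The budget is tested twice on the new side, once inside the inner `while` and again immediately after it, because the inner break leaves `result` as whatever the last call returned, which may be `BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT`, so the existing `result` test alone would not stop the outer loop. Folding the limit into the loop condition and the post-loop test expresses that in one place: `while (result == BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT && total_out <= total_out_limit) {` and, after the loop, `if (total_out > total_out_limit || result != BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT) break;`. Whichever shape is kept, a comment at the break such as `/* Compression bomb: output budget exhausted, stop without treating it as an error. */` is worth adding, since a bare silent exit otherwise reads like a skipped error path. Note that `total_out` is now a single function-scope accumulator instead of the per-iteration uninitialized local the hunk removes, which is what makes the comparison meaningful; the breaks leave the decoder mid-stream and rely on the teardown of `state` and `buffer` that presumably follows the outer loop, outside this hunk.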