[wasm][fuzzer] Enforce input size limit

The "max_len" argument for fuzzer targets is deprecated. We need to enforce the limit internally. R=ahaas@chromium.org Bug: chromium:894939 Change-Id: I2206bc63d5e39f1aa189e11042a6a0bbcca31b0d Reviewed-on: https://chromium-review.googlesource.com/c/1299020 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#56998}
2018-10-25 16:24:01 +02:00 · 2018-10-25 16:24:01 +02:00 · 267e6b0cb7
commit 267e6b0cb7
parent 9fa085e59a
2 changed files with 7 additions and 0 deletions
--- a/test/fuzzer/wasm-fuzzer-common.cc
+++ b/test/fuzzer/wasm-fuzzer-common.cc
@ -251,6 +251,11 @@ void GenerateTestCase(Isolate* isolate, ModuleWireBytes wire_bytes,

 int WasmExecutionFuzzer::FuzzWasmModule(Vector<const uint8_t> data,
                                        bool require_valid) {
+  // Strictly enforce the input size limit. Note that setting "max_len" on the
+  // fuzzer target is not enough, since different fuzzers are used and not all
+  // respect that limit.
+  if (data.size() > max_input_size()) return 0;
+
  v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
  v8::Isolate* isolate = support->GetIsolate();
  i::Isolate* i_isolate = reinterpret_cast<Isolate*>(isolate);
--- a/test/fuzzer/wasm-fuzzer-common.h
+++ b/test/fuzzer/wasm-fuzzer-common.h
@ -34,6 +34,8 @@ class WasmExecutionFuzzer {
  virtual ~WasmExecutionFuzzer() = default;
  int FuzzWasmModule(Vector<const uint8_t> data, bool require_valid = false);

+  virtual size_t max_input_size() const { return 512; }
+
 protected:
  virtual bool GenerateModule(
      Isolate* isolate, Zone* zone, Vector<const uint8_t> data,