for ~perfect compression link fuzzer input limit to an output limit

Change-Id: I30c3a0b75c818b55f6e73fdb68bf59fdac249d0e Reviewed-on: https://gerrit.libreoffice.org/49606Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>

for ~perfect compression link fuzzer input limit to an output limit
Change-Id: I30c3a0b75c818b55f6e73fdb68bf59fdac249d0e Reviewed-on: https://gerrit.libreoffice.org/49606Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
76c58b1c · Caolán McNamara · 4c925efc · 76c58b1c · 76c58b1c
Kaydet (Commit) 76c58b1c authored Şub 12, 2018 tarafından Caolán McNamara
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 0 deletions

itiff.cxx filter/source/graphicfilter/itiff/itiff.cxx +12 -0

commonfuzzer.hxx vcl/workben/commonfuzzer.hxx +9 -0

No files found.
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -513,6 +513,10 @@ sal_uInt8* TIFFReader::getMapData(sal_uInt32 np)

 bool TIFFReader::ReadMap()
 {
+    //when fuzzing with a max len set, max decompress to 2000 times that limit
+    static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 2000; }(std::getenv("FUZZ_MAX_INPUT_LEN"));
+    size_t nTotalDataRead = 0;
+
    if ( nCompression == 1 || nCompression == 32771 )
    {
        sal_uInt32 nStripBytesPerRow;
@@ -603,6 +607,9 @@ bool TIFFReader::ReadMap()
                bDifferentToPrev |= !aResult.m_bBufferUnchanged;
                if ( pTIFF->GetError() )
                    return false;
+                nTotalDataRead += nBytesPerRow;
+                if (nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression)
+                    return false;
            }
            if (!bDifferentToPrev)
            {
@@ -645,6 +652,11 @@ bool TIFFReader::ReadMap()
                if ( ( aLZWDecom.Decompress(getMapData(np), nBytesPerRow) != nBytesPerRow ) || pTIFF->GetError() )
                    return false;
            }
+
+            nTotalDataRead += nBytesPerRow;
+            if (nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression)
+                return false;
+
            if ( !ConvertScanline( ny ) )
                return false;
        }

--- a/vcl/workben/commonfuzzer.hxx
+++ b/vcl/workben/commonfuzzer.hxx
@@ -87,6 +87,15 @@ void CommonInitialize(int *argc, char ***argv)
    setenv("SAL_DISABLE_DEFAULTPRINTER", "1", 1);
    setenv("SAL_NO_FONT_LOOKUP", "1", 1);

+    //allow bubbling of max input len to fuzzer targets
+    int nMaxLen = 0;
+    for (int i = 0; i < *argc; ++i)
+    {
+        if (strncmp((*argv)[i], "-max_len=", 9) == 0)
+            nMaxLen = atoi((*argv)[i] + 9);
+    }
+    setenv("FUZZ_MAX_INPUT_LEN", "1", nMaxLen);
+
    osl_setCommandArgs(*argc, *argv);

    OUString sExecDir = getExecutableDir();