ofz#11104 for timeouts, limit decompression ratios when fuzzing

Change-Id: If9efe56a40a866269a06ce944885a324495af48a
Reviewed-on: https://gerrit.libreoffice.org/67036
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>

filter/source/graphicfilter/itiff/itiff.cxx

@@ -547,8 +547,8 @@ sal_uInt8* TIFFReader::getMapData(sal_uInt32 np)
 
 bool TIFFReader::ReadMap()
 {
-    //when fuzzing with a max len set, max decompress to 2000 times that limit
-    static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 2000; }(std::getenv("FUZZ_MAX_INPUT_LEN"));
+    //when fuzzing with a max len set, max decompress to 250 times that limit
+    static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 250; }(std::getenv("FUZZ_MAX_INPUT_LEN"));
     size_t nTotalDataRead = 0;
 
     if ( nCompression == 1 || nCompression == 32771 )

vcl/source/gdi/pngread.cxx

@@ -900,6 +900,10 @@ sal_uInt8 PNGReaderImpl::ImplScaleColor()
 
 void PNGReaderImpl::ImplReadIDAT()
 {
+    //when fuzzing with a max len set, max decompress to 250 times that limit
+    static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 250; }(std::getenv("FUZZ_MAX_INPUT_LEN"));
+    size_t nTotalDataRead = 0;
+
     if( mnChunkLen > 0 )
     {
         mbIDATStarted = true;
@@ -922,6 +926,12 @@ void PNGReaderImpl::ImplReadIDAT()
                 mbStatus = false;
                 break;
             }
+            nTotalDataRead += nRead;
+            if (nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression)
+            {
+                mbStatus = false;
+                break;
+            }
             if ( nRead < nToRead )
             {
                 mpScanCurrent += nRead; // more ZStream data in the next IDAT chunk