filter/source/graphicfilter/itiff/itiff.cxx | 12 ++++++++++++ vcl/source/filter/jpeg/jpegc.cxx | 9 ++++++--- vcl/workben/commonfuzzer.hxx | 9 +++++++++ 3 files changed, 27 insertions(+), 3 deletions(-)
New commits: commit 10b6a2b2d6a5cb938ead02cba2fa03f748c5f63c Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 12 14:17:30 2018 +0000 give up on recoverable errors earlier when fuzzing Change-Id: I10b06a977f77c0802cbf5a1db33671ba1db69ba9 Reviewed-on: https://gerrit.libreoffice.org/49601 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/vcl/source/filter/jpeg/jpegc.cxx b/vcl/source/filter/jpeg/jpegc.cxx
index ddb5075fd817..8a8ea3707379 100644
--- a/vcl/source/filter/jpeg/jpegc.cxx
+++ b/vcl/source/filter/jpeg/jpegc.cxx
@@ -39,8 +39,6 @@ extern "C" {
 #include <vcl/bitmapaccess.hxx>
 #include <vcl/graphicfilter.hxx>
 
-#define WarningLimit 1000
-
 #ifdef _MSC_VER
 #pragma warning(push)
 #pragma warning (disable: 4324) /* disable to __declspec(align()) aligned warning */
@@ -72,6 +70,11 @@ extern "C" void outputMessage (j_common_ptr cinfo)
 SAL_WARN("vcl.filter", "failure reading JPEG: " << buffer);
 }
 
+static int GetWarningLimit()
+{
+ return utl::ConfigManager::IsFuzzing() ? 100 : 1000;
+}
+
 extern "C" void emitMessage (j_common_ptr cinfo, int msg_level)
 {
 if (msg_level < 0)
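Review bot: GetWarningLimit() carries no comment explaining why the cap drops to 100 under fuzzing, and the context comment in the following emitMessage hunk still describes a fixed limit of 1000. I would add `// when fuzzing, give up sooner on inputs that only ever raise recoverable warnings` above the function and reword the emitMessage comment to refer to GetWarningLimit() instead of the literal. The switch from `num_warnings++ >` to `++num_warnings >` in that hunk also moves the bail-out one warning earlier; that looks intentional but is not mentioned anywhere. emitMessage's body continues outside both hunks.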
@@ -80,7 +83,7 @@ extern "C" void emitMessage (j_common_ptr cinfo, int msg_level)
 // reasonable limit (initially using ImageMagick's current limit of
 // 1000), then bail.
 // https://libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
- if (cinfo->err->num_warnings++ > WarningLimit)
+ if (++cinfo->err->num_warnings > GetWarningLimit())
 cinfo->err->error_exit(cinfo);
 else
 cinfo->err->output_message(cinfo);
commit 76c58b1cfbe2ab41b8e33d40953341410be7db96 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 12 15:20:03 2018 +0000 for ~perfect compression link fuzzer input limit to an output limit Change-Id: I30c3a0b75c818b55f6e73fdb68bf59fdac249d0e Reviewed-on: https://gerrit.libreoffice.org/49606 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 6e7bb2461eac..0449cdff7e2b 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -513,6 +513,10 @@ sal_uInt8* TIFFReader::getMapData(sal_uInt32 np)
 
 bool TIFFReader::ReadMap()
 {
+ //when fuzzing with a max len set, max decompress to 2000 times that limit
+ static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 2000; }(std::getenv("FUZZ_MAX_INPUT_LEN"));
+ size_t nTotalDataRead = 0;
+
 if ( nCompression == 1 || nCompression == 32771 )
 {
 sal_uInt32 nStripBytesPerRow;
@@ -603,6 +607,9 @@ bool TIFFReader::ReadMap()
 bDifferentToPrev |= !aResult.m_bBufferUnchanged;
 if ( pTIFF->GetError() )
 return false;
+ nTotalDataRead += nBytesPerRow;
+ if (nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression)
+ return false;
 }
 if (!bDifferentToPrev)
 {
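Review bot: The decompression cap added at the top of ReadMap() is switched on by the `FUZZ_MAX_INPUT_LEN` environment variable alone, so any non-fuzzing process that inherits that variable would silently reject TIFFs that expand past the cap. Also gating it on the fuzzing mode, as the jpegc.cxx change in this series does with `utl::ConfigManager::IsFuzzing()`, would confine the cap to fuzzing runs, assuming that helper is reachable from this file. The parse is also loose: `std::atoi` returns int, so a negative value converts to a very large `size_t`, and `nRet * 2000` can wrap where `size_t` is 32 bits. Something like `const int n = pEnv ? std::atoi(pEnv) : 0; return n > 0 ? static_cast<size_t>(n) * 2000 : 0;` handles the sign. ReadMap() continues outside the hunk, and the same three-line check is repeated in the -603 and -645 hunks, where a small helper would avoid the duplication.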
@@ -645,6 +652,11 @@ bool TIFFReader::ReadMap()
 if ( ( aLZWDecom.Decompress(getMapData(np), nBytesPerRow) != nBytesPerRow ) || pTIFF->GetError() )
 return false;
 }
+
+ nTotalDataRead += nBytesPerRow;
+ if (nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression)
+ return false;
+
 if ( !ConvertScanline( ny ) )
 return false;
 }
diff --git a/vcl/workben/commonfuzzer.hxx b/vcl/workben/commonfuzzer.hxx
index 9b6f5728572c..cc4830fa5990 100644
--- a/vcl/workben/commonfuzzer.hxx
+++ b/vcl/workben/commonfuzzer.hxx
@@ -87,6 +87,15 @@ void CommonInitialize(int *argc, char ***argv)
 setenv("SAL_DISABLE_DEFAULTPRINTER", "1", 1);
 setenv("SAL_NO_FONT_LOOKUP", "1", 1);
 
+ //allow bubbling of max input len to fuzzer targets
+ int nMaxLen = 0;
+ for (int i = 0; i < *argc; ++i)
+ {
+ if (strncmp((*argv)[i], "-max_len=", 9) == 0)
+ nMaxLen = atoi((*argv)[i] + 9);
+ }
+ setenv("FUZZ_MAX_INPUT_LEN", "1", nMaxLen);
+
 osl_setCommandArgs(*argc, *argv);
 
 OUString sExecDir = getExecutableDir();
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
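Review bot: `setenv("FUZZ_MAX_INPUT_LEN", "1", nMaxLen);` in the commonfuzzer.hxx hunk passes the literal "1" as the value and the parsed length as the overwrite flag, so the variable is exported as "1" whatever `-max_len=` was given. It is also created when the option is absent and the variable is not already set. Given the `* 2000` in the itiff.cxx reader from this same commit, that makes the TIFF decompression cap 2000 bytes on every run rather than 2000 times the fuzzer's input limit. The call should format the number and export it only when one was supplied, e.g. `if (nMaxLen > 0) setenv("FUZZ_MAX_INPUT_LEN", std::to_string(nMaxLen).c_str(), 1);` (or the project's own number-to-string helper, if that header is not available here). CommonInitialize's body continues outside the hunk.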