dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2025-04-04 16:06:49 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Limit animdecoder_fuzzer to 320MB

Browse Source 
Change-Id: Ic139ea870b98c58a2ecf46e81844f647fa0d2aba
This commit is contained in:
Yannis Guyon 2024-02-15 10:16:54 +00:00
parent cbe825e4cc
commit 713982b883
1 changed files with 18 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
tests/fuzzer/animdecoder_fuzzer.cc
View File

@ -14,25 +14,34 @@
// //
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
#include "examples/anim_util.h" #include <cstddef>
#include "imageio/imageio_util.h" #include <cstdint>
#include "src/webp/demux.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { #include "imageio/imageio_util.h"
#include "src/webp/decode.h"
#include "src/webp/demux.h"
#include "src/webp/mux_types.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// WebPAnimDecoderGetInfo() is too late to check the canvas size as // WebPAnimDecoderGetInfo() is too late to check the canvas size as
// WebPAnimDecoderNew() will handle the allocations. // WebPAnimDecoderNew() will handle the allocations.
const size_t kMaxNumBytes = 2684354560; // RSS (resident set size) limit.
const size_t kMaxNumPixels = kMaxNumBytes / 4; // At most ARGB.
const size_t kMaxNumPixelsSafe = kMaxNumPixels / 2; // Allow one buffer copy.
WebPBitstreamFeatures features; WebPBitstreamFeatures features;
if (WebPGetFeatures(data, size, &features) == VP8_STATUS_OK) { if (WebPGetFeatures(data, size, &features) == VP8_STATUS_OK) {
if (!ImgIoUtilCheckSizeArgumentsOverflow(features.width * 4, if (!ImgIoUtilCheckSizeArgumentsOverflow(features.width * 4,
features.height)) { features.height) ||
static_cast<size_t>(features.width) * features.height >
kMaxNumPixelsSafe) {
return 0; return 0;
} }
} }
// decode everything as an animation // decode everything as an animation
WebPData webp_data = { data, size }; WebPData webp_data = {data, size};
WebPAnimDecoder* const dec = WebPAnimDecoderNew(&webp_data, NULL); WebPAnimDecoder* const dec = WebPAnimDecoderNew(&webp_data, nullptr);
if (dec == NULL) return 0; if (dec == nullptr) return 0;
WebPAnimInfo info; WebPAnimInfo info;
if (!WebPAnimDecoderGetInfo(dec, &info)) goto End; if (!WebPAnimDecoderGetInfo(dec, &info)) goto End;
@ -46,7 +55,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
int timestamp; int timestamp;
if (!WebPAnimDecoderGetNext(dec, &buf, &timestamp)) break; if (!WebPAnimDecoderGetNext(dec, &buf, &timestamp)) break;
} }
End: End:
WebPAnimDecoderDelete(dec); WebPAnimDecoderDelete(dec);
return 0; return 0;
} }