OSS-Fuzz: Check img size b4 readers allocate mem
After the completion of the start_input() method, it's too late to check the image size, because the image readers may have already tried to allocate memory for the image. If the width and height are excessively large, then attempting to allocate memory for the image could slow performance or lead to out-of-memory errors prior to the fuzz target checking the image size. NOTE: Specifically, the aforementioned OOM errors and slow units were observed with the compression fuzz targets when using MSan.
This commit is contained in:
DRC
7
cjpeg.c
7
cjpeg.c
@@ -690,6 +690,9 @@ main(int argc, char **argv)
|
||||
/* Figure out the input file format, and set up to read it. */
|
||||
src_mgr = select_file_type(&cinfo, input_file);
|
||||
src_mgr->input_file = input_file;
|
||||
#ifdef CJPEG_FUZZER
|
||||
src_mgr->max_pixels = 1048576;
|
||||
#endif
|
||||
|
||||
/* Read the input file header to obtain file size & colorspace. */
|
||||
(*src_mgr->start_input) (&cinfo, src_mgr);
|
||||
@@ -709,9 +712,7 @@ main(int argc, char **argv)
|
||||
jpeg_stdio_dest(&cinfo, output_file);
|
||||
|
||||
#ifdef CJPEG_FUZZER
|
||||
if (cinfo.image_width < 1 || cinfo.image_height < 1 ||
|
||||
(unsigned long long)cinfo.image_width * cinfo.image_height > 1048576 ||
|
||||
setjmp(myerr.setjmp_buffer))
|
||||
if (setjmp(myerr.setjmp_buffer))
|
||||
HANDLE_ERROR()
|
||||
#endif
|
||||
|
||||
|
||||
Reference in New Issue
Block a user