OSS-Fuzz: Check img size b4 readers allocate mem

After the completion of the start_input() method, it's too late to check
the image size, because the image readers may have already tried to
allocate memory for the image.  If the width and height are excessively
large, then attempting to allocate memory for the image could slow
performance or lead to out-of-memory errors prior to the fuzz target
checking the image size.

NOTE: Specifically, the aforementioned OOM errors and slow units were
observed with the compression fuzz targets when using MSan.
DRC
2021-04-15 19:03:53 -05:00
parent 3ab3234875
commit 171b875b27
7 changed files with 50 additions and 15 deletions


@@ -2092,22 +2092,17 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
THROWG("tjLoadImage(): Unsupported file type");
src->input_file = file;
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/* Ignore images larger than 1 Megapixel when fuzzing. */
if (flags & TJFLAG_FUZZING)
src->max_pixels = 1048576;
#endif
(*src->start_input) (cinfo, src);
(*cinfo->mem->realize_virt_arrays) ((j_common_ptr)cinfo);
*width = cinfo->image_width; *height = cinfo->image_height;
*pixelFormat = cs2pf[cinfo->in_color_space];
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/* Ignore 0-pixel images and images larger than 1 Megapixel when fuzzing.
Casting *width to (unsigned long long) prevents integer overflow if
(*width) * (*height) > INT_MAX. */
if (flags & TJFLAG_FUZZING &&
(*width < 1 || *height < 1 ||
(unsigned long long)(*width) * (*height) > 1048576))
THROWG("tjLoadImage(): Uncompressed image is too large");
#endif
pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
if ((unsigned long long)pitch * (unsigned long long)(*height) >
(unsigned long long)((size_t)-1) ||
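Review bot: the guard deleted after `(*src->start_input) (cinfo, src);` rejected zero-sized images (`*width < 1 || *height < 1`) as well as oversized ones, but the replacement only sets `src->max_pixels = 1048576;` before `start_input()`, so unless the readers' enforcement of `max_pixels` also rejects a 0-pixel image, that case is no longer covered here and the following `pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);` runs on a zero-dimension image. The reader-side check is not visible in this hunk, so please confirm that it runs before any per-image allocation (the stated purpose of the change) and that it compares `width * height` against `max_pixels` with the same widening cast to `unsigned long long` that the removed comment explains, since otherwise the `(*width) * (*height) > INT_MAX` overflow that comment guarded against comes back. A short comment at the `src->max_pixels = 1048576;` site stating that the readers enforce the limit before allocating would make the moved check easier to follow.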