From cb1634dd31866bdb6cf3554bbc87e01f87f49f25 Mon Sep 17 00:00:00 2001
From: John Cupitt
Date: Sat, 25 Jul 2020 14:46:44 +0100
Subject: [PATCH] block fuzz data over 100kb

Many codecs can take a huge amount of time attempting to read large random objects. jpeg_read_header(), for example, can take ~10s on a 1mb of random data. Ignore fuzz objects over 100kb. See https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24383
---
 fuzz/jpegsave_buffer_fuzzer.cc | 3 +++
 fuzz/jpegsave_file_fuzzer.cc | 3 +++
 fuzz/mosaic_fuzzer.cc | 3 +++
 fuzz/pngsave_buffer_fuzzer.cc | 3 +++
 fuzz/sharpen_fuzzer.cc | 3 +++
 fuzz/smartcrop_fuzzer.cc | 3 +++
 fuzz/thumbnail_fuzzer.cc | 3 +++
 fuzz/webpsave_buffer_fuzzer.cc | 3 +++
 8 files changed, 24 insertions(+)

diff --git a/fuzz/jpegsave_buffer_fuzzer.cc b/fuzz/jpegsave_buffer_fuzzer.cc
index 6c7a5fdf..5f095792 100644
--- a/fuzz/jpegsave_buffer_fuzzer.cc
+++ b/fuzz/jpegsave_buffer_fuzzer.cc
@@ -14,6 +14,9 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 void *buf;
 size_t len;
+ if( size > 100 * 1024 * 1024 )
+ return( 0 );
+
 if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) )
 return( 0 );
diff --git a/fuzz/jpegsave_file_fuzzer.cc b/fuzz/jpegsave_file_fuzzer.cc
index 7b31fedc..8d53ca03 100644
--- a/fuzz/jpegsave_file_fuzzer.cc
+++ b/fuzz/jpegsave_file_fuzzer.cc
@@ -42,6 +42,9 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 {
 char *name;
+ if( size > 100 * 1024 * 1024 )
+ return( 0 );
+
 if( !(name = vips__temp_name( "%s" )) )
 return( 0 );
diff --git a/fuzz/mosaic_fuzzer.cc b/fuzz/mosaic_fuzzer.cc
index 7f3c82b8..913f0ca2 100644
--- a/fuzz/mosaic_fuzzer.cc
+++ b/fuzz/mosaic_fuzzer.cc
@@ -25,6 +25,9 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 if( size < sizeof( struct mosaic_opt ) )
 return( 0 );
+ if( size > 100 * 1024 * 1024 )
+ return( 0 );
+
 if( !(ref = vips_image_new_from_buffer( data, size, "", NULL )) )
 return( 0 );
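Review bot: The guard added to jpegsave_buffer_fuzzer.cc compares `size` against `100 * 1024 * 1024`, which is 100 MiB, while the subject line and the description say inputs over 100 KB are to be ignored; at this threshold the ~10 s, 1 MB random-input case the description cites still reaches the codec, so the slow-unit problem is not actually mitigated. The same literal is repeated in jpegsave_file_fuzzer.cc, mosaic_fuzzer.cc, pngsave_buffer_fuzzer.cc, sharpen_fuzzer.cc, smartcrop_fuzzer.cc, thumbnail_fuzzer.cc and webpsave_buffer_fuzzer.cc. Suggest `if( size > 100 * 1024 )` with a comment such as `/* cap fuzz inputs at 100 KiB: large random blobs make codecs (eg. jpeg_read_header) take seconds */`, preferably through one shared constant so the eight harnesses cannot drift apart again; libFuzzer's `-max_len` option bounds input size the same way from the harness options. LLVMFuzzerTestOneInput's body continues outside each hunk.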
diff --git a/fuzz/pngsave_buffer_fuzzer.cc b/fuzz/pngsave_buffer_fuzzer.cc
index 099c5d41..b0fec7cd 100644
--- a/fuzz/pngsave_buffer_fuzzer.cc
+++ b/fuzz/pngsave_buffer_fuzzer.cc
@@ -14,6 +14,9 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 void *buf;
 size_t len;
+ if( size > 100 * 1024 * 1024 )
+ return( 0 );
+
 if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) )
 return( 0 );
diff --git a/fuzz/sharpen_fuzzer.cc b/fuzz/sharpen_fuzzer.cc
index fffb1d0a..4dde781f 100644
--- a/fuzz/sharpen_fuzzer.cc
+++ b/fuzz/sharpen_fuzzer.cc
@@ -13,6 +13,9 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 VipsImage *image, *out;
 double d;
+ if( size > 100 * 1024 * 1024 )
+ return( 0 );
+
 if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) )
 return( 0 );
diff --git a/fuzz/smartcrop_fuzzer.cc b/fuzz/smartcrop_fuzzer.cc
index 06828b10..af919cbf 100644
--- a/fuzz/smartcrop_fuzzer.cc
+++ b/fuzz/smartcrop_fuzzer.cc
@@ -13,6 +13,9 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 VipsImage *image, *out;
 double d;
+ if( size > 100 * 1024 * 1024 )
+ return( 0 );
+
 if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) )
 return( 0 );
diff --git a/fuzz/thumbnail_fuzzer.cc b/fuzz/thumbnail_fuzzer.cc
index 8a21edac..de4a52c3 100644
--- a/fuzz/thumbnail_fuzzer.cc
+++ b/fuzz/thumbnail_fuzzer.cc
@@ -13,6 +13,9 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 VipsImage *image, *out;
 double d;
+ if( size > 100 * 1024 * 1024 )
+ return( 0 );
+
 if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) )
 return( 0 );
diff --git a/fuzz/webpsave_buffer_fuzzer.cc b/fuzz/webpsave_buffer_fuzzer.cc
index 931645c2..d5ae3f60 100644
--- a/fuzz/webpsave_buffer_fuzzer.cc
+++ b/fuzz/webpsave_buffer_fuzzer.cc
@@ -14,6 +14,9 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 void *buf;
 size_t len;
+ if( size > 100 * 1024 * 1024 )
+ return( 0 );
+
 if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) )
 return( 0 );