author | Lei Zhang <thestig@chromium.org> | 2017-08-23 15:33:07 -0700 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-08-28 16:16:38 +0000 |
commit | b0860beccd6a4a8d9f8ea3dbba392a3a13218ad3 (patch) | |
tree | 50440c358f683e1bd5b1981981ca3defa8a602cc /testing/libfuzzer/pdf_jpx_fuzzer.cc | |
parent | 41799881d04a01168700558ff394962b3b318b46 (diff) | |
download | pdfium-b0860beccd6a4a8d9f8ea3dbba392a3a13218ad3.tar.xz |
Limit pdf_jpx_fuzzer memory usage.
BUG=chromium:738711
Change-Id: I4a308694c3e6fcd17431515b7897969d54486071
Reviewed-on: https://pdfium-review.googlesource.com/11870
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'testing/libfuzzer/pdf_jpx_fuzzer.cc')
-rw-r--r-- | testing/libfuzzer/pdf_jpx_fuzzer.cc | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/testing/libfuzzer/pdf_jpx_fuzzer.cc b/testing/libfuzzer/pdf_jpx_fuzzer.cc
index b48c14068c..88d82abb80 100644
--- a/testing/libfuzzer/pdf_jpx_fuzzer.cc
+++ b/testing/libfuzzer/pdf_jpx_fuzzer.cc
@@ -8,6 +8,7 @@
 #include "core/fxcodec/codec/cjpx_decoder.h"
 #include "core/fxcodec/codec/codec_int.h"
+#include "core/fxcrt/fx_safe_types.h"
 #include "core/fxge/dib/cfx_dibitmap.h"
 #include "core/fxge/fx_dib.h"
@@ -24,6 +25,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   uint32_t components;
   g_module.GetImageInfo(decoder.get(), &width, &height, &components);
+  static constexpr uint32_t kMemLimit = 1024 * 1024 * 1024;  // 1 GB.
+  FX_SAFE_UINT32 mem = width;
+  mem *= height;
+  mem *= components;
+  if (!mem.IsValid() || mem.ValueOrDie() > kMemLimit)
+    return 0;
+
   FXDIB_Format format;
   if (components == 1) {
     format = FXDIB_8bppRgb; |
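Review bot: The new guard bounds `width * height * components`, which only approximates the final bitmap's byte size (one byte per sample, no row padding) and does not account for whatever working buffers the JPX decoder itself allocates during the decode that follows, so peak RSS can still exceed `kMemLimit` by some multiple; if the goal is to stay under the fuzzer's RSS limit, the constant should be sized with that headroom in mind or the bound should be derived from the chosen `FXDIB_Format` pitch once it is known. The overflow handling is correct as written, since `IsValid()` is checked before `ValueOrDie()`, though `mem.ValueOrDefault(kMemLimit + 1) > kMemLimit` would express both conditions in one call. At minimum the constant deserves a comment stating what it approximates, e.g. `// Upper bound on width * height * components; a rough proxy for the decoded bitmap size in bytes, not counting the decoder's own buffers.` The enclosing `LLVMFuzzerTestOneInput` starts and ends outside this hunk, so whether `components` values other than 1 are rejected before a bitmap is created cannot be confirmed from here.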