From 2bb28c347bcafc2fb5ad3e7782220e31048cc81d Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Wed, 23 Aug 2017 23:48:01 -0700
Subject: Limit pdf_codec_jbig2_fuzzer memory usage.

BUG=chromium:749610
Change-Id: Ia83558568293398c72b7215e9b3fe4e4df6f969a
Reviewed-on: https://pdfium-review.googlesource.com/11931
Commit-Queue: dsinclair
Reviewed-by: Henrique Nakashima
Reviewed-by: dsinclair
---
 testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc b/testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc
index 9378141ffa..9a2ebd2e32 100644
--- a/testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc
+++ b/testing/libfuzzer/pdf_codec_jbig2_fuzzer.cc
@@ -9,6 +9,7 @@
 #include "core/fxcodec/JBig2_DocumentContext.h"
 #include "core/fxcodec/codec/ccodec_jbig2module.h"
 #include "core/fxcodec/jbig2/JBig2_Context.h"
+#include "core/fxcrt/fx_safe_types.h"
 #include "core/fxge/dib/cfx_dibitmap.h"
 #include "core/fxge/fx_dib.h"
 #include "third_party/base/ptr_util.h"
@@ -27,6 +28,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   size -= kParameterSize;
   data += kParameterSize;
 
+  static constexpr uint32_t kMemLimit = 1024 * 1024 * 1024;  // 1 GB.
+  static constexpr uint32_t k1bppRgbComponents = 4;  // From CFX_DIBitmap impl.
+  FX_SAFE_UINT32 mem = width;
+  mem *= height;
+  mem *= k1bppRgbComponents;
+  if (!mem.IsValid() || mem.ValueOrDie() > kMemLimit)
+    return 0;
+
   auto bitmap = pdfium::MakeRetain();
   if (!bitmap->Create(width, height, FXDIB_1bppRgb))
     return 0;
-- 
cgit v1.2.3
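Review bot: The new cap in the second hunk is only as good as the match between `k1bppRgbComponents = 4` and what `CFX_DIBitmap::Create` really allocates for `FXDIB_1bppRgb`, and the comment "From CFX_DIBitmap impl." does not say which computation it mirrors, so a later change to the bitmap's pitch/size arithmetic would silently loosen the limit (bringing the chromium:749610 OOM back) or tighten it (rejecting inputs the decoder would accept). A comment that names the dependency would make the maintenance contract explicit, e.g. `// Upper bound on the bytes CFX_DIBitmap::Create allocates for an FXDIB_1bppRgb surface; keep in sync with its pitch/size computation.` As a point of style, the two constants could be plain `constexpr` at namespace scope next to wherever `kParameterSize` is declared rather than function-local `static constexpr`, which is the usual shape for fuzzer tunables in this tree. `LLVMFuzzerTestOneInput` begins before this hunk, so where `width` and `height` come from is not visible here; the check itself is sound in that the safe-integer product is validated before `ValueOrDie()` and before `Create` is reached.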