From e053e0fd169a62ce36b33e37b8ed6a1d29a77630 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Thu, 30 Nov 2017 15:09:52 +0000
Subject: Reduce memory limit of PDF XFA fuzzers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CFX_DIBitmap::Create does an allocation of size roughly 4*width*height
even in xfa_codec_fuzzer.h. This CL fixes the memory limit accordingly.

Bug: 789359
Change-Id: Ib5cbd08510ecacb2fbd22cb23394d24a86110bc5
Reviewed-on: https://pdfium-review.googlesource.com/19890
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
---
 testing/libfuzzer/xfa_codec_fuzzer.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/testing/libfuzzer/xfa_codec_fuzzer.h b/testing/libfuzzer/xfa_codec_fuzzer.h
index 90706af9f4..0ab7834f1e 100644
--- a/testing/libfuzzer/xfa_codec_fuzzer.h
+++ b/testing/libfuzzer/xfa_codec_fuzzer.h
@@ -38,9 +38,13 @@ class XFACodecFuzzer {
 
     // Skipping very large images, since they will take a long time and may lead
     // to OOM.
-    if (decoder->GetHeight() != 0 &&
-        decoder->GetWidth() > kXFACodecFuzzerPixelLimit / decoder->GetHeight())
+    FX_SAFE_UINT32 bitmap_size = decoder->GetHeight();
+    bitmap_size *= decoder->GetWidth();
+    bitmap_size *= 4;  // From CFX_DIBitmap impl.
+    if (!bitmap_size.IsValid() ||
+        bitmap_size.ValueOrDie() > kXFACodecFuzzerPixelLimit) {
       return 0;
+    }
 
     auto bitmap = pdfium::MakeRetain<CFX_DIBitmap>();
     bitmap->Create(decoder->GetWidth(), decoder->GetHeight(), FXDIB_Argb);
-- 
cgit v1.2.3