From b6e0117285a918f4f2f3a350b8a648d2247d3d8e Mon Sep 17 00:00:00 2001
From: Ryan Harrison
Date: Wed, 20 Jun 2018 13:43:04 +0000
Subject: Add in a size guard to JPX fuzzer

Setting an upper limit to the size of images being processed in the JPX fuzzer to reduce timeouts due to images just being really big. Also cleaned the types for passing pitch down to reduce the signedness conversions.

BUG=chromium:834561
Change-Id: I28b7a2537a922ed7a9ca2f8ed049ae78dd471f49
Reviewed-on: https://pdfium-review.googlesource.com/35570
Reviewed-by: Henrique Nakashima
Commit-Queue: Ryan Harrison
---
 testing/fuzzers/pdf_jpx_fuzzer.cc | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'testing')

diff --git a/testing/fuzzers/pdf_jpx_fuzzer.cc b/testing/fuzzers/pdf_jpx_fuzzer.cc
index da65bc2d9a..b74957bb14 100644
--- a/testing/fuzzers/pdf_jpx_fuzzer.cc
+++ b/testing/fuzzers/pdf_jpx_fuzzer.cc
@@ -14,6 +14,10 @@
 CCodec_JpxModule g_module;
 
+namespace {
+const uint32_t kMaxJPXFuzzSize = 100 * 1024 * 1024;  // 100 MB
+}  // namespace
+
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   std::unique_ptr decoder = g_module.CreateDecoder(data, size, nullptr);
@@ -47,6 +51,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   if (!bitmap->Create(width, height, format))
     return 0;
 
+  if (bitmap->GetHeight() <= 0 ||
+      kMaxJPXFuzzSize / bitmap->GetPitch() <
+          static_cast(bitmap->GetHeight()))
+    return 0;
+
   std::vector output_offsets(components);
   for (uint32_t i = 0; i < components; ++i)
     output_offsets[i] = i;
-- 
cgit v1.2.3
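Review bot: The new guard in the second hunk divides by `bitmap->GetPitch()` without first checking that it is non-zero; if a successful `Create()` can still produce a zero pitch (for instance for a zero-width bitmap), that division is undefined behaviour and the fuzzer would report the guard itself rather than the decoder. Extending the same condition is enough: `if (bitmap->GetHeight() <= 0 || bitmap->GetPitch() == 0 ||`. Because the check runs after `Create()`, the pixel buffer for an oversized image has already been allocated, so the cap bounds decode time rather than peak memory; if memory is also a concern, the same bound could be computed from width, height and format before `Create()` is called. The target type of the `static_cast` is not visible on this page, so the signedness of the comparison cannot be confirmed here. LLVMFuzzerTestOneInput starts in the first hunk and its body continues past the end of the second.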