From bd38fe17b88d63245832978286f2fe12c9ed6de7 Mon Sep 17 00:00:00 2001
From: Christopher Thompson <cthomp@chromium.org>
Date: Mon, 12 Nov 2018 09:47:32 -0800
Subject: [PATCH] Add custom malloc with max limit to prevent OOM
This adds the custom malloc/free functions from the old
libpng_read_fuzzer to the upstream fuzzer to prevent clusterfuzz running
into OOM.
Bug: 904054
Change-Id: Ibb824beb191cb5657687c55ee2db8c7783547bad
---
diff --git a/third_party/libpng/contrib/oss-fuzz/libpng_read_fuzzer.cc b/third_party/libpng/contrib/oss-fuzz/libpng_read_fuzzer.cc
index 3a8ecab..ea27d20 100644
--- a/third_party/libpng/contrib/oss-fuzz/libpng_read_fuzzer.cc
+++ b/third_party/libpng/contrib/oss-fuzz/libpng_read_fuzzer.cc
@@ -78,6 +78,21 @@
buf_state->data += length;
}
+void* limited_malloc(png_structp, png_alloc_size_t size) {
+ // libpng may allocate large amounts of memory that the fuzzer reports as
+ // an error. In order to silence these errors, make libpng fail when trying
+ // to allocate a large amount. This allocator used to be in the Chromium
+ // version of this fuzzer.
+ // This number is chosen to match the default png_user_chunk_malloc_max.
+ if (size > 8000000)
+ return nullptr;
+
+ return malloc(size);
+}
+
+void default_free(png_structp, png_voidp ptr) {
+ return free(ptr);
+}
+
static const int kPngHeaderSize = 8;
// Entry point for LibFuzzer.
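Review bot: The guard in limited_malloc caps each individual request at 8000000 bytes but nothing bounds the running total, so a crafted input that drives libpng through many allocations just under the cap could presumably still push the process past the fuzzer's memory limit; if that turns out to matter, a static counter incremented in limited_malloc and decremented in default_free (which needs the size, so a small header or map) would make the limit cumulative. Independently, the threshold is a magic number whose only explanation is the comment that it matches the default png_user_chunk_malloc_max; a named constant keeps that tie visible, e.g. `static const png_alloc_size_t kMaxAllocSize = 8000000;  // matches default png_user_chunk_malloc_max` and `if (size > kMaxAllocSize)`. In default_free, `return free(ptr);` returns a void expression from a void function, which is legal but reads as an oversight; plain `free(ptr);` is the conventional form. Both new functions also have external linkage; if the rest of the file keeps its helpers in an anonymous namespace or marks them static, these should follow suit.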
@@ -118,6 +133,9 @@
return 0;
}
+ // Use a custom allocator that fails for large allocations to avoid OOM.
+ png_set_mem_fn(png_handler.png_ptr, nullptr, limited_malloc, default_free);
+
png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
#ifdef PNG_IGNORE_ADLER32
png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON);