| From bd38fe17b88d63245832978286f2fe12c9ed6de7 Mon Sep 17 00:00:00 2001 |
| From: Christopher Thompson <cthomp@chromium.org> |
| Date: Mon, 12 Nov 2018 09:47:32 -0800 |
| Subject: [PATCH] Add custom malloc with max limit to prevent OOM |
| |
| This adds the custom malloc/free functions from the old |
| libpng_read_fuzzer to the upstream fuzzer to prevent clusterfuzz running |
| into OOM. |
| |
| Bug: 904054 |
| Change-Id: Ibb824beb191cb5657687c55ee2db8c7783547bad |
| --- |
| |
| diff --git a/third_party/libpng/contrib/oss-fuzz/libpng_read_fuzzer.cc b/third_party/libpng/contrib/oss-fuzz/libpng_read_fuzzer.cc |
| index 3a8ecab..ea27d20 100644 |
| --- a/third_party/libpng/contrib/oss-fuzz/libpng_read_fuzzer.cc |
| +++ b/third_party/libpng/contrib/oss-fuzz/libpng_read_fuzzer.cc |
| @@ -78,6 +78,21 @@ |
| buf_state->data += length; |
| } |
| |
| +void* limited_malloc(png_structp, png_alloc_size_t size) { |
| + // libpng may allocate large amounts of memory that the fuzzer reports as |
| + // an error. In order to silence these errors, make libpng fail when trying |
| + // to allocate a large amount. This allocator used to be in the Chromium |
| + // version of this fuzzer. |
| + // This number is chosen to match the default png_user_chunk_malloc_max. |
| + if (size > 8000000) |
| + return nullptr; |
| + |
| + return malloc(size); |
| +} |
| + |
| +void default_free(png_structp, png_voidp ptr) { |
| + return free(ptr); |
| +} |
| + |
| static const int kPngHeaderSize = 8; |
| |
| // Entry point for LibFuzzer. |
| @@ -118,6 +133,9 @@ |
| return 0; |
| } |
| |
| + // Use a custom allocator that fails for large allocations to avoid OOM. |
| + png_set_mem_fn(png_handler.png_ptr, nullptr, limited_malloc, default_free); |
| + |
| png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE); |
| #ifdef PNG_IGNORE_ADLER32 |
| png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON); |