diff options
Diffstat (limited to 'contrib/oss-fuzz/libpng_read_fuzzer.cc')
| -rw-r--r-- | contrib/oss-fuzz/libpng_read_fuzzer.cc | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/contrib/oss-fuzz/libpng_read_fuzzer.cc b/contrib/oss-fuzz/libpng_read_fuzzer.cc index 7b305509c..0190cf786 100644 --- a/contrib/oss-fuzz/libpng_read_fuzzer.cc +++ b/contrib/oss-fuzz/libpng_read_fuzzer.cc @@ -5,8 +5,6 @@ // Use of this source code is governed by a BSD-style license that may // be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE -// Last changed in libpng 1.6.35 [July 15, 2018] - // The modifications in 2017 by Glenn Randers-Pehrson include // 1. addition of a PNG_CLEANUP macro, // 2. setting the option to ignore ADLER32 checksums, @@ -17,6 +15,7 @@ #include <stddef.h> #include <stdint.h> +#include <stdlib.h> #include <string.h> #include <vector> @@ -60,7 +59,7 @@ struct PngObjectHandler { png_free(png_ptr, row_ptr); if (end_info_ptr) png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr); - else if (info_ptr) + else if (info_ptr) png_destroy_read_struct(&png_ptr, &info_ptr, nullptr); else png_destroy_read_struct(&png_ptr, nullptr, nullptr); @@ -78,6 +77,22 @@ void user_read_data(png_structp png_ptr, png_bytep data, size_t length) { buf_state->data += length; } +void* limited_malloc(png_structp, png_alloc_size_t size) { + // libpng may allocate large amounts of memory that the fuzzer reports as + // an error. In order to silence these errors, make libpng fail when trying + // to allocate a large amount. This allocator used to be in the Chromium + // version of this fuzzer. + // This number is chosen to match the default png_user_chunk_malloc_max. + if (size > 8000000) + return nullptr; + + return malloc(size); +} + +void default_free(png_structp, png_voidp ptr) { + return free(ptr); +} + static const int kPngHeaderSize = 8; // Entry point for LibFuzzer. @@ -118,6 +133,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { return 0; } + // Use a custom allocator that fails for large allocations to avoid OOM. + png_set_mem_fn(png_handler.png_ptr, nullptr, limited_malloc, default_free); + png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE); #ifdef PNG_IGNORE_ADLER32 png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON); |