authorAlex Gaynor <alex.gaynor@gmail.com>2016-12-27 18:32:54 -0500
committerKostya Serebryany <konstantin.s.serebryany@gmail.com>2016-12-27 15:32:54 -0800
commitc3a44cb1e38226fa5078456f6c40415200090472 (patch)
tree5185782f020ab93b19d4bf560b5741244556f5f6 /projects/libjpeg-turbo
parentc4ac474aef6c84d42d2f8c7077613cc7f11c495f (diff)
Don't overflow on multiplication in the libjpeg_turbo fuzzer (#218)
Diffstat (limited to 'projects/libjpeg-turbo')
-rw-r--r--projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc5
1 files changed, 3 insertions, 2 deletions
diff --git a/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc b/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc
index 1cee173df..838e5368a 100644
--- a/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc
+++ b/projects/libjpeg-turbo/libjpeg_turbo_fuzzer.cc
@@ -32,8 +32,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
jpegDecompressor, data, size, &width, &height, &subsamp, &colorspace);
// Bail out if decompressing the headers failed, the width or height is 0,
- // or the image is too large (avoids slowing down too much)
- if (res != 0 || width == 0 || height == 0 || (width * height > (1024 * 1024))) {
+ // or the image is too large (avoids slowing down too much). Cast to size_t to
+ // avoid overflows on the multiplication
+ if (res != 0 || width == 0 || height == 0 || ((size_t)width * height > (1024 * 1024))) {
tjDestroy(jpegDecompressor);
return 0;
}
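Review bot: The `(size_t)` cast in the new size condition makes the product only as wide as `size_t`, so on a build where `size_t` is 32 bits the multiplication is still done in 32 bits. The guard then holds only as long as the header parser never reports a dimension above 65535. The declarations of `width` and `height` are outside the hunk (presumably `int`), so this cannot be confirmed from here. A fixed-width widening removes the platform dependence: `if (res != 0 || width == 0 || height == 0 || ((uint64_t)width * height > (1024 * 1024))) {`, with the comment reworded to `Widen to 64 bits so the product cannot wrap`. The body of LLVMFuzzerTestOneInput starts and ends outside the hunk.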