Merge "Snap for 11730676 from e3204995372afdfd25cc99611e9a001b2cb28ba2 to sdk-release" into sdk-release

author: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2024-04-18 01:24:58 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> 2024-04-18 01:24:58 +0000
commit: ac19f36b8cdef41a423dcb6ca3d0c2231dc53045 (patch)
tree: 81511e5a4fba3525fde7c8f5d6ec70403df61003 /tests/fuzzer/animdecoder_fuzzer.cc
parent: acf3f286509a2ace97aa0d670d3bd935dcf01607 (diff)
parent: c3e89de6f2a2c5239f78d17dc0d820bc03444cf4 (diff)
download: webp-ac19f36b8cdef41a423dcb6ca3d0c2231dc53045.tar.gz
1 files changed, 16 insertions, 7 deletions
diff --git a/tests/fuzzer/animdecoder_fuzzer.cc b/tests/fuzzer/animdecoder_fuzzer.cc
index a79712dc..c3ea4758 100644
--- a/tests/fuzzer/animdecoder_fuzzer.cc
+++ b/tests/fuzzer/animdecoder_fuzzer.cc
@@ -14,25 +14,34 @@
 //
 ////////////////////////////////////////////////////////////////////////////////
 
-#include "examples/anim_util.h"
+#include <cstddef>
+#include <cstdint>
+
 #include "imageio/imageio_util.h"
+#include "src/webp/decode.h"
 #include "src/webp/demux.h"
+#include "src/webp/mux_types.h"
 
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // WebPAnimDecoderGetInfo() is too late to check the canvas size as
   // WebPAnimDecoderNew() will handle the allocations.
+  const size_t kMaxNumBytes = 2684354560;  // RSS (resident set size) limit.
+  const size_t kMaxNumPixels = kMaxNumBytes / 4;       // At most ARGB.
+  const size_t kMaxNumPixelsSafe = kMaxNumPixels / 2;  // Allow one buffer copy.
   WebPBitstreamFeatures features;
   if (WebPGetFeatures(data, size, &features) == VP8_STATUS_OK) {
     if (!ImgIoUtilCheckSizeArgumentsOverflow(features.width * 4,
-                                             features.height)) {
+                                             features.height) ||
+        static_cast<size_t>(features.width) * features.height >
+            kMaxNumPixelsSafe) {
       return 0;
     }
   }
 
   // decode everything as an animation
-  WebPData webp_data = { data, size };
-  WebPAnimDecoder* const dec = WebPAnimDecoderNew(&webp_data, NULL);
-  if (dec == NULL) return 0;
+  WebPData webp_data = {data, size};
+  WebPAnimDecoder* const dec = WebPAnimDecoderNew(&webp_data, nullptr);
+  if (dec == nullptr) return 0;
 
   WebPAnimInfo info;
   if (!WebPAnimDecoderGetInfo(dec, &info)) goto End;
@@ -46,7 +55,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     int timestamp;
     if (!WebPAnimDecoderGetNext(dec, &buf, &timestamp)) break;
   }
- End:
+End:
   WebPAnimDecoderDelete(dec);
   return 0;
 }
author	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2024-04-18 01:24:58 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	2024-04-18 01:24:58 +0000
commit	ac19f36b8cdef41a423dcb6ca3d0c2231dc53045 (patch)
tree	81511e5a4fba3525fde7c8f5d6ec70403df61003 /tests/fuzzer/animdecoder_fuzzer.cc
parent	acf3f286509a2ace97aa0d670d3bd935dcf01607 (diff)
parent	c3e89de6f2a2c5239f78d17dc0d820bc03444cf4 (diff)
download	webp-ac19f36b8cdef41a423dcb6ca3d0c2231dc53045.tar.gz