[Libreoffice-commits] core.git: 2 commits - filter/source vcl/source vcl/workben
Caolán McNamara
caolanm at redhat.com
Mon Feb 12 20:36:36 UTC 2018
filter/source/graphicfilter/itiff/itiff.cxx | 12 ++++++++++++
vcl/source/filter/jpeg/jpegc.cxx | 9 ++++++---
vcl/workben/commonfuzzer.hxx | 9 +++++++++
3 files changed, 27 insertions(+), 3 deletions(-)
New commits:
commit 10b6a2b2d6a5cb938ead02cba2fa03f748c5f63c
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Feb 12 14:17:30 2018 +0000
give up on recoverable errors earlier when fuzzing
Change-Id: I10b06a977f77c0802cbf5a1db33671ba1db69ba9
Reviewed-on: https://gerrit.libreoffice.org/49601
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/vcl/source/filter/jpeg/jpegc.cxx b/vcl/source/filter/jpeg/jpegc.cxx
index ddb5075fd817..8a8ea3707379 100644
--- a/vcl/source/filter/jpeg/jpegc.cxx
+++ b/vcl/source/filter/jpeg/jpegc.cxx
@@ -39,8 +39,6 @@ extern "C" {
#include <vcl/bitmapaccess.hxx>
#include <vcl/graphicfilter.hxx>
-#define WarningLimit 1000
-
#ifdef _MSC_VER
#pragma warning(push)
#pragma warning (disable: 4324) /* disable to __declspec(align()) aligned warning */
@@ -72,6 +70,11 @@ extern "C" void outputMessage (j_common_ptr cinfo)
SAL_WARN("vcl.filter", "failure reading JPEG: " << buffer);
}
+static int GetWarningLimit()
+{
+ return utl::ConfigManager::IsFuzzing() ? 100 : 1000;
+}
+
extern "C" void emitMessage (j_common_ptr cinfo, int msg_level)
{
if (msg_level < 0)
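Review bot: The new GetWarningLimit has no comment saying why the tolerated warning count drops to 100 under fuzzing, and it re-evaluates utl::ConfigManager::IsFuzzing() on every libjpeg warning that reaches emitMessage. A one-line header such as `// Tolerate fewer recoverable warnings when fuzzing so pathological inputs are abandoned sooner` would carry the commit's intent into the code. If IsFuzzing() is more than a cached flag read (I cannot tell from here), computing the value once — `static const int nLimit = utl::ConfigManager::IsFuzzing() ? 100 : 1000; return nLimit;` — keeps the per-warning cost constant. emitMessage's body continues in the next hunk.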
@@ -80,7 +83,7 @@ extern "C" void emitMessage (j_common_ptr cinfo, int msg_level)
// reasonable limit (initially using ImageMagick's current limit of
// 1000), then bail.
// https://libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
- if (cinfo->err->num_warnings++ > WarningLimit)
+ if (++cinfo->err->num_warnings > GetWarningLimit())
cinfo->err->error_exit(cinfo);
else
cinfo->err->output_message(cinfo);
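Review bot: The comment directly above the changed check still describes only the 1000 limit, while the code now uses 100 under fuzzing, and the switch from post- to pre-increment means error_exit now fires on the (limit+1)-th warning rather than the (limit+2)-th. Extending the comment to `// 1000; 100 when fuzzing, see GetWarningLimit()), then bail.` keeps the documentation in step with the check. emitMessage starts before this hunk.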
commit 76c58b1cfbe2ab41b8e33d40953341410be7db96
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Feb 12 15:20:03 2018 +0000
for ~perfect compression link fuzzer input limit to an output limit
Change-Id: I30c3a0b75c818b55f6e73fdb68bf59fdac249d0e
Reviewed-on: https://gerrit.libreoffice.org/49606
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 6e7bb2461eac..0449cdff7e2b 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -513,6 +513,10 @@ sal_uInt8* TIFFReader::getMapData(sal_uInt32 np)
bool TIFFReader::ReadMap()
{
+ //when fuzzing with a max len set, max decompress to 2000 times that limit
+ static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 2000; }(std::getenv("FUZZ_MAX_INPUT_LEN"));
+ size_t nTotalDataRead = 0;
+
if ( nCompression == 1 || nCompression == 32771 )
{
sal_uInt32 nStripBytesPerRow;
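Review bot: The initializer on the `static size_t nMaxAllowedDecompression` line converts a possibly negative std::atoi result to size_t before multiplying, so a malformed or negative FUZZ_MAX_INPUT_LEN produces a huge cap instead of the "zero means unlimited" convention that the later checks in ReadMap rely on, and the multiplication by 2000 is not guarded against wrapping. Parsing into a signed type and clamping — `long nLen = pEnv ? std::atol(pEnv) : 0; return nLen > 0 ? static_cast<size_t>(nLen) * 2000 : 0;` — preserves that convention, and splitting the lambda over several lines would make it readable. ReadMap's body runs past the end of this hunk.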
@@ -603,6 +607,9 @@ bool TIFFReader::ReadMap()
bDifferentToPrev |= !aResult.m_bBufferUnchanged;
if ( pTIFF->GetError() )
return false;
+ nTotalDataRead += nBytesPerRow;
+ if (nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression)
+ return false;
}
if (!bDifferentToPrev)
{
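Review bot: The two added lines `nTotalDataRead += nBytesPerRow;` and `if (nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression) return false;` are repeated verbatim in the next hunk after the LZW branch; a small lambda declared beside nTotalDataRead, e.g. `auto bOverLimit = [&](size_t nBytes) { nTotalDataRead += nBytes; return nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression; };`, would keep the accounting in one place and make a third decompression path less likely to miss it. Note the check runs only after a row has already been produced, so it bounds the total output, not the size of any single row. ReadMap starts before and ends after this hunk.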
@@ -645,6 +652,11 @@ bool TIFFReader::ReadMap()
if ( ( aLZWDecom.Decompress(getMapData(np), nBytesPerRow) != nBytesPerRow ) || pTIFF->GetError() )
return false;
}
+
+ nTotalDataRead += nBytesPerRow;
+ if (nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression)
+ return false;
+
if ( !ConvertScanline( ny ) )
return false;
}
diff --git a/vcl/workben/commonfuzzer.hxx b/vcl/workben/commonfuzzer.hxx
index 9b6f5728572c..cc4830fa5990 100644
--- a/vcl/workben/commonfuzzer.hxx
+++ b/vcl/workben/commonfuzzer.hxx
@@ -87,6 +87,15 @@ void CommonInitialize(int *argc, char ***argv)
setenv("SAL_DISABLE_DEFAULTPRINTER", "1", 1);
setenv("SAL_NO_FONT_LOOKUP", "1", 1);
+ //allow bubbling of max input len to fuzzer targets
+ int nMaxLen = 0;
+ for (int i = 0; i < *argc; ++i)
+ {
+ if (strncmp((*argv)[i], "-max_len=", 9) == 0)
+ nMaxLen = atoi((*argv)[i] + 9);
+ }
+ setenv("FUZZ_MAX_INPUT_LEN", "1", nMaxLen);
+
osl_setCommandArgs(*argc, *argv);
OUString sExecDir = getExecutableDir();
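Review bot: `setenv("FUZZ_MAX_INPUT_LEN", "1", nMaxLen);` passes the parsed length as setenv's overwrite flag and the literal "1" as the value, so the consumer in itiff.cxx (the ReadMap hunk above) always sees a limit of 1 and caps decompression at 2000 bytes regardless of -max_len, and when no -max_len is given the variable is still exported as "1" unless it already existed. The length has to be formatted into the value argument, and it should only be exported when a positive length was parsed so the zero-means-unlimited convention on the reading side holds. The rewrite below uses std::to_string, which needs `<string>` in scope if the header does not already pull it in. CommonInitialize continues past this hunk.
```cpp
    // … unchanged: scan of argv for -max_len= into nMaxLen …
    // setenv(name, value, overwrite): the length is the value, not the flag
    if (nMaxLen > 0)
    {
        const std::string sMaxLen = std::to_string(nMaxLen);
        setenv("FUZZ_MAX_INPUT_LEN", sMaxLen.c_str(), 1);
    }
```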