Commit 4b245364caadc85aea4ac01d626985f9e2ff4c0d
Committed by
GitHub
Merge pull request #1285 from m-holger/fuzz
Adjust fuzzer Pl_Flate memory limits
Showing
10 changed files
with
10 additions
and
16 deletions
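--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -141,6 +141,7 @@ set(CORPUS_OTHER
 70306a.fuzz
 70306b.fuzz
 71624.fuzz
+71689.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)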
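--- a/fuzz/qpdf_crypt_fuzzer.cc
+++ b/fuzz/qpdf_crypt_fuzzer.cc
@@ -109,7 +109,7 @@ FuzzHelper::doChecks()
 
 Pl_PNGFilter::setMemoryLimit(1'000'000);
 Pl_TIFFPredictor::setMemoryLimit(1'000'000);
-Pl_Flate::setMemoryLimit(1'000'000);
+Pl_Flate::setMemoryLimit(200'000);
 
 // Do not decompress corrupt data. This may cause extended runtime within jpeglib without
 // exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.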
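Review bot: The new `200'000` Flate limit carries no note on why it is a fifth of the PNG/TIFF limits set two lines above it, and the same literal is repeated in qpdf_crypt_insecure_fuzzer.cc, qpdf_fuzzer.cc, qpdf_lin_fuzzer.cc, qpdf_outlines_fuzzer.cc and qpdf_pages_fuzzer.cc. Presumably the value was driven by the 71689.fuzz case added in this commit, but that is not stated anywhere a reader of this file will see it; a one-line comment such as `// Flate is limited more tightly than the predictors; see fuzz/qpdf_extra/71689.fuzz` (or whatever the actual reason is) would stop a later edit from "normalising" it back to 1'000'000. If the fuzzers share a helper header, a single named constant there would keep the six copies in step. doChecks() continues outside the hunk.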
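--- a/fuzz/qpdf_crypt_insecure_fuzzer.cc
+++ b/fuzz/qpdf_crypt_insecure_fuzzer.cc
@@ -109,7 +109,7 @@ FuzzHelper::doChecks()
 
 Pl_PNGFilter::setMemoryLimit(1'000'000);
 Pl_TIFFPredictor::setMemoryLimit(1'000'000);
-Pl_Flate::setMemoryLimit(1'000'000);
+Pl_Flate::setMemoryLimit(200'000);
 
 // Do not decompress corrupt data. This may cause extended runtime within jpeglib without
 // exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.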
fuzz/qpdf_extra/71689.fuzz
0 → 100644
No preview for this file type
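--- a/fuzz/qpdf_fuzzer.cc
+++ b/fuzz/qpdf_fuzzer.cc
@@ -93,13 +93,6 @@ FuzzHelper::testWrite()
 w->setDeterministicID(true);
 w->setQDFMode(true);
 doWrite(w);
-
-q = getQpdf();
-w = getWriter(q);
-w->setStaticID(true);
-w->setLinearization(true);
-w->setR6EncryptionParameters("u", "o", true, true, true, true, true, true, qpdf_r3p_full, true);
-doWrite(w);
 }
 
 void
@@ -114,7 +107,7 @@ FuzzHelper::doChecks()
 
 Pl_PNGFilter::setMemoryLimit(1'000'000);
 Pl_TIFFPredictor::setMemoryLimit(1'000'000);
-Pl_Flate::setMemoryLimit(1'000'000);
+Pl_Flate::setMemoryLimit(200'000);
 
 // Do not decompress corrupt data. This may cause extended runtime within jpeglib without
 // exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.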
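Review bot: testWrite() no longer runs the R6-encrypted, linearized write pass, and neither the hunk nor the commit title records why or where that coverage now lives. If the pass was dropped because it is what exhausted the new Flate limit or the fuzz time budget, a short comment where the lines were removed — e.g. `// The encrypted + linearized write pass is not repeated here; see qpdf_crypt_fuzzer / qpdf_lin_fuzzer` — would record the decision; presumably those fuzzers cover it, but that is not visible from this file. Without such a note a later maintainer has no signal that this fuzzer's write coverage was deliberately narrowed rather than lost. testWrite() begins outside the first hunk.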
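--- a/fuzz/qpdf_lin_fuzzer.cc
+++ b/fuzz/qpdf_lin_fuzzer.cc
@@ -108,7 +108,7 @@ FuzzHelper::doChecks()
 
 Pl_PNGFilter::setMemoryLimit(1'000'000);
 Pl_TIFFPredictor::setMemoryLimit(1'000'000);
-Pl_Flate::setMemoryLimit(1'000'000);
+Pl_Flate::setMemoryLimit(200'000);
 
 // Do not decompress corrupt data. This may cause extended runtime within jpeglib without
 // exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.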
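--- a/fuzz/qpdf_outlines_fuzzer.cc
+++ b/fuzz/qpdf_outlines_fuzzer.cc
@@ -85,7 +85,7 @@ FuzzHelper::doChecks()
 
 Pl_PNGFilter::setMemoryLimit(1'000'000);
 Pl_TIFFPredictor::setMemoryLimit(1'000'000);
-Pl_Flate::setMemoryLimit(1'000'000);
+Pl_Flate::setMemoryLimit(200'000);
 
 // Do not decompress corrupt data. This may cause extended runtime within jpeglib without
 // exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.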
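--- a/fuzz/qpdf_pages_fuzzer.cc
+++ b/fuzz/qpdf_pages_fuzzer.cc
@@ -106,7 +106,7 @@ FuzzHelper::doChecks()
 
 Pl_PNGFilter::setMemoryLimit(1'000'000);
 Pl_TIFFPredictor::setMemoryLimit(1'000'000);
-Pl_Flate::setMemoryLimit(1'000'000);
+Pl_Flate::setMemoryLimit(200'000);
 
 // Do not decompress corrupt data. This may cause extended runtime within jpeglib without
 // exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.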
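--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
-my $n_qpdf_files = 78; # increment when adding new files
+my $n_qpdf_files = 79; # increment when adding new files
 
 my @fuzzers = (
 ['ascii85' => 1],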
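--- a/libqpdf/Pl_Flate.cc
+++ b/libqpdf/Pl_Flate.cc
@@ -181,7 +181,7 @@ Pl_Flate::handleData(unsigned char const* data, size_t len, int flush)
 }
 uLong ready = QIntC::to_ulong(m->out_bufsize - zstream.avail_out);
 if (ready > 0) {
-if (memory_limit) {
+if (memory_limit && m->action != a_deflate) {
 m->written += ready;
 if (m->written > memory_limit) {
 throw std::runtime_error("PL_Flate memory limit exceeded");
@@ -205,7 +205,7 @@ void
 Pl_Flate::finish()
 {
 if (m->written > memory_limit) {
-return;
+throw std::runtime_error("PL_Flate memory limit exceeded");
 }
 try {
 if (m->outbuf.get()) {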
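Review bot: The finish() check `if (m->written > memory_limit)` now throws, but it is only correct because handleData() accumulates `m->written` solely inside `if (memory_limit && m->action != a_deflate)` — with no limit set, `m->written` stays 0 and `0 > 0` is false, so an unlimited pipeline never trips it. That coupling deserves a comment at both sites, e.g. in handleData() `// Only inflate output is counted against the limit; deflate is exempt` with the reason (presumably that compressed output cannot expand like an inflate bomb, but the hunk does not say), and in finish() `// written is only accumulated when a limit is set, so this cannot fire with memory_limit == 0`. Throwing from finish() also means a caller that already caught the handleData() exception and then reaches finish() — directly, or through a destructor or other unwinding path — gets a second exception, which terminates if it happens during unwinding; worth confirming that no destructor in the pipeline calls finish(). Converting the silent `return` into an error is the right direction, since the old path let a truncated inflate finish quietly. finish()'s body continues past the hunk.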