Commit fa9df75bd40c875cfcad1b66ad6f154bbcae32d0
Committed by
GitHub
Merge pull request #1251 from m-holger/fuzz
Mark intentional unsigned integer wrapping in MD5_native::transform and adjust fuzzer memory limits
Showing
2 changed files
with
7 additions
and
2 deletions
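--- a/fuzz/qpdf_fuzzer.cc
+++ b/fuzz/qpdf_fuzzer.cc
@@ -181,8 +181,8 @@ FuzzHelper::doChecks()
 // occur legitimately and therefore must be allowed during normal operations.
 Pl_DCT::setMemoryLimit(1'000'000'000);
 
-Pl_PNGFilter::setMemoryLimit(1'000'000'000);
-Pl_TIFFPredictor::setMemoryLimit(1'000'000'000);
+Pl_PNGFilter::setMemoryLimit(1'000'000);
+Pl_TIFFPredictor::setMemoryLimit(1'000'000);
 
 // Do not decompress corrupt data. This may cause extended runtime within jpeglib without
 // exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.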
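Review bot: The new `1'000'000` limits for Pl_PNGFilter and Pl_TIFFPredictor (new lines 184-185) are three orders of magnitude below the Pl_DCT limit directly above, and nothing in the hunk says why or what they trade away. A lower cap also means the fuzzer no longer exercises predictor inputs that need more than this limit, which deserves to be recorded next to the calls. I would add a comment such as `// Predictor limits are kept far below the DCT limit so oversized buffer requests are rejected early; larger inputs are not fuzzed.` This wording assumes that is the reason, which the hunk does not show, so adjust it to the real rationale. doChecks() begins and ends outside the hunk, so the defaults these calls override are not visible here.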
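--- a/libqpdf/MD5_native.cc
+++ b/libqpdf/MD5_native.cc
@@ -193,7 +193,12 @@ MD5_native::digest(Digest result)
 }
 
 // MD5 basic transformation. Transforms state based on block.
+//
+// NB The algorithm intentionally relies on unsigned integer wrap-around
 void MD5_native::transform(uint32_t state[4], unsigned char block[64])
+#if defined(__clang__)
+__attribute__((no_sanitize("unsigned-integer-overflow")))
+#endif
 {
 uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16];
 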
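Review bot: The `no_sanitize("unsigned-integer-overflow")` attribute on transform() silences the check for that one function only, and the new comment does not say that the suppression concerns an opt-in clang diagnostic rather than undefined behaviour. Wrap-around on `uint32_t` is well defined, so I would extend the note to `// NB The algorithm intentionally relies on unsigned integer wrap-around (well defined for uint32_t); the attribute below only silences clang's opt-in check for this function.` The body of transform() continues outside the hunk. If its round helpers are real functions rather than macros, or if other functions in this file also wrap deliberately, they would presumably still be reported and need the same marking. That is worth confirming with a sanitizer build.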