Commit fa9df75bd40c875cfcad1b66ad6f154bbcae32d0

Authored by m-holger
Committed by GitHub
2 parents b3ab5cd2 4f694cdf

Merge pull request #1251 from m-holger/fuzz

Mark intentional unsigned integer wrapping in MD5_native::transform and adjust fuzzer memory limits
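--- a/fuzz/qpdf_fuzzer.cc
+++ b/fuzz/qpdf_fuzzer.cc
@@ -181,8 +181,8 @@ FuzzHelper::doChecks()
 // occur legitimately and therefore must be allowed during normal operations.
 Pl_DCT::setMemoryLimit(1'000'000'000);
 
-Pl_PNGFilter::setMemoryLimit(1'000'000'000);
-Pl_TIFFPredictor::setMemoryLimit(1'000'000'000);
+Pl_PNGFilter::setMemoryLimit(1'000'000);
+Pl_TIFFPredictor::setMemoryLimit(1'000'000);
 
 // Do not decompress corrupt data. This may cause extended runtime within jpeglib without
 // exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.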
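Review bot: The new limits at new lines 184–185 are bare `1'000'000` literals, three orders of magnitude below the Pl_DCT limit just above, and nothing in the hunk says what unit they are in or why that value was chosen. The only comment in view (line 181) reads as belonging to the Pl_DCT call, so a one-line comment above the two calls would help, for example `// Keep PNG/TIFF predictor limits low: larger allocations here only cause fuzzer OOMs, not new coverage.` if that is the rationale. These limits are set in the fuzz harness only; whether library callers get a comparable bound by default is not visible here, so inputs the fuzzer rejects at this threshold may still be processed in production use. doChecks() starts and ends outside the hunk.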
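--- a/libqpdf/MD5_native.cc
+++ b/libqpdf/MD5_native.cc
@@ -193,7 +193,12 @@ MD5_native::digest(Digest result)
 }
 
 // MD5 basic transformation. Transforms state based on block.
+//
+// NB The algorithm intentionally relies on unsigned integer wrap-around
 void MD5_native::transform(uint32_t state[4], unsigned char block[64])
+#if defined(__clang__)
+__attribute__((no_sanitize("unsigned-integer-overflow")))
+#endif
 {
 uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16];
 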
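Review bot: The `no_sanitize("unsigned-integer-overflow")` attribute at new lines 199–201 applies to arithmetic emitted in transform()'s own body only, and the new comment does not say that or tie itself to the attribute. If the round helpers used further down are real functions rather than macros (not visible in this hunk), their additions would presumably still be reported and would need the same annotation. I would extend the comment to something like `// NB The algorithm intentionally relies on unsigned integer wrap-around (mod 2^32); the attribute below only silences clang's optional check for it in this function.` so that nobody later widens the suppression to a whole file or build flag. The body of transform() continues past the end of the hunk.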