author | Caolán McNamara <caolanm@redhat.com> | 2019-01-28 21:37:21 +0000 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2019-01-29 09:53:54 +0100 |
commit | eb70426c1fdf021f2688f179988a8c36b673c67b (patch) | |
tree | b70fdb1fab1c653bf5e81ec28421a4ee1db0c314 | |
parent | cb50e64a858e6791f9893699be0ec5fe4a259834 (diff) |
ofz#11104 for timeouts, limit decompression ratios when fuzzing
Change-Id: If9efe56a40a866269a06ce944885a324495af48a
Reviewed-on: https://gerrit.libreoffice.org/67036
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
-rw-r--r-- | filter/source/graphicfilter/itiff/itiff.cxx | 4 | ||||
-rw-r--r-- | vcl/source/gdi/pngread.cxx | 10 |
2 files changed, 12 insertions, 2 deletions
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 8f8edd243be2..4e121351530d 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -547,8 +547,8 @@ sal_uInt8* TIFFReader::getMapData(sal_uInt32 np)
 bool TIFFReader::ReadMap()
 {
- //when fuzzing with a max len set, max decompress to 2000 times that limit
- static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 2000; }(std::getenv("FUZZ_MAX_INPUT_LEN"));
+ //when fuzzing with a max len set, max decompress to 250 times that limit
+ static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 250; }(std::getenv("FUZZ_MAX_INPUT_LEN"));
 size_t nTotalDataRead = 0;
 if ( nCompression == 1 || nCompression == 32771 )
diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index b5ac9e430596..f4bdbf8ae9bc 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -900,6 +900,10 @@ sal_uInt8 PNGReaderImpl::ImplScaleColor()
 void PNGReaderImpl::ImplReadIDAT()
 {
+ //when fuzzing with a max len set, max decompress to 250 times that limit
+ static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 250; }(std::getenv("FUZZ_MAX_INPUT_LEN"));
+ size_t nTotalDataRead = 0;
+
 if( mnChunkLen > 0 )
 {
 mbIDATStarted = true;
@@ -922,6 +926,12 @@ void PNGReaderImpl::ImplReadIDAT()
 mbStatus = false;
 break;
 }
+ nTotalDataRead += nRead;
+ if (nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression)
+ {
+ mbStatus = false;
+ break;
+ }
 if ( nRead < nToRead )
 {
 mpScanCurrent += nRead; // more ZStream data in the next IDAT chunk |
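Review bot: In `TIFFReader::ReadMap()` (itiff.cxx) the initializer `size_t nRet = pEnv ? std::atoi(pEnv) : 0;` stores an `int` in a `size_t`, so a negative `FUZZ_MAX_INPUT_LEN` wraps to a huge value and the multiplied cap becomes arbitrary instead of either a sane limit or "off". Rejecting non-positive values before the multiply keeps the limit predictable: `int n = pEnv ? std::atoi(pEnv) : 0; return n > 0 ? static_cast<size_t>(n) * 250 : 0;`. The same lambda is copied verbatim into `PNGReaderImpl::ImplReadIDAT()` in the pngread.cxx hunk, so the fix applies there too, and a shared helper would keep the ratio in one place. `ReadMap()` continues past the end of the hunk.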
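Review bot: `size_t nTotalDataRead = 0;` at the top of `PNGReaderImpl::ImplReadIDAT()` (pngread.cxx, first hunk) is a local, so the running total restarts on every call. If this function runs once per IDAT chunk, as the context comment "more ZStream data in the next IDAT chunk" suggests, the check added in the following hunk bounds each chunk separately rather than the whole image, and an input split across many IDAT chunks could still decompress well past 250 times the input limit. Holding the total in a `PNGReaderImpl` member that is reset when decoding of an image starts would make the cap apply per stream; that needs a declaration outside the visible hunks. The function body starts and ends outside both pngread.cxx hunks, so the call pattern should be confirmed against the full file.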