authorCaolán McNamara <caolanm@redhat.com>2019-01-28 21:37:21 +0000
committerCaolán McNamara <caolanm@redhat.com>2019-01-29 09:53:54 +0100
commiteb70426c1fdf021f2688f179988a8c36b673c67b (patch)
treeb70fdb1fab1c653bf5e81ec28421a4ee1db0c314 /vcl
parentcb50e64a858e6791f9893699be0ec5fe4a259834 (diff)
ofz#11104 for timeouts, limit decompression ratios when fuzzing
Change-Id: If9efe56a40a866269a06ce944885a324495af48a Reviewed-on: https://gerrit.libreoffice.org/67036 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'vcl')
-rw-r--r--vcl/source/gdi/pngread.cxx10
1 files changed, 10 insertions, 0 deletions
diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index b5ac9e430596..f4bdbf8ae9bc 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -900,6 +900,10 @@ sal_uInt8 PNGReaderImpl::ImplScaleColor()
void PNGReaderImpl::ImplReadIDAT()
{
+ //when fuzzing with a max len set, max decompress to 250 times that limit
+ static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 250; }(std::getenv("FUZZ_MAX_INPUT_LEN"));
+ size_t nTotalDataRead = 0;
+
if( mnChunkLen > 0 )
{
mbIDATStarted = true;
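Review bot: The initializer of `nMaxAllowedDecompression` parses `FUZZ_MAX_INPUT_LEN` with `std::atoi` and stores the `int` result directly in a `size_t`, so a negative value wraps to a very large number before the `* 250`, and an out-of-range value is undefined behaviour for `atoi`. In both cases the cap is silently ineffective. Parsing as signed and rejecting non-positive values makes a bad setting mean "no limit" explicitly: `long n = pEnv ? std::strtol(pEnv, nullptr, 10) : 0; return n > 0 ? static_cast<size_t>(n) * 250 : size_t{0};`. The comment should also state that 0 (variable unset) disables the check, so the code is not read as a decompression-bomb guard for normal builds. The body of ImplReadIDAT continues outside the hunk.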
@@ -922,6 +926,12 @@ void PNGReaderImpl::ImplReadIDAT()
mbStatus = false;
break;
}
+ nTotalDataRead += nRead;
+ if (nMaxAllowedDecompression && nTotalDataRead > nMaxAllowedDecompression)
+ {
+ mbStatus = false;
+ break;
+ }
if ( nRead < nToRead )
{
mpScanCurrent += nRead; // more ZStream data in the next IDAT chunk
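Review bot: The added check compares against `nTotalDataRead`, which the earlier hunk declares as a local of `ImplReadIDAT`, so the running total starts from zero on every call. If the function runs once per IDAT chunk, as the context comment "more ZStream data in the next IDAT chunk" suggests, the limit bounds each chunk separately and an image split across many IDAT chunks can still exceed the intended ratio in total. Keeping the counter in the reader object (a new member, zeroed where the reader is set up) would apply the cap to the whole stream. The enclosing loop starts and ends outside the hunk, so the type and meaning of `nRead` should be confirmed there.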