Changeset 103316 in vbox for trunk/src/libs/libpng-1.6.42/contrib/oss-fuzz/libpng_read_fuzzer.cc

Timestamp:

Feb 12, 2024 3:57:56 PM (12 months ago)

Author:

vboxsync

Message:

libpng-1.6.42: Applied and adjusted our libpng changes to 1.6.42. bugref:8515

File:

• trunk/src/libs/libpng-1.6.42/contrib/oss-fuzz/libpng_read_fuzzer.cc (modified) (5 diffs)

trunk/src/libs/libpng-1.6.42/contrib/oss-fuzz/libpng_read_fuzzer.cc

@@ -5 +5 @@
 // Use of this source code is governed by a BSD-style license that may
 // be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE
-
-// Last changed in libpng 1.6.35 [July 15, 2018]
 
 // The modifications in 2017 by Glenn Randers-Pehrson include
@@ -18 +16 @@
 #include <stddef.h>
 #include <stdint.h>
+#include <stdlib.h>
 #include <string.h>
 
@@ -61 +60 @@
     if (end_info_ptr)
       png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr);
-    else if (info_ptr) 
+    else if (info_ptr)
       png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
     else
@@ -77 +76 @@
   buf_state->bytes_left -= length;
   buf_state->data += length;
+}
+
+void* limited_malloc(png_structp, png_alloc_size_t size) {
+  // libpng may allocate large amounts of memory that the fuzzer reports as
+  // an error. In order to silence these errors, make libpng fail when trying
+  // to allocate a large amount. This allocator used to be in the Chromium
+  // version of this fuzzer.
+  // This number is chosen to match the default png_user_chunk_malloc_max.
+  if (size > 8000000)
+    return nullptr;
+
+  return malloc(size);
+}
+
+void default_free(png_structp, png_voidp ptr) {
+  return free(ptr);
 }
 
@@ -118 +133 @@
     return 0;
   }
+
+  // Use a custom allocator that fails for large allocations to avoid OOM.
+  png_set_mem_fn(png_handler.png_ptr, nullptr, limited_malloc, default_free);
 
   png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);