author | Michael Hanselmann <public@hansmi.ch> | 2021-08-22 21:45:22 +0200 |
---|---|---|
committer | Michael Hanselmann <public@hansmi.ch> | 2021-08-22 21:45:47 +0200 |
commit | f2835023d808c3f73d7f2e495968b9568d5c2bef (patch) | |
tree | d08e307f7f400209c6c4ed14a32d97bc5daa8fca | |
parent | 8490a7ac101d4ee0a78c44b252d3b7a6c2508c74 (diff) |
Avoid integer overflow in fuzzing code
Don't try to multiply the number of bytes to read when it's too large:
signed integer overflow: 4 * 538976082 cannot be represented in type 'int'
Given the usual sizes of fuzzing inputs, even a few MiB is too large.
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
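As an added example, not the project's fuzzer code and not part of this commit, the short-read helper the commit introduces is reworked below against a constructed stand-in for libFuzzer's `FuzzedDataProvider`. It generalises the fixed 1 MiB cut-off to `INT_MAX / 4`, the largest `count` for which `4 * count` is still representable, and also refuses to build a range for a non-positive count. `ToyDataProvider`, `four_times_overflows`, `safe_short_count` and `simulated_read` are names chosen for this example; the byte buffers are constructed test input.

```cpp
#include <algorithm>
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <utility>
#include <vector>

// Minimal stand-in for libFuzzer's FuzzedDataProvider, constructed for this
// example (it is NOT the real header). Values come from a fixed byte buffer,
// so every result below is deterministic.
class ToyDataProvider {
public:
    explicit ToyDataProvider(std::vector<uint8_t> data) : data_(std::move(data)) {}

    // Return a value in [min, max] derived from the next input byte.
    // The real provider aborts when min > max; this stand-in is lenient so
    // the caller's guard (see safe_short_count) is what keeps it correct.
    int ConsumeIntegralInRange(int min, int max) {
        if (min > max) return min;
        uint64_t range = static_cast<uint64_t>(max) - static_cast<uint64_t>(min) + 1;
        if (pos_ >= data_.size()) return min;  // input exhausted
        uint8_t b = data_[pos_++];
        return min + static_cast<int>(b % range);
    }

    // Copy up to n bytes into out; returns how many bytes were available.
    size_t ConsumeData(uint8_t *out, size_t n) {
        size_t avail = std::min(n, data_.size() - pos_);
        std::memcpy(out, data_.data() + pos_, avail);
        pos_ += avail;
        return avail;
    }

private:
    std::vector<uint8_t> data_;
    size_t pos_ = 0;
};

// True when 4 * count would not fit in an int. For count == 538976082, the
// value from the commit message, this is true on a 32-bit int.
bool four_times_overflows(int count) {
    return count > INT_MAX / 4;
}

// Short-read/short-write simulation that never evaluates 4 * count when the
// product would overflow and never hands the provider an empty range.
// The commit's helper returns count unchanged above 1 MiB; this variant uses
// INT_MAX / 4 instead, which is the exact boundary of defined behaviour.
int safe_short_count(ToyDataProvider &fdp, int count) {
    if (count <= 0 || four_times_overflows(count)) {
        return count;  // nothing sensible to shorten; caller handles it
    }
    return std::min(count, fdp.ConsumeIntegralInRange(1, 4 * count));
}

// Simulated parser_read: fill data with at most count bytes, possibly fewer.
int simulated_read(ToyDataProvider &fdp, uint8_t *data, int count) {
    int n = safe_short_count(fdp, count);
    if (n <= 0) return 0;
    return static_cast<int>(fdp.ConsumeData(data, static_cast<size_t>(n)));
}

int main() {
    // Constructed input: first byte 0x07 steers the range pick, the rest is data.
    ToyDataProvider fdp({0x07, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j'});
    uint8_t buf[64] = {0};
    int n = simulated_read(fdp, buf, 10);  // range [1,40], byte 7 -> 8 -> short read of 8
    std::printf("read %d bytes: %.*s\n", n, n, reinterpret_cast<const char *>(buf));
    std::printf("4 * 538976082 overflows int: %s\n",
                four_times_overflows(538976082) ? "yes" : "no");
    return 0;
}
```

The two guards are independent: the upper one keeps the multiplication defined, the `count <= 0` one keeps the range `[1, 4 * count]` non-empty, which the real `FuzzedDataProvider` would otherwise reject. Anything the guards let through is clamped exactly as in the committed helper.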
-rw-r--r-- | fuzzing/usbredirparserfuzz.cc | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/fuzzing/usbredirparserfuzz.cc b/fuzzing/usbredirparserfuzz.cc index 4c3882a..b2482a6 100644 --- a/fuzzing/usbredirparserfuzz.cc +++ b/fuzzing/usbredirparserfuzz.cc @@ -48,12 +48,19 @@ void parser_log(void *priv, int level, const char *msg) { } +int wobbly_read_write_count(int count) +{ + if (count > (1024 * 1024)) { + return count; + } + + return std::min(count, fdp->ConsumeIntegralInRange(1, 4 * count)); +} + int parser_read(void *priv, uint8_t *data, int count) { // Simulate short reads - count = std::min(count, fdp->ConsumeIntegralInRange(1, 4 * count)); - - return fdp->ConsumeData(data, count); + return fdp->ConsumeData(data, wobbly_read_write_count(count)); } // Read over complete input buffer to detect buffer overflows @@ -77,7 +84,7 @@ void read_all(const T *ptr) int parser_write(void *priv, uint8_t *data, int count) { // Simulate short writes - count = std::min(count, fdp->ConsumeIntegralInRange(1, 4 * count)); + count = wobbly_read_write_count(count); read_all(data, count); |
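Review bot: in the first hunk, `wobbly_read_write_count` still forwards a zero or negative `count` into `fdp->ConsumeIntegralInRange(1, 4 * count)`, where the upper bound ends up below the lower bound of 1; widen the early return to cover that case as well, e.g. `if (count <= 0 || count > (1024 * 1024)) return count;`. The 1 MiB cut-off itself is sound: 4 * 1048576 is 4194304, comfortably inside a 32-bit `int`, so the multiplication UBSan flagged can no longer overflow. Two smaller points: the helper is only used in this file and should be `static`, and a one-line comment stating why large counts are passed through untouched (the overflow from the commit message) would spare the next reader a trip to the log.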
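Review bot: in the second hunk, `parser_write` shortens `count` before calling `read_all(data, count)`, so the overflow probe that the comment above `read_all` promises ("Read over complete input buffer") only touches the shortened prefix of the buffer the parser handed in. Call `read_all(data, count)` on the original `count` first and apply `wobbly_read_write_count` afterwards for the returned short-write length; the short-write simulation is unchanged and the whole buffer is read on every write.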