authorMichael Hanselmann <public@hansmi.ch>2021-08-22 21:45:22 +0200
committerMichael Hanselmann <public@hansmi.ch>2021-08-22 21:45:47 +0200
commitf2835023d808c3f73d7f2e495968b9568d5c2bef (patch)
treed08e307f7f400209c6c4ed14a32d97bc5daa8fca
parent8490a7ac101d4ee0a78c44b252d3b7a6c2508c74 (diff)
Avoid integer overflow in fuzzing code
Don't try to multiply the number of bytes to read when it's too large: signed integer overflow: 4 * 538976082 cannot be represented in type 'int'. Given the usual sizes of fuzzing inputs, even a few MiB is too large. Signed-off-by: Michael Hanselmann <public@hansmi.ch>
-rw-r--r--fuzzing/usbredirparserfuzz.cc15
1 files changed, 11 insertions, 4 deletions
diff --git a/fuzzing/usbredirparserfuzz.cc b/fuzzing/usbredirparserfuzz.cc
index 4c3882a..b2482a6 100644
--- a/fuzzing/usbredirparserfuzz.cc
+++ b/fuzzing/usbredirparserfuzz.cc
@@ -48,12 +48,19 @@ void parser_log(void *priv, int level, const char *msg)
{
}
+int wobbly_read_write_count(int count)
+{
+ if (count > (1024 * 1024)) {
+ return count;
+ }
+
+ return std::min(count, fdp->ConsumeIntegralInRange(1, 4 * count));
+}
+
int parser_read(void *priv, uint8_t *data, int count)
{
// Simulate short reads
- count = std::min(count, fdp->ConsumeIntegralInRange(1, 4 * count));
-
- return fdp->ConsumeData(data, count);
+ return fdp->ConsumeData(data, wobbly_read_write_count(count));
}
// Read over complete input buffer to detect buffer overflows
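Review bot: The new guard in wobbly_read_write_count only covers the large-count side; a non-positive count still reaches `ConsumeIntegralInRange(1, 4 * count)`, where min exceeds max and FuzzedDataProvider, as far as I recall, aborts the process rather than returning, so the helper would turn a zero-length read/write into a fuzzer crash that is not a bug in the parser. Extending the pass-through to `if (count <= 0 || count > (1024 * 1024)) {` keeps the overflow fix and makes the helper total over its input. The helper also has no comment and an undocumented magic threshold; a header such as `// Simulate short reads/writes: pick a length in [1, 4*count] capped at count. Counts above 1 MiB are passed through unchanged so that 4 * count cannot overflow int (fuzzing inputs never get that large).` would explain both the probability skew and the cutoff. Since the function is only used within this translation unit, declaring it `static` (or in an anonymous namespace) would also avoid exporting a new symbol; parser_write's body continues outside the second hunk.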
@@ -77,7 +84,7 @@ void read_all(const T *ptr)
int parser_write(void *priv, uint8_t *data, int count)
{
// Simulate short writes
- count = std::min(count, fdp->ConsumeIntegralInRange(1, 4 * count));
+ count = wobbly_read_write_count(count);
read_all(data, count);