diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
index ea8d17cd1..bb75a0f41 100644
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
@@ -56,7 +56,7 @@ jobs:
 - name: Build & Fuzz
 run: |
-bazelisk run ${{env.BUILD_BUDDY_CONFIG}} --java_runtime_version=remotejdk_${{ matrix.jdk }} ${{ matrix.bazel_args }} ${{ matrix.extra_bazel_args }} //selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation:ArgumentsMutatorFuzzTest --jvmopt=-Xmx10000m -- -runs=1000000
+bazelisk run ${{env.BUILD_BUDDY_CONFIG}} --java_runtime_version=remotejdk_${{ matrix.jdk }} ${{ matrix.bazel_args }} ${{ matrix.extra_bazel_args }} //selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation:ArgumentsMutatorFuzzTest -- -runs=1000000
 # Notification job that runs after all matrix jobs complete
 notification:
diff --git a/selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation/BUILD.bazel b/selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation/BUILD.bazel
index 23f44e0b3..208dbca40 100644
--- a/selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation/BUILD.bazel
+++ b/selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation/BUILD.bazel
@@ -9,6 +9,9 @@ java_fuzz_target_test(
 "ImmutableBean.java",
 ],
 data = ["//selffuzz/src/test/resources:ArgumentsMutatorFuzzTest-corpus"],
+env = {
+"_JAVA_OPTIONS": "-Xmx1024m",
+},
 fuzzer_args = [
 # Make sure that the fuzzer can run. Longer fuzzing runs will be done in a separate GH action.
 "-runs=10000",
diff --git a/src/main/java/com/code_intelligence/jazzer/mutation/mutator/proto/BuilderMutatorFactory.java b/src/main/java/com/code_intelligence/jazzer/mutation/mutator/proto/BuilderMutatorFactory.java
index e1d4bae75..60fda5c9c 100644
--- a/src/main/java/com/code_intelligence/jazzer/mutation/mutator/proto/BuilderMutatorFactory.java
+++ b/src/main/java/com/code_intelligence/jazzer/mutation/mutator/proto/BuilderMutatorFactory.java
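Review bot: With `--jvmopt=-Xmx10000m` dropped from the `bazelisk run` line, the heap of the fuzzing JVM in this workflow is governed only by the `_JAVA_OPTIONS` entry added in the BUILD.bazel hunk, and I am not certain that a test rule's `env` attribute is honored under `bazel run` (as opposed to `bazel test`) on the Bazel version this repository pins. If it is not, the long run falls back to the JVM default heap, which is sized from the runner's physical memory, and the 1 GiB cap that makes allocation blow-ups fail fast would not be in effect in CI. Either pass the cap explicitly alongside the removal, `--jvmopt=-Xmx1024m`, or record where it is meant to come from in the step, e.g. `# Heap is capped via _JAVA_OPTIONS in the target's BUILD.bazel`, so the coupling between the two files is visible.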
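Review bot: `_JAVA_OPTIONS` is consulted by every JVM launched with this environment, including any child JVM the fuzz target starts, and it is applied after the command line, so it silently overrides an `-Xmx` passed via `--jvmopt`; the JVM also reports it on stderr as `Picked up _JAVA_OPTIONS: -Xmx1024m`, which will appear in fuzzer logs. If `java_fuzz_target_test` forwards `jvm_flags` to the underlying binary, that would scope the cap to this one target without those side effects. In either case a short comment on the entry would help the next reader, e.g. `# Cap the heap so that runaway allocations while decoding the corpus fail fast instead of exhausting the runner.`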
@@ -57,6 +57,7 @@ import com.code_intelligence.jazzer.mutation.mutator.lang.LangMutators;
 import com.code_intelligence.jazzer.mutation.support.Preconditions;
 import com.google.protobuf.Any;
+import com.google.protobuf.CodedInputStream;
 import com.google.protobuf.Descriptors.Descriptor;
 import com.google.protobuf.Descriptors.EnumDescriptor;
 import com.google.protobuf.Descriptors.EnumValueDescriptor;
@@ -86,6 +87,11 @@ import java.util.stream.Stream;
 public final class BuilderMutatorFactory implements MutatorFactory {
+
+// Generous size limit for decoded protobuf messages. This is necessary to guard against OOM
+// errors when the corpus format changes e.g. due to a change in the fuzz test signature.
+private static final int MAX_MESSAGE_SIZE = 32 * 1024 * 1024; // 32 MiB
+
 private InPlaceMutator mutatorForField(
 AnnotatedType initialType,
 FieldDescriptor field,
@@ -273,9 +279,11 @@ public B readExclusive(InputStream in) throws IOException {
 }
 private Builder parseLeniently(InputStream in) throws IOException {
+CodedInputStream cis = CodedInputStream.newInstance(in);
+cis.setSizeLimit(MAX_MESSAGE_SIZE);
 Builder builder = defaultInstance.toBuilder();
 try {
-builder.mergeFrom(in);
+builder.mergeFrom(cis);
 } catch (InvalidProtocolBufferException ignored) {
 // builder has been partially modified with what could be decoded before the parser error.
 }
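Review bot: In `parseLeniently`, the `InvalidProtocolBufferException` that `CodedInputStream` raises once `MAX_MESSAGE_SIZE` is exceeded is the same type the existing `catch (InvalidProtocolBufferException ignored)` swallows, so an oversized input is silently truncated to whatever was merged before the limit rather than being reported; that fits the lenient contract, but nothing in the method says so and the comment on the catch only mentions parser errors. I would extend that comment, e.g. `// Also thrown once MAX_MESSAGE_SIZE is exceeded; the oversized input is then truncated, not rejected.` Note also that switching from `mergeFrom(InputStream)` to `mergeFrom(CodedInputStream)` drops the trailing `checkLastTagWas(0)` that, if I read protobuf-java's `AbstractMessageLite.Builder` right, the stream overload performs after merging; it is harmless here only because that check's exception would have been ignored too, which is worth a word in the comment. `parseLeniently` continues past the end of this hunk.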