better blocking of large input images in the fuzzer

things like 65494x5 pixel PNGs were being allowed through and caused timeouts
libvips · Aug 9, 2019 · d81efda · d81efda
1 parent 765a416
commit d81efda
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 55 deletions.
diff --git a/fuzz/jpegsave_buffer_fuzzer.cc b/fuzz/jpegsave_buffer_fuzzer.cc
@@ -12,19 +12,16 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 {
 	VipsImage *image;
 	void *buf;
-	size_t len, width, height, bands;
+	size_t len;
 
-	if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) ) {
+	if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) ) 
 		return( 0 );
-	}
-
-	width = image->Xsize;
-	height = image->Ysize;
-	bands = image->Bands;
 
-	/* Skip big images. It is likely to timeout.
+	/* Skip big images. They are likely to timeout.
 	 */
-	if ( width * height * bands > 256 * 256 * 16 ) {
+	if( image->Xsize > 1024 ||
+		image->Ysize > 1024 ||
+		image->Bands > 10 ) {
 		g_object_unref( image );
 		return( 0 );
 	}

diff --git a/fuzz/pngsave_buffer_fuzzer.cc b/fuzz/pngsave_buffer_fuzzer.cc
@@ -12,19 +12,16 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 {
 	VipsImage *image;
 	void *buf;
-	size_t len, width, height, bands;
+	size_t len;
 
-	if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) ) {
+	if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) ) 
 		return( 0 );
-	}
-
-	width = image->Xsize;
-	height = image->Ysize;
-	bands = image->Bands;
 
-	/* Skip big images. It is likely to timeout.
+	/* Skip big images. They are likely to timeout.
 	 */
-	if ( width * height * bands > 256 * 256 * 16 ) {
+	if( image->Xsize > 1024 ||
+		image->Ysize > 1024 ||
+		image->Bands > 10 ) {
 		g_object_unref( image );
 		return( 0 );
 	}

diff --git a/fuzz/sharpen_fuzzer.cc b/fuzz/sharpen_fuzzer.cc
@@ -10,34 +10,30 @@ LLVMFuzzerInitialize( int *argc, char ***argv )
 extern "C" int
 LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 {
-	VipsImage *in, *out;
-	size_t width, height, bands;
+	VipsImage *image, *out;
 	double d;
 
-	if( !(in = vips_image_new_from_buffer( data, size, "", NULL )) ) {
+	if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) ) 
 		return( 0 );
-	}
-
-	width = in->Xsize;
-	height = in->Ysize;
-	bands = in->Bands;
 
-	/* Skip big images. It is likely to timeout.
+	/* Skip big images. They are likely to timeout.
 	 */
-	if ( width * height * bands > 256 * 256 * 16 ) {
-		g_object_unref( in );
+	if( image->Xsize > 1024 ||
+		image->Ysize > 1024 ||
+		image->Bands > 10 ) {
+		g_object_unref( image );
 		return( 0 );
 	}
 
-	if( vips_sharpen( in, &out, NULL ) ) {
-		g_object_unref( in );
+	if( vips_sharpen( image, &out, NULL ) ) {
+		g_object_unref( image );
 		return( 0 );
 	}
 
 	vips_avg( out, &d, NULL );
 
 	g_object_unref( out );
-	g_object_unref( in );
+	g_object_unref( image );
 
 	return( 0 );
 }
diff --git a/fuzz/thumbnail_fuzzer.cc b/fuzz/thumbnail_fuzzer.cc
@@ -10,34 +10,30 @@ LLVMFuzzerInitialize( int *argc, char ***argv )
 extern "C" int
 LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 {
-	VipsImage *in, *out;
-	size_t width, height, bands;
+	VipsImage *image, *out;
 	double d;
 
-	if( !(in = vips_image_new_from_buffer( data, size, "", NULL )) ) {
+	if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) ) 
 		return( 0 );
-	}
-
-	width = in->Xsize;
-	height = in->Ysize;
-	bands = in->Bands;
 
-	/* Skip big images. It is likely to timeout.
+	/* Skip big images. They are likely to timeout.
 	 */
-	if ( width * height * bands > 256 * 256 * 16 ) {
-		g_object_unref( in );
+	if( image->Xsize > 1024 ||
+		image->Ysize > 1024 ||
+		image->Bands > 10 ) {
+		g_object_unref( image );
 		return( 0 );
 	}
 
-	if( vips_thumbnail_image( in, &out, 42, NULL ) ) {
-		g_object_unref( in );
+	if( vips_thumbnail_image( image, &out, 42, NULL ) ) {
+		g_object_unref( image );
 		return( 0 );
 	}
 
 	vips_avg( out, &d, NULL );
 
 	g_object_unref( out );
-	g_object_unref( in );
+	g_object_unref( image );
 
 	return( 0 );
 }
diff --git a/fuzz/webpsave_buffer_fuzzer.cc b/fuzz/webpsave_buffer_fuzzer.cc
@@ -12,19 +12,16 @@ LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
 {
 	VipsImage *image;
 	void *buf;
-	size_t len, width, height, bands;
+	size_t len;
 
-	if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) ) {
+	if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) ) 
 		return( 0 );
-	}
-
-	width = image->Xsize;
-	height = image->Ysize;
-	bands = image->Bands;
 
-	/* Skip big images. It is likely to timeout.
+	/* Skip big images. They are likely to timeout.
 	 */
-	if ( width * height * bands > 256 * 256 * 16 ) {
+	if( image->Xsize > 1024 ||
+		image->Ysize > 1024 ||
+		image->Bands > 10 ) {
 		g_object_unref( image );
 		return( 0 );
 	}