From 356f2b947670b7eb33a1f535c71bc5c87a60b0d1 Mon Sep 17 00:00:00 2001
From: Thomas Orgis
Date: Mon, 16 Sep 2019 16:06:25 +0200
Subject: [PATCH] mpg123: limit fuzzer runtime (#2832)

* mpg123: limit runtime of decode_fuzzer
To avoid spurious timeout reports, the test shall end after 10000 MPEG frames or 1 MiB of data, which should both be reasonable numbers. The timeout report motivating this had 500K with 140k bad frames. The limit of 10000 frames corresponds to a normal radio song as MP3 stream.
* mpg123: limit runtime of read_fuzzer
This applies the same logic as the decode fuzzer: stop decoding after 10000 MPEG frames or 1 MiB of input data. We could debate a bigger limit on the data size, but we do want compact testcases, right?
---
 projects/mpg123/decode_fuzzer.cc | 4 +++-
 projects/mpg123/read_fuzzer.c | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/projects/mpg123/decode_fuzzer.cc b/projects/mpg123/decode_fuzzer.cc
index 9dafb20f3..4fe4b2e63 100644
--- a/projects/mpg123/decode_fuzzer.cc
+++ b/projects/mpg123/decode_fuzzer.cc
@@ -36,7 +36,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 FuzzedDataProvider provider(data, size);
 while ((decode_ret != MPG123_ERR)) {
 if (decode_ret == MPG123_NEED_MORE) {
- if (provider.remaining_bytes() == 0) {
+ if (provider.remaining_bytes() == 0
+ || mpg123_tellframe(handle) > 10000
+ || mpg123_tell_stream(handle) > 1<<20) {
 break;
 }
 const size_t next_size = provider.ConsumeIntegralInRange(
diff --git a/projects/mpg123/read_fuzzer.c b/projects/mpg123/read_fuzzer.c
index 75e9275c0..9126dd646 100644
--- a/projects/mpg123/read_fuzzer.c
+++ b/projects/mpg123/read_fuzzer.c
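Review bot: The two new cut-offs in the added `||` branches, `10000` and `1<<20`, are bare magic numbers whose rationale (roughly one radio song of frames, 1 MiB of input) exists only in the commit message, so a reader of this loop cannot tell why these values end the test. Suggest hoisting them into named constants above LLVMFuzzerTestOneInput with a comment, e.g. `// Bound fuzzer runtime (#2832): stop after ~one song's worth of frames or 1 MiB of input.` / `static const off_t kMaxFrames = 10000;` / `static const off_t kMaxStreamBytes = 1 << 20;` (off_t matching what mpg123_tellframe/mpg123_tell_stream return), and writing the shift as `(1 << 20)` so the condition does not read like a precedence trap even though shift binds tighter than `>`. The same two literals recur in the read_fuzzer.c hunk and would benefit from the same treatment. LLVMFuzzerTestOneInput continues outside the hunk on both sides.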
@@ -75,7 +75,8 @@ int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 do {
 size_t decoded_size;
 read_error = mpg123_read(handle, outmemory, outmemorysize, &decoded_size);
- } while (read_error == MPG123_OK);
+ } while (read_error == MPG123_OK && mpg123_tellframe(handle) <= 10000
+ && mpg123_tell_stream(handle) <= 1<<20);
 }
 
 mpg123_close(handle);
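Review bot: When either new cap in the `while` condition fires, the loop exits with `read_error` still `MPG123_OK`, so any code after the loop cannot distinguish a deliberately truncated run from a stream that decoded to its natural end; the function continues outside the hunk on both sides, so I cannot see whether `read_error` is inspected afterwards. A one-line comment on the condition would make the early exit intentional for the next reader, e.g. `/* Bound fuzzer runtime: stop after 10000 frames or 1 MiB of input (see #2832). */`. If the post-loop code does look at `read_error`, consider recording the cap as a separate flag rather than letting it look like a clean exit.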