From 5e9a6f218484733df3b80e45e7d602fa7f01c764 Mon Sep 17 00:00:00 2001
From: Eugene Kliuchnikov
Date: Fri, 3 Dec 2021 13:32:00 +0300
Subject: [PATCH] Stop fuzzing once output size limit is reached (#6958)

As with most other compressors, brotli input could be a "bomb". Limiting output size defuses such inputs (to avoid timeouts).
---
 projects/brotli-java/FuzzDecode.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/projects/brotli-java/FuzzDecode.java b/projects/brotli-java/FuzzDecode.java
index ffd82cf10..cdcd5a7ce 100644
--- a/projects/brotli-java/FuzzDecode.java
+++ b/projects/brotli-java/FuzzDecode.java
@@ -22,7 +22,12 @@ import org.brotli.dec.BrotliInputStream;
 public class FuzzDecode {
 public static void fuzzerTestOneInput(FuzzedDataProvider data) {
 byte[] buffer = new byte[65536];
- ByteArrayInputStream input = new ByteArrayInputStream(data.consumeBytes(65536));
+ byte[] inputBytes = data.consumeBytes(65536);
+ // Brotli allows 0-bit prefix codes - thus even small input could produce large output.
+ long totalOutputCap = Math.min(4096L * inputBytes.length, 3L << 24);
+ totalOutputCap = Math.max(totalOutputCap, 1L << 20);
+ long totalOutput = 0;
+ ByteArrayInputStream input = new ByteArrayInputStream(inputBytes);
 try {
 BrotliInputStream brotliInput = new BrotliInputStream(input);
 while (true) {
@@ -30,6 +35,8 @@ public class FuzzDecode {
 if (len <= 0) {
 break;
 }
+ totalOutput += len;
+ if (totalOutput >= totalOutputCap) break;
 }
 } catch (IOException expected) {}
 }
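Review bot: The three limits in the new `totalOutputCap` lines are undocumented: the 4096 expansion factor, the `3L << 24` ceiling and the `1L << 20` floor read as magic numbers, and the comment above them only explains why an input-proportional cap is needed at all. Consider extending that comment to state the policy, e.g. `// Cap output at 4096x the input size, but never below 1 MiB nor above 48 MiB, so a decompression bomb cannot time out the fuzzer.` placed directly above the two `totalOutputCap` assignments. The body of `fuzzerTestOneInput` continues in the next hunk.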
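Review bot: The new cap check runs only after a whole `read` into the 64 KiB buffer has been added to `totalOutput`, so the loop can overshoot `totalOutputCap` by up to one read result (at most 65536 bytes) before it stops; that is adequate for defusing bombs but the cap should not be read as exact. As a matter of style, the unbraced `if (totalOutput >= totalOutputCap) break;` sits directly under the braced `if (len <= 0) { break; }`, so `if (totalOutput >= totalOutputCap) { break; }` would match the surrounding code. The `fuzzerTestOneInput` method begins in the previous hunk.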