fuzzing: Add input length limits on g_string_replace() test

Limit the input size. With a short @find, and a long `init` and `replace` it’s quite possible to hit OOM. We’re not interested in testing that — it’s up to the caller of `g_string_replace()` to handle that. 1KB on each of the inputs should be plenty to find any string parsing or pointer arithmetic bugs in `g_string_replace()`. Signed-off-by: Philip Withnall <pwithnall@gnome.org> oss-fuzz#371233785
2025-01-11 23:16:14 +01:00 · 2024-10-05 23:01:58 +01:00 · 2024-10-05 23:01:58 +01:00 · 276889ac85
commit 276889ac85
parent 74e37a483f
1 changed files with 14 additions and 0 deletions
--- a/fuzzing/fuzz_string.c
+++ b/fuzzing/fuzz_string.c
@ -40,6 +40,20 @@ LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
  find = (n_args > 1) ? args[1] : "";
  replace = (n_args > 2) ? args[2] : "";

+  /* Limit the input size. With a short @find, and a long @init and @replace
+   * it’s quite possible to hit OOM. We’re not interested in testing that — it’s
+   * up to the caller of g_string_replace() to handle that. 1KB on each of the
+   * inputs should be plenty to find any string parsing or pointer arithmetic
+   * bugs in g_string_replace(). */
+  if (strlen (init) > 1000 ||
+      strlen (find) > 1000 ||
+      strlen (replace) > 1000)
+    {
+      g_strfreev (args);
+      g_free (nul_terminated_data);
+      return 0;
+    }
+
  /* Test g_string_replace() and see if it crashes. */
  string = g_string_new (init);
  g_string_replace (string, find, replace, 0);