From 276889ac85995a4388d1a609221ef150252e8b1c Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Sat, 5 Oct 2024 23:01:58 +0100 Subject: [PATCH] fuzzing: Add input length limits on g_string_replace() test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Limit the input size. With a short @find, and a long `init` and `replace` it’s quite possible to hit OOM. We’re not interested in testing that — it’s up to the caller of `g_string_replace()` to handle that. 1KB on each of the inputs should be plenty to find any string parsing or pointer arithmetic bugs in `g_string_replace()`. Signed-off-by: Philip Withnall oss-fuzz#371233785 --- fuzzing/fuzz_string.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/fuzzing/fuzz_string.c b/fuzzing/fuzz_string.c index 46f04b2ab..f47ab4e92 100644 --- a/fuzzing/fuzz_string.c +++ b/fuzzing/fuzz_string.c @@ -40,6 +40,20 @@ LLVMFuzzerTestOneInput (const unsigned char *data, size_t size) find = (n_args > 1) ? args[1] : ""; replace = (n_args > 2) ? args[2] : ""; + /* Limit the input size. With a short @find, and a long @init and @replace + * it’s quite possible to hit OOM. We’re not interested in testing that — it’s + * up to the caller of g_string_replace() to handle that. 1KB on each of the + * inputs should be plenty to find any string parsing or pointer arithmetic + * bugs in g_string_replace(). */ + if (strlen (init) > 1000 || + strlen (find) > 1000 || + strlen (replace) > 1000) + { + g_strfreev (args); + g_free (nul_terminated_data); + return 0; + } + /* Test g_string_replace() and see if it crashes. */ string = g_string_new (init); g_string_replace (string, find, replace, 0);
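Review bot: the limit is hard-coded as the magic number 1000 in all three `strlen` comparisons while the comment above it says "1KB", so the two already disagree (1000 vs 1024) and a future change to one is likely to miss the others; suggest hoisting it into a single named constant, e.g. `#define MAX_INPUT_LEN 1000`, use `strlen (init) > MAX_INPUT_LEN` in each condition, and have the comment refer to the constant rather than to "1KB". Two smaller checks on the same hunk: the early-return path frees only `args` and `nul_terminated_data`, which matches what the visible context shows allocated before this point, so anything else the harness allocates ahead of this block in the unshown lines would need freeing here too; and `strlen` needs `<string.h>`, so confirm the harness already includes it rather than relying on it transitively through the GLib headers.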