Limit the size of images being fuzzed in XFACodecFuzzers

This limits the size detected in the header to 1,000,000 pixels, which
will support 1000 x 1000 images. This is being done to remove
non-useful OOM reports for very large images and improve fuzzing
efficiency, since larger images are unlikely to cover new logic.

BUG=pdfium:925

Change-Id: I4a7fa7cf02cbb469048b752d45bc9f64a1b60a98
Reviewed-on: https://pdfium-review.googlesource.com/17010
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
diff --git a/testing/libfuzzer/xfa_codec_fuzzer.h b/testing/libfuzzer/xfa_codec_fuzzer.h
index a590596..e91ea20 100644
--- a/testing/libfuzzer/xfa_codec_fuzzer.h
+++ b/testing/libfuzzer/xfa_codec_fuzzer.h
@@ -17,6 +17,10 @@
 #include "testing/fx_string_testhelpers.h"
 #include "third_party/base/ptr_util.h"
 
+// Arbitrarily picked to support up to 1000x1000 images. This is far below where
+// OOM issues are occuring.
+const int kXFACodecFuzzerPixelLimit = 1000000;
+
 class XFACodecFuzzer {
  public:
   static int Fuzz(const uint8_t* data, size_t size, FXCODEC_IMAGE_TYPE type) {
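Review bot: The comment above the added constant misspells "occurring" as "occuring". Since the limit is a compile-time integer living in a header, `constexpr int kXFACodecFuzzerPixelLimit = 1000000;` states the intent more directly than `const int`, and the comment could name what the number is compared against, e.g. `// Upper bound on width * height (in pixels) accepted from the image header.`. The rest of `Fuzz` is outside this hunk.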
@@ -33,14 +37,18 @@
     if (status != FXCODEC_STATUS_FRAME_READY)
       return 0;
 
+    // Skipping very large images, since they will take a long time and may lead
+    // to OOM.
+    if (decoder->GetWidth() * decoder->GetHeight() > kXFACodecFuzzerPixelLimit)
+      return 0;
+
     auto bitmap = pdfium::MakeRetain<CFX_DIBitmap>();
     bitmap->Create(decoder->GetWidth(), decoder->GetHeight(), FXDIB_Argb);
 
     int32_t frames;
     if (decoder->GetFrames(&frames) != FXCODEC_STATUS_DECODE_READY ||
-        frames == 0) {
+        frames == 0)
       return 0;
-    }
 
     status = decoder->StartDecode(bitmap, 0, 0, bitmap->GetWidth(),
                                   bitmap->GetHeight());
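Review bot: The new pixel guard multiplies `decoder->GetWidth()` by `decoder->GetHeight()` before comparing against an `int` limit; if those accessors return `int` (their declarations are outside the hunk), header-supplied dimensions near INT_MAX overflow, which is undefined behaviour, and a wrapped product can come out small or negative and slip past the very check meant to reject the image. Widen before multiplying, `if (static_cast<int64_t>(decoder->GetWidth()) * decoder->GetHeight() > kXFACodecFuzzerPixelLimit)`, or bound each dimension separately. Zero or negative dimensions also pass the guard as written, and whether `Create` on the next line rejects them is not visible here. The enclosing `Fuzz` starts in the previous hunk and continues past the end of this one.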