From 9086988ffa8da62c25c764a146a84603629734aa Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Wed, 16 Dec 2020 15:41:52 +0100
Subject: [PATCH] Enforce maximum length of fuzz input
Remove the libfuzzer max_len option which doesn't apply to other fuzzing engines. Enforce the maximum length directly in the fuzz targets. For the xml target, lower the maximum when expanding entities to avoid timeout and OOM errors.
---
 fuzz/html.options | 1 -
 fuzz/regexp.c | 3 +++
 fuzz/regexp.options | 1 -
 fuzz/schema.c | 3 +++
 fuzz/schema.options | 1 -
 fuzz/uri.c | 3 +++
 fuzz/uri.options | 1 -
 fuzz/xml.c | 11 ++++++++---
 fuzz/xml.options | 1 -
 fuzz/xpath.c | 3 +++
 fuzz/xpath.options | 1 -
 11 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/fuzz/html.options b/fuzz/html.options
index a32c583e..e5d3bbee 100644
--- a/fuzz/html.options
+++ b/fuzz/html.options
@@ -1,3 +1,2 @@
 [libfuzzer]
-max_len = 1000000
 timeout = 20
diff --git a/fuzz/regexp.c b/fuzz/regexp.c
index 3b35671b..cfffedd9 100644
--- a/fuzz/regexp.c
+++ b/fuzz/regexp.c
@@ -21,6 +21,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
 char *str[2] = { NULL, NULL };
 size_t numStrings;
+ if (size > 200)
+ return(0);
+
 numStrings = xmlFuzzExtractStrings(data, size, str, 2);
 /* CUR_SCHAR doesn't handle invalid UTF-8 and may cause infinite loops. */
diff --git a/fuzz/regexp.options b/fuzz/regexp.options
index 09b9e6f0..ea2a7a23 100644
--- a/fuzz/regexp.options
+++ b/fuzz/regexp.options
@@ -1,3 +1,2 @@
 [libfuzzer]
-max_len = 200
 timeout = 5
diff --git a/fuzz/schema.c b/fuzz/schema.c
index f1ee9380..7b034eca 100644
--- a/fuzz/schema.c
+++ b/fuzz/schema.c
@@ -21,6 +21,9 @@ int LLVMFuzzerTestOneInput(const char *data, size_t size) {
 xmlSchemaParserCtxtPtr pctxt;
+ if (size > 50000)
+ return(0);
+
 xmlFuzzDataInit(data, size);
 xmlFuzzReadEntities();
diff --git a/fuzz/schema.options b/fuzz/schema.options
index 195ec544..e5d3bbee 100644
--- a/fuzz/schema.options
+++ b/fuzz/schema.options
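Review bot: The bound in `if (size > 200)` is a bare literal that silently takes over from the `max_len = 200` this same commit deletes from regexp.options, so nothing at the check site records where the number comes from or that it must stay in step with the corpus; the uri.c (10000) and xpath.c (10000) hunks have the same pattern. A one-line comment above the check, e.g. `/* Replaces the max_len formerly set in regexp.options. */`, or a named constant at file scope, would keep that history visible. The early return itself is fine here because nothing has been initialised before it in the hunk. LLVMFuzzerTestOneInput continues outside the hunk.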
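Review bot: The new `if (size > 50000)` bound is lower than the `max_len = 80000` removed from schema.options in the same commit, yet neither the code nor the commit message says the schema limit was reduced — the message only describes lowering the limit for the xml target. Any input between 50001 and 80000 bytes that was previously exercised now returns before xmlFuzzDataInit() is called. If the reduction is intentional, state it next to the check, e.g. `/* Lowered from the former max_len of 80000 in schema.options. */`, so a later reader does not take it for a transcription error. LLVMFuzzerTestOneInput continues outside the hunk.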
@@ -1,3 +1,2 @@
 [libfuzzer]
-max_len = 80000
 timeout = 20
diff --git a/fuzz/uri.c b/fuzz/uri.c
index 69d0439f..5e4c099c 100644
--- a/fuzz/uri.c
+++ b/fuzz/uri.c
@@ -13,6 +13,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
 char *str[2] = { NULL, NULL };
 size_t numStrings;
+ if (size > 10000)
+ return(0);
+
 numStrings = xmlFuzzExtractStrings(data, size, str, 2);
 uri = xmlParseURI(str[0]);
diff --git a/fuzz/uri.options b/fuzz/uri.options
index 8c45a722..ea2a7a23 100644
--- a/fuzz/uri.options
+++ b/fuzz/uri.options
@@ -1,3 +1,2 @@
 [libfuzzer]
-max_len = 10000
 timeout = 5
diff --git a/fuzz/xml.c b/fuzz/xml.c
index 09867cf7..97b40b87 100644
--- a/fuzz/xml.c
+++ b/fuzz/xml.c
@@ -29,13 +29,18 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
 xmlTextReaderPtr reader;
 xmlChar *out;
 const char *docBuffer, *docUrl;
- size_t docSize, consumed, chunkSize;
+ size_t maxSize, docSize, consumed, chunkSize;
 int opts, outSize;
 xmlFuzzDataInit(data, size);
 opts = xmlFuzzReadInt();
- /* XML_PARSE_HUGE still causes timeouts. */
- opts &= ~XML_PARSE_HUGE;
+
+ /* Lower maximum size when processing entities for now. */
+ maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;
+ if (size > maxSize) {
+ xmlFuzzDataCleanup();
+ return(0);
+ }
 xmlFuzzReadEntities();
 docBuffer = xmlFuzzMainEntity(&docSize);
diff --git a/fuzz/xml.options b/fuzz/xml.options
index 195ec544..e5d3bbee 100644
--- a/fuzz/xml.options
+++ b/fuzz/xml.options
@@ -1,3 +1,2 @@
 [libfuzzer]
-max_len = 80000
 timeout = 20
diff --git a/fuzz/xpath.c b/fuzz/xpath.c
index 767acb98..4cb29f67 100644
--- a/fuzz/xpath.c
+++ b/fuzz/xpath.c
@@ -23,6 +23,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
 const char *expr, *xml;
 size_t exprSize, xmlSize;
+ if (size > 10000)
+ return(0);
+
 xmlFuzzDataInit(data, size);
 expr = xmlFuzzReadString(&exprSize);
diff --git a/fuzz/xpath.options b/fuzz/xpath.options
index 02d5e976..e5d3bbee 100644
--- a/fuzz/xpath.options
+++ b/fuzz/xpath.options
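Review bot: Dropping `opts &= ~XML_PARSE_HUGE;` means XML_PARSE_HUGE is now honoured whenever the fuzzer-supplied opts word sets it, and the old comment recording that HUGE "still causes timeouts" disappears with no replacement and no mention in the commit message. If the new size cap is what is meant to make HUGE tolerable, the new comment should say so rather than only explaining the entity case, e.g. `/* Inputs are capped below, so XML_PARSE_HUGE is no longer masked. */`; if the unmasking is accidental, the mask should stay. Note also that the non-entity limit of 500000 is above the `max_len = 80000` removed from xml.options, while the message only talks about lowering the limit. On style, `maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;` is correct only because `&` binds tighter than `?:`; writing `(opts & XML_PARSE_NOENT)` makes that explicit. LLVMFuzzerTestOneInput starts before and continues after the hunk.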
@@ -1,3 +1,2 @@
 [libfuzzer]
-max_len = 10000
 timeout = 20