testing/libfuzzer/fuzzers/libpng_read_fuzzer.cc - Issue 1809383002: [libfuzzer] Prevent division by zero in libpng_read_fuzzer.

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: testing/libfuzzer/fuzzers/libpng_read_fuzzer.cc

Issue 1809383002: [libfuzzer] Prevent division by zero in libpng_read_fuzzer. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 4 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <stddef.h>	5 #include <stddef.h>

6 #include <stdint.h>	6 #include <stdint.h>

7	7

8 #include <vector>	8 #include <vector>

9	9

10 #include "base/bind.h"	10 #include "base/bind.h"

(...skipping 74 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
85 int bit_depth, color_type, interlace_type, compression_type;	85 int bit_depth, color_type, interlace_type, compression_type;

86 int filter_type;	86 int filter_type;

87	87

88 if (!png_get_IHDR(png_ptr, info_ptr, &width, &height,	88 if (!png_get_IHDR(png_ptr, info_ptr, &width, &height,

89 &bit_depth, &color_type, &interlace_type,	89 &bit_depth, &color_type, &interlace_type,

90 &compression_type, &filter_type)) {	90 &compression_type, &filter_type)) {

91 return 0;	91 return 0;

92 }	92 }

93	93

94 // This is going to be too slow.	94 // This is going to be too slow.

95 if (height > 100000000 / width)	95 if (width && height > 100000000 / width)
	aizatsky 2016/03/18 17:18:18 Is this written to prevent overflow? width * heigh Is this written to prevent overflow? width * height > ... would look much nicer. mmoroz 2016/03/21 09:07:37 Yes, this is for overflow prevention (from here: h Show quoted text On 2016/03/18 17:18:18, aizatsky wrote: > Is this written to prevent overflow? width * height > ... would look much nicer. Yes, this is for overflow prevention (from here: https://codereview.chromium.org/1808123004/). I can replace it with cast to uint64_t, if you think it would be better.
96 return 0;	96 return 0;

97	97

98 int passes = png_set_interlace_handling(png_ptr);	98 int passes = png_set_interlace_handling(png_ptr);

99 png_start_read_image(png_ptr);	99 png_start_read_image(png_ptr);

100	100

101 for (int pass = 0; pass < passes; ++pass) {	101 for (int pass = 0; pass < passes; ++pass) {

102 for (png_uint_32 y = 0; y < height; ++y) {	102 for (png_uint_32 y = 0; y < height; ++y) {

103 png_read_row(png_ptr, static_cast<png_bytep>(row), NULL);	103 png_read_row(png_ptr, static_cast<png_bytep>(row), NULL);

104 }	104 }

105 }	105 }

106	106

107 return 0;	107 return 0;

108 }	108 }

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »