Commit 267e6b0c authored by Clemens Hammacher, committed by Commit Bot

[wasm][fuzzer] Enforce input size limit

The "max_len" argument for fuzzer targets is deprecated. We need to
enforce the limit internally.

R=ahaas@chromium.org

Bug: chromium:894939
Change-Id: I2206bc63d5e39f1aa189e11042a6a0bbcca31b0d
Reviewed-on: https://chromium-review.googlesource.com/c/1299020
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56998}
parent 9fa085e5
......@@ -251,6 +251,11 @@ void GenerateTestCase(Isolate* isolate, ModuleWireBytes wire_bytes,
int WasmExecutionFuzzer::FuzzWasmModule(Vector<const uint8_t> data,
bool require_valid) {
// Strictly enforce the input size limit. Note that setting "max_len" on the
// fuzzer target is not enough, since different fuzzers are used and not all
// respect that limit.
if (data.size() > max_input_size()) return 0;
v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
v8::Isolate* isolate = support->GetIsolate();
i::Isolate* i_isolate = reinterpret_cast<Isolate*>(isolate);
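Review bot: the early return `if (data.size() > max_input_size()) return 0;` documents why the limit is enforced here, but not what the return value means; since 0 is also the return value for a normally processed input, a reader (or a fuzzer driver collecting coverage) cannot tell an ignored oversized input from a handled one. Consider extending the comment with one sentence stating that oversized inputs are deliberately dropped without being parsed, e.g. "Inputs above the limit are ignored; 0 is returned so the fuzzer treats them as uninteresting rather than as a crash." The placement before `FuzzerSupport::Get()` is good, as no isolate work is done for rejected inputs, and `>` correctly keeps inputs of exactly `max_input_size()` bytes.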
......@@ -34,6 +34,8 @@ class WasmExecutionFuzzer {
virtual ~WasmExecutionFuzzer() = default;
int FuzzWasmModule(Vector<const uint8_t> data, bool require_valid = false);
virtual size_t max_input_size() const { return 512; }
protected:
virtual bool GenerateModule(
Isolate* isolate, Zone* zone, Vector<const uint8_t> data,
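Review bot: the new public virtual `virtual size_t max_input_size() const { return 512; }` lacks a comment saying what the number is and who is expected to override it; a one-line comment such as "Maximum input size in bytes accepted by FuzzWasmModule; larger inputs are rejected. Subclasses may override." would make the contract explicit and tie it to the check in `FuzzWasmModule`. Also consider naming the unit in the identifier or comment, since 512 with no unit reads as ambiguous in a header.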