[Cast channel fuzzer] Add size check in the fuzzer code.

-max_len=N doesn't guarantee that libfuzzer won't ever try feeding a larger input into the target. So a check is added to the code to enforce the size limit. Bug: 828359 Change-Id: I2aa1404e618350896636de42a0ecc426946c8401 Reviewed-on: https://chromium-review.googlesource.com/996403 Commit-Queue: Derek Cheng <imcheng@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Cr-Commit-Position: refs/heads/master@{#548174}

[Cast channel fuzzer] Add size check in the fuzzer code.
-max_len=N doesn't guarantee that libfuzzer won't ever try feeding a larger input into the target. So a check is added to the code to enforce the size limit. Bug: 828359 Change-Id: I2aa1404e618350896636de42a0ecc426946c8401 Reviewed-on: https://chromium-review.googlesource.com/996403 Commit-Queue: Derek Cheng <imcheng@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Cr-Commit-Position: refs/heads/master@{#548174}
261c6064 · Derek Cheng · Commit Bot · c5cf88e6 · 261c6064
Commit 261c6064 authored Apr 04, 2018 by Derek Cheng Committed by Commit Bot Apr 04, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

components/cast_channel/cast_message_fuzzer.cc components/cast_channel/cast_message_fuzzer.cc +3 -0

No files found.
--- a/components/cast_channel/cast_message_fuzzer.cc
+++ b/components/cast_channel/cast_message_fuzzer.cc
@@ -20,6 +20,9 @@ google::protobuf::LogSilencer log_silencer;
 namespace cast_channel {

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size > MessageFramer::MessageHeader::max_message_size())
+    return 0;
+
  scoped_refptr<net::GrowableIOBuffer> buffer =
      base::MakeRefCounted<net::GrowableIOBuffer>();
  buffer->SetCapacity(MessageFramer::MessageHeader::max_message_size());