Fix OOM in string escape fuzzer

base::EscapeJSONString appends to the given output string. Since the fuzzer used a global string, it eventually runs out of memory. BUG=None TEST=Fuzzer runs for a long time without OOM. OOM error should eventually vanish here: https://clusterfuzz.com/v2/testcases?fuzzer=libFuzzer_base_json_string_escape_fuzzer&open=yes&project=chromium Change-Id: Idb75cb00b437e6e42aa69d847b58f69040b4bde9 Reviewed-on: https://chromium-review.googlesource.com/1125078 Commit-Queue: Abhishek Arya <inferno@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Reviewed-by: Abhishek Arya <inferno@chromium.org> Cr-Commit-Position: refs/heads/master@{#573314}

Fix OOM in string escape fuzzer
base::EscapeJSONString appends to the given output string. Since the fuzzer used a global string, it eventually runs out of memory. BUG=None TEST=Fuzzer runs for a long time without OOM. OOM error should eventually vanish here: https://clusterfuzz.com/v2/testcases?fuzzer=libFuzzer_base_json_string_escape_fuzzer&open=yes&project=chromium Change-Id: Idb75cb00b437e6e42aa69d847b58f69040b4bde9 Reviewed-on: https://chromium-review.googlesource.com/1125078 Commit-Queue: Abhishek Arya <inferno@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Reviewed-by: Abhishek Arya <inferno@chromium.org> Cr-Commit-Position: refs/heads/master@{#573314}
c1b21fe6 · Lutz Justen · Commit Bot · b8f92fd5 · c1b21fe6 · c1b21fe6
Commit c1b21fe6 authored Jul 09, 2018 by Lutz Justen Committed by Commit Bot Jul 09, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

base/json/json_reader_fuzzer.cc base/json/json_reader_fuzzer.cc +3 -3

base/json/string_escape_fuzzer.cc base/json/string_escape_fuzzer.cc +2 -2

No files found.
--- a/base/json/json_reader_fuzzer.cc
+++ b/base/json/json_reader_fuzzer.cc
@@ -5,9 +5,6 @@
 #include "base/json/json_reader.h"
 #include "base/values.h"

-int error_code, error_line, error_column;
-std::string error_message;
-
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (size < 2)
@@ -21,6 +18,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  base::StringPiece input_string(input.get(), size - 1);

  const int options = data[size - 1];
+
+  int error_code, error_line, error_column;
+  std::string error_message;
  base::JSONReader::ReadAndReturnError(input_string, options, &error_code,
                                       &error_message, &error_line,
                                       &error_column);

--- a/base/json/string_escape_fuzzer.cc
+++ b/base/json/string_escape_fuzzer.cc
@@ -6,8 +6,6 @@

 #include <memory>

-std::string escaped_string;
-
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (size < 2)
@@ -22,6 +20,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  memcpy(input.get(), data, actual_size_char8);

  base::StringPiece input_string(input.get(), actual_size_char8);
+  std::string escaped_string;
  base::EscapeJSONString(input_string, put_in_quotes, &escaped_string);

  // Test for wide-strings if available size is even.
@@ -31,6 +30,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  size_t actual_size_char16 = actual_size_char8 / 2;
  base::StringPiece16 input_string16(
      reinterpret_cast<base::char16*>(input.get()), actual_size_char16);
+  escaped_string.clear();
  base::EscapeJSONString(input_string16, put_in_quotes, &escaped_string);

  return 0;