Merge pull request #1251 from m-holger/fuzz

Mark intentional unsigned integer wrapping in MD5_native::transform and adjust fuzzer memory limits
2024-12-22 02:49:00 +00:00 · 2024-07-23 00:22:31 +01:00 · 2024-07-23 00:22:31 +01:00 · fa9df75bd4
commit fa9df75bd4
parent b3ab5cd216 4f694cdfde
2 changed files with 7 additions and 2 deletions
--- a/fuzz/qpdf_fuzzer.cc
+++ b/fuzz/qpdf_fuzzer.cc
@ -181,8 +181,8 @@ FuzzHelper::doChecks()
    // occur legitimately and therefore must be allowed during normal operations.
    Pl_DCT::setMemoryLimit(1'000'000'000);

-    Pl_PNGFilter::setMemoryLimit(1'000'000'000);
-    Pl_TIFFPredictor::setMemoryLimit(1'000'000'000);
+    Pl_PNGFilter::setMemoryLimit(1'000'000);
+    Pl_TIFFPredictor::setMemoryLimit(1'000'000);

    // Do not decompress corrupt data. This may cause extended runtime within jpeglib without
    // exercising additional code paths in qpdf, and potentially causing counterproductive timeouts.
--- a/libqpdf/MD5_native.cc
+++ b/libqpdf/MD5_native.cc
@ -193,7 +193,12 @@ MD5_native::digest(Digest result)
 }

 // MD5 basic transformation. Transforms state based on block.
+//
+// NB The algorithm intentionally relies on unsigned integer wrap-around
 void MD5_native::transform(uint32_t state[4], unsigned char block[64])
+#if defined(__clang__)
+__attribute__((no_sanitize("unsigned-integer-overflow")))
+#endif
 {
    uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16];