From 914198fd288329cfb67290076286e32296496be0 Mon Sep 17 00:00:00 2001
From: Andrew Gallant
Date: Mon, 9 Oct 2023 14:02:40 -0400
Subject: [PATCH] regex: reject large patterns when fuzzing

Otherwise we risk timeouts.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61484
---
 fuzz/fuzz_targets/fuzz_regex_match.rs | 10 ++++++++--
 ...minimized-fuzz_regex_match-6659953212129280 | Bin 0 -> 399135 bytes
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 fuzz/regressions/clusterfuzz-testcase-minimized-fuzz_regex_match-6659953212129280

diff --git a/fuzz/fuzz_targets/fuzz_regex_match.rs b/fuzz/fuzz_targets/fuzz_regex_match.rs
index 6c375510d..a5dda53d6 100644
--- a/fuzz/fuzz_targets/fuzz_regex_match.rs
+++ b/fuzz/fuzz_targets/fuzz_regex_match.rs
@@ -54,6 +54,9 @@ re.is_match({haystack:?});
 fuzz_target!(|case: FuzzCase| -> Corpus {
 let _ = env_logger::try_init();
+ if case.pattern.len() > (16 * (1 << 10)) {
+ return Corpus::Reject;
+ }
 if case.haystack.len() > (16 * (1 << 10)) {
 return Corpus::Reject;
 }
@@ -65,8 +68,11 @@ fuzz_target!(|case: FuzzCase| -> Corpus {
 .ignore_whitespace(case.ignore_whitespace)
 .unicode(case.unicode)
 .octal(case.octal)
- .size_limit(1<<18)
- .build() else { return Corpus::Reject };
+ .size_limit(1 << 18)
+ .build()
+ else {
+ return Corpus::Reject;
+ };
 re.is_match(case.haystack);
 Corpus::Keep
 });
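Review bot: The new pattern guard at the top of the `fuzz_target!` closure repeats the haystack guard's literal `16 * (1 << 10)` and has no comment saying why a length cap is needed in addition to `.size_limit(1 << 18)` in the second hunk. I would name the bound once, `const MAX_INPUT_LEN: usize = 16 * (1 << 10);`, use it in both checks, and put `// size_limit bounds the compiled regex only; a very large pattern can still time out first (oss-fuzz 61484)` above the pattern check; the wording of that comment is inferred from the commit message and should be confirmed. The added regression input is 399135 bytes, so if its decoded pattern is over 16 KiB the harness now only reaches `Corpus::Reject` for it, and because the change is confined to `fuzz/` the library's own behaviour on very large patterns stays unexercised by this target. The closure body continues past the end of this hunk.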
diff --git a/fuzz/regressions/clusterfuzz-testcase-minimized-fuzz_regex_match-6659953212129280 b/fuzz/regressions/clusterfuzz-testcase-minimized-fuzz_regex_match-6659953212129280 new file mode 100644 index 0000000000000000000000000000000000000000..b8cdc138a42791040d908484abc77478ca1defec GIT binary patch literal 399135 zcmeI*Ps^tFS;q1ENi$g5B8ZEMB5fgc^ogStUDTkYbnCKEg)o>bvXDv^QlW)OX|OM3 z-hiv_Y)jsX@1WqU+yrmtAV(g)lRV~{oWJ|;H<)ss(<|royFS0;d|H?$-rPL7;s5=3 z{|gWKi+Sv3x7*$Q3+{Q;$L{Le-2?DX%fC-kyPk>bQaetP$K_n*x@q`+OfeSJS)ANH|Qq!45i z2vaEECcZwbTPacqvI)dJq`)S=K5XntkwTD7AWWfroA~;$Zly>e$R-f?kOG_d`mnJp zMG8SSfiQ*gZQ|?0x|Je@Ae%tkLkeu->%+#b6e$GR1i}=`w~4P0>sE>sf@}hD4=J#T zuMZo$Qlt=M69`i%-zL63tXnBk2(k&pJ*2=UzCLX1N|8d4O(0C6e4F_Cux_PDA;=~W z_mBdc`1-K1D@6)HHi0mO@@?Yl!@89sg&>;@s2O54rd|bq^`fyEnw35M&()Q+V+| zcuMJ)mcj)C#oADQUFYDjvx>~JCYEl zaAar?>au+Jic+6e$D|1OjQ@LkfV&%@G6wXh#yl6pjq-L7i5L6oLo>fwb-+1;FIy2m%4L zBMD&&M~3#GPAf$UK?H$7TKA9wU~+Q=fdJZ(gfN98LwiuCl_G^8fmE`7Om2=K5I{SU5T5D26_#vVR<`oV8*j`3n&`hoyL;m?U9g18bC zIO1jW)viP-Qd~R;Q+V+o+za+gOK~Mx@AsbI)w_oj=xv!!PzbUPgeg419~J$0&sGXo z0u<*C;vP}}7wqy20s*um31JFHhW4OND@6)H1c5+W_mBc$a&rWM0NRm+Foh#Sdr+s9 zB84D=Kp?GqNC7apIf6g{?MOnH!jYjpsMAW3LJ&b9kk&n<0GQkyK_Gy3Bq2=U$j~0t zX{AUZh#(M1>mE`7Om2=K5I{SU5T5D27o4=Dg9H%AZ%pdCpFQ#dlT z2X$I0QV1dl1k#?^9zJ{e^IzWk_p2IYT%#Zt19D=!=pH^7aKSES!TKTh->G{@fx@M@ zpRW)5SSfS^#peNG3e6J`1rY=SXh#y_9#UY1a%Ya*nbRtO;(U3T!t?!-UWuPjiWGvJ zK8Slrfz!XUp77`kcJu?3;>E(V!DIx4+cGk=2X$I0QV1dl1k$>P6abT(BM1c0jwFOB z92we!I;|8b1Q7%RY28B#fXU4f1OjMB62cUY4DCUkR*DpY2m*n$?jZ%h(97s;r4U3A2%sHFh_RS*cE9Z3jNI5M;cby_J>2qFjs(z=Hf0F#>|2n5iMB!np(8QOz7 ztrRH)5d;Eh-9rk1$;}Z20%%7P!W51S?LnPZiWGtf0)e#dAqBwX<_H1-v?B>&3P*ADQUFYDjvx>~JCYEl zaAar?>au+Jic+6e$D|1OjQ@LkfV&%@G6wXh#yl6pjq-L7i5L6oLo>fwb-+1;FIy2m%4L zBMD&&M~3#GPAf$UK?H$7TKA9wU~+Q=fdJZ(gfN98LwiuCl_G^8ffJ*M z^tMbVC|4=J!hxid%Z z%xM)salX7v;rV_^uf$I%MG8SqAH+SR!0F#vPw0Y`BE|WFFooy)CA|_qp%mwy&VIG{@f!@6#28AH&K$yad|G`sAzqAxC7$^=8;vP}}SK_(~0s*um31JFHhW4OND@6)H 
z1c5+W_mBc$a&rWM0NRm+Foh#Sdr+s9B84D=Kp?GqNC7apIf6g{?MOnH!jYjpsMAW3 zLJ&b9kk&n<0GQkyK_Gy3Bq2=U$j~0tX{AUZh#(M1>mE`7Om2=K5I{SU5T5D27o4=Dg9H%AZ%pdCpFQ#dlT2X$I0QV1dl1k$>P6abT(BM1c0jwFOB92we! zI;|8b1Q7%RY28B#fXU4f1OjMB62cUY4DCUkR*DpY2m*n$7r2N0&O?U&0v!*@ca%Hx zr4>MNzE|%aQs82)wjXl7>Aap#U<$pn-hB!|1c3nBk%YL16j-6$nIm_0TGJkUI^YF< z>1X^uu^IVNB906_t)Q&r^Ghp$!XRw|aSti5iLVbEyHcbOWD^KeDBmW&KCD|QQV6mM z#66_ICcZvw>`IYBkWC;=p?sV8`mk=LNFm535ciM*oA~;$u`5LiK{kOfh4O9U>%+R0 zB84EEK-@zLY~t&~#;z181la__6w0@WuMg{1iWGuu0&x#1u!*k^8@p1Z5M&bwQz+ji zzCNs5DN+cs3B*05z$U&vZ0t&rLXb@$Ord<6`1-JJrAQ&jCJ^_K0-N~yu(2ye3PCo3 zFop7M;_Jh@l_G^8n?T${3T)!*!^W-@DFoRB!W7E4iLVdqR*DpYYyxo)DX@vJ4;#Bu zq!45i2vaEECcZwbTPacqvI)dJq`)S=K5XntkwTD7AWY$P@_pko{uwrV%IgF{hVHh4 z+|`&$hA)pfw>YK-@zLtWfSuLtKg!g2aI-)Wx7c0IdmG z0pcD~V1;sL8sbu<5F`#vp)Ljm0%%Rh3J~{@0xOg|(-4;;g&=WY3Ux6k5I}1}R)DyN z6j-6$nTEI&DFlfFQ>cqUfdE<)vI4|Cq`(U0&NRfONFhiZm_l6)3Ix!akQE^AAq7?_ zccvjOMG8UUz!d6YP#}QTgscE@4=J!hxibxMDN+a$2c}RLg8~7xCS(POdq{y5%AIM5 zOOZm5I535}7!(MgH6bfN+(QbiQ0`1aT#6Ke#DOW)#h^d{tqEBH;vQ09g>q*a;!>m# zBo0iWE(QexXidlp5ciM*E0jCa5SJo_AaP&{bulOqKx;x)fVhVgSfSjRhPV_d1c?Jv zsEa{?09q5W0>nL}zzXHgG{mJyAxIpULR}0B1kjq06(H^*1y(3`rXemx3PIw)6zXD7 zAb{3{tN?KjDX>DhGYxSmQV0?Urcf7y0s*upWCe(ONP!i~ooR?mkwTC-Fon7p6bPU- zAuB-KLkg@=?o2~miWGvxfhp9*pg;hv30VQ+9#UY1a%URiQlt5so2dvf!69@`(p$L=r=--5h%Z1)j8BrkXDknip``qEOQ5ailG z+(QanTLSvME`KRf91?^nJmkCk*}k+ChfhFX?Jbnz@VDR|Qs9V}(O0_?r8xXb^wo#F z1*Y(j?>@>0`_c-a@am5U;vQ1qh?mhxqrtk!RRP^ILTPa)#P@Fr6dq@FXu*)w91kjEogee>u+Jic+6e$D|1OjQ@ zLkfV&%@G6wXh#yl6pjq-L7i5L6oLo>fwb-+1;FIy2m%4LBMD&&M~3#GPAf$UK?H$7 zTKA9wU~+Q=fdJZ(gfN98LwnE*n3iw3fDbw3CzvVqxjrAQ%&AP`9F9#Q~IZjK-jKs%BUrf_6v z59+j1q!2_92&8onDF7xnM-T|09Z3jNI5M;cby_J>2qFjs(z=Hf0F#>|2n5iMB!np( z8QOz7trRH)5d;Eh-9rk1$;}Z20%%7P!W51S?Lm(+?I>@*K*yt8o-b{DQwXvN#66_I zCcZvw>`IYBkWC;=p?sV8`mk=LNFm535ciM*oA~;@s2O54rd|bq^`fyEnw35M&()Q+V+|cuMJ)mcj)C#oADQUFYDjvx>~JCYElaAar?>au+Jic+6e$D|1OjQ@LkfV& z%@G6wXh#yl6pjq-L7i5L6oLo>fwb-+1;FIy2m%4LBMD&&M~3#GPAf$UK?H$7TKA9w 
zU~+Q=fdJZ(gfN98LwnG3nf8s(_-Fg0krog#66_ICcZv=zp{^20EKP=VG4CIC=ftvLRNsdhZI<$ z+?j^B6e$FW15>DrL4g2T6S4xtJ*2=2<<2z3rAQ%29GF5~3yaVb&=5(lPG7lQ%;v?gQ)hA)pfw>YK-@zLtWfSuLtKg!g2aI-)Wx7c0IdmG0pcD~V1;sL8sbu<5F`#v zp)Ljm0%%Rh3J~{@0xOg|(-4;;g&=WY3Ux6k5I}1}R)DyN6j-6$nTEI&DFlfFQ>cqU zfdE<)vI4|Cq`(U0&NRfONFhiZm_l6)3Ix!akQE^AAq7?_ccvjOMG8UUz!d6YP#}QT zgscE@4=J!hxibxMDN+a$2c}RLg8~7xCS(POdq{y5%AIM5OOZm5I535}7!(MgH6bfN z+(QbiQ0`1aT#6Ke#DOW)#h^d{tqEBH;vQ09g>q*a;!>m#Bo0iWE(QexXidlp5ciM* zE0jCa5SJo_AaP&{bulOqKx;x)fVhVgSfSjRhPV_d1c?JvsEa{?09q5W0>nL}zzXHg zG{mJyAxIpULR}0B1kjq06(H^*1y(3`rXemx3PIw)6zXD7Ab{3{tN?KjDX>DhGYxSm zQV0?Urcf7y0s*upWCe(ONP!i~ooR?mkzxbLv!@^Y>fy(?^~!HQ{P20b|J7gLeEh3- ziVcH1^v++-WA2{Ze4fYl2l25xjKjAe?;YEHL=VZ!9XsT^yN$lI6e$F`HW2ra0@s#+ zey_`4iWG+gVG0lV?tZo}Eydvz&{um4r8xX8xQ7%t;$`&Ju0$ygzY=}*A#Z^xJmkBN z^1;5e0w}!tBZ9bx6gc8#^wq9JDNmE`7Om2=K5I{SU5T z5D27o4=Dg9H%AZ%pdCpFQ#dlT2X$I0QV1dl1k$>P6abT(BM1c0jwFOB92we!I;|8b z1Q7%RY28B#fXU4f1OjMB62cUY4DCUkR*DpY2m*n$?jZ%hqxjrAQ%&AP`9F9#Q~IZjK-jKs%BUrf_6v z59+j1q!2_92&8onDF7xnM-T|09Z3jNI5M;cby_J>2qFjs(z=Hf0F#>|2n5iMB!np( z8QOz7trRH)5d;Eh-9rk1$;}Z20%%7P!W51S?LnPZiWGtf0)e#dAqBwX<_H1-v?fFl z2%t3~fDl~JM(8}It{lbh#(L^YeE2mRv$qifYyYZCdfZe{DDtP>y3j& z5J4b-)`SQG0kkGW5D1_(A%Z{vtqBnX0%%Q$AP_)nLIi;TS`%`rApe7d?OQJkCV~h8 z0kkGW5D1_(AukWId;EvH-R|o@-2L(HOZ#H~$M@d*(HoC{^soQ)#>4;Tf8Mx%sq!x` zFYnDK0W(MjDFPQ`U=%lCfz?%#j;@i%{b^VY-NpM2$OyMOzK#}D?u3G?r}x4-nYCvUy}r*FQq`?Gg; z55N7|n~xsv-gxvo|MLCU9z6N(`?r6-|MSuJ-ul7Me)jmiJAeG{?)P@j+vmTP^LKx- z+r7T8zWk57-A{IpU;Xy(o6mp!lYiL{`K$e(kN)<%fBl`mdH=s}-@8kZdIiXfZ^5tl zQb8bq)`VOI$p7x}nfvyOT>URT`shDC`sf!A{H@1N1R(rHcroe=Ue?7-yYV;s&*eA! eU)$Z@zJ7aq`=9@{|Cjvn`t94dx9|Mm5B?9F4sLb; literal 0 HcmV?d00001