| author | David Benjamin <davidben@google.com> | 2017-11-28 14:49:53 -0500 |
|---|---|---|
| committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | 2017-11-28 21:48:00 +0000 |
| commit | fc9c67599d9bdeb2e0467085133b81a8e28f77a4 (patch) | |
| tree | 88dffceffe5bbffc563648a3ed9ab514094eec6a /fuzz/bn_mod_exp.cc | |
| parent | a7673facf85f01f1e880b74c3f9e35563c2a44fd (diff) | |
| download | boringssl-fc9c67599d9bdeb2e0467085133b81a8e28f77a4.zip boringssl-fc9c67599d9bdeb2e0467085133b81a8e28f77a4.tar.gz boringssl-fc9c67599d9bdeb2e0467085133b81a8e28f77a4.tar.bz2 | |
Bound the input to the bn_mod_exp fuzzer.
This is not a speedy operation, so the fuzzers need a bit of help to
avoid timeouts.
Bug: chromium:786049
Change-Id: Ib56281b63eb6c895057f21254f0cc7c5c2d85ee4
Reviewed-on: https://boringssl-review.googlesource.com/23484
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Diffstat (limited to 'fuzz/bn_mod_exp.cc')
-rw-r--r-- | fuzz/bn_mod_exp.cc | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/fuzz/bn_mod_exp.cc b/fuzz/bn_mod_exp.cc index bcc5097..46e3c88 100644 --- a/fuzz/bn_mod_exp.cc +++ b/fuzz/bn_mod_exp.cc @@ -70,6 +70,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { CBS_len(&child2) == 0) { return 0; } + + // Don't fuzz inputs larger than 512 bytes (4096 bits). This isn't ideal, but + // the naive |mod_exp| above is somewhat slow, so this otherwise causes the + // fuzzers to spend a lot of time exploring timeouts. + if (CBS_len(&child0) > 512 || + CBS_len(&child1) > 512 || + CBS_len(&child2) > 512) { + return 0; + } + bssl::UniquePtr<BIGNUM> base( BN_bin2bn(CBS_data(&child0), CBS_len(&child0), nullptr)); BN_set_negative(base.get(), sign % 2); |
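Review bot: the literal 512 appears three times in the new `if` and once more in the comment ("512 bytes (4096 bits)"); hoisting it into a named constant such as `static const size_t kMaxInputLen = 512;` and writing `CBS_len(&child0) > kMaxInputLen` keeps the comment and the three checks from drifting apart if the bound is tuned later. It is also worth stating in the comment that oversized inputs are rejected outright (`return 0`) rather than truncated, so the fuzzer intentionally gives up coverage of base, exponent and modulus values above 4096 bits in exchange for avoiding the timeouts the commit message describes.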