Fix two issues to make fuzzing test quit earlier (#3471)

- Add a marco to limit the maxi allocable memory size of fuzz test to 2GB to avoid libFuzzer out-of-memory - Check global type in load_global_import and load_global_section
2025-02-06 06:55:07 +00:00 · 2024-05-30 14:55:21 +08:00 · 2024-05-30 14:55:21 +08:00 · d29802c451
commit d29802c451
parent a2a8b32456
4 changed files with 27 additions and 3 deletions
--- a/core/config.h
+++ b/core/config.h
@ -663,4 +663,17 @@
 #define WASM_MEM_ALLOC_WITH_USAGE 0
 #endif

+#ifndef WASM_ENABLE_FUZZ_TEST
+#define WASM_ENABLE_FUZZ_TEST 0
+#endif
+
+#ifndef WASM_MEM_ALLOC_MAX_SIZE
+#if WASM_ENABLE_FUZZ_TEST != 0
+/* In oss-fuzz, the maximum RAM is ~2.5G */
+#define WASM_MEM_ALLOC_MAX_SIZE (2U * 1024 * 1024 * 1024)
+#else
+#define WASM_MEM_ALLOC_MAX_SIZE UINT32_MAX
+#endif
+#endif
+
 #endif /* end of _CONFIG_H_ */
--- a/core/iwasm/interpreter/wasm_loader.c
+++ b/core/iwasm/interpreter/wasm_loader.c
@ -379,7 +379,8 @@ loader_malloc(uint64 size, char *error_buf, uint32 error_buf_size)
 {
    void *mem;

-    if (size >= UINT32_MAX || !(mem = wasm_runtime_malloc((uint32)size))) {
+    if (size >= WASM_MEM_ALLOC_MAX_SIZE
+        || !(mem = wasm_runtime_malloc((uint32)size))) {
        set_error_buf(error_buf, error_buf_size, "allocate memory failed");
        return NULL;
    }
@ -3052,7 +3053,12 @@ load_global_import(const uint8 **p_buf, const uint8 *buf_end,

 #if WASM_ENABLE_GC == 0
    CHECK_BUF(p, p_end, 2);
+    /* global type */
    declare_type = read_uint8(p);
+    if (!is_value_type(declare_type)) {
+        set_error_buf(error_buf, error_buf_size, "type mismatch");
+        return false;
+    }
    declare_mutable = read_uint8(p);
 #else
    if (!resolve_value_type(&p, p_end, parent_module, parent_module->type_count,
@ -4034,7 +4040,12 @@ load_global_section(const uint8 *buf, const uint8 *buf_end, WASMModule *module,
        for (i = 0; i < global_count; i++, global++) {
 #if WASM_ENABLE_GC == 0
            CHECK_BUF(p, p_end, 2);
+            /* global type */
            global->type.val_type = read_uint8(p);
+            if (!is_value_type(global->type.val_type)) {
+                set_error_buf(error_buf, error_buf_size, "type mismatch");
+                return false;
+            }
            mutable = read_uint8(p);
 #else
            if (!resolve_value_type(&p, p_end, module, module->type_count,
--- a/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt
+++ b/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt
@ -113,7 +113,7 @@ message([ceith]:REPO_ROOT_DIR, ${REPO_ROOT_DIR})
 set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
 set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")

-add_definitions(-DWAMR_USE_MEM_POOL=0)
+add_definitions(-DWAMR_USE_MEM_POOL=0 -DWASM_ENABLE_FUZZ_TEST=1)

 # Enable fuzzer
 add_compile_options(-fsanitize=fuzzer)
--- a/tests/fuzz/wasm-mutator-fuzz/workspace/CMakeLists.txt
+++ b/tests/fuzz/wasm-mutator-fuzz/workspace/CMakeLists.txt
@ -113,7 +113,7 @@ message([ceith]:REPO_ROOT_DIR, ${REPO_ROOT_DIR})
 set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
 set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")

-add_definitions(-DWAMR_USE_MEM_POOL=0)
+add_definitions(-DWAMR_USE_MEM_POOL=0 -DWASM_ENABLE_FUZZ_TEST=1)

 # Enable fuzzer
 add_compile_options(-fsanitize=fuzzer)