From 043cb0514311d7a037ff476d24accbf02d5ced03 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith [Google LLC]"
Date: Thu, 3 Nov 2022 11:44:18 -0700
Subject: [PATCH 1/3] Increase size limits in _xxtestfuzz.
Now that our int<->str conversions are size limited and we have the _pylong module handling larger integers, we don't need to limit everything just to avoid wasting time in the quadratic time DoS-like case while fuzzing. We can tweak these further after seeing how this goes.
---
 Modules/_xxtestfuzz/fuzzer.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/Modules/_xxtestfuzz/fuzzer.c b/Modules/_xxtestfuzz/fuzzer.c
index 366e81a54519a7..c9c53e9c6d3c1d 100644
--- a/Modules/_xxtestfuzz/fuzzer.c
+++ b/Modules/_xxtestfuzz/fuzzer.c
@@ -142,7 +142,7 @@ static int fuzz_struct_unpack(const char* data, size_t size) {
 }
-#define MAX_JSON_TEST_SIZE 0x10000
+#define MAX_JSON_TEST_SIZE 0x100000
 PyObject* json_loads_method = NULL;
 /* Called by LLVMFuzzerTestOneInput for initialization */
@@ -157,9 +157,7 @@ static int init_json_loads(void) {
 }
 /* Fuzz json.loads(x) */
 static int fuzz_json_loads(const char* data, size_t size) {
- /* Since python supports arbitrarily large ints in JSON, long inputs can lead to timeouts on boring inputs like `json.loads("9" * 100000)` */
+ /* long inputs could lead to timeouts on boring inputs */
 if (size > MAX_JSON_TEST_SIZE) {
 return 0;
 }
@@ -335,7 +333,7 @@ static int fuzz_sre_match(const char* data, size_t size) {
 return 0;
 }
-#define MAX_CSV_TEST_SIZE 0x10000
+#define MAX_CSV_TEST_SIZE 0x100000
 PyObject* csv_module = NULL;
 PyObject* csv_error = NULL;
 /* Called by LLVMFuzzerTestOneInput for initialization */
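Review bot: The size caps raised in the first and third hunks here (MAX_JSON_TEST_SIZE, MAX_CSV_TEST_SIZE) and MAX_AST_LITERAL_EVAL_TEST_SIZE in the next hunk are bumped in lockstep to the same 0x100000, yet they stay three unrelated #defines and nothing at the definition sites says why the larger value is now acceptable. The commit message ties the change to int<->str conversions being bounded, which is the actual guard against the quadratic case the old comment in fuzz_json_loads warned about, so the next person tuning one of these limits has no hint that they are coupled to config.int_max_str_digits in LLVMFuzzerInitialize. I'd add at the first define: `/* Input size caps keep the fuzzer from burning its time budget on quadratic corner cases; the decimal int<->str case is bounded separately by config.int_max_str_digits in LLVMFuzzerInitialize. */` and consider one shared constant that the three names alias, so they cannot silently drift apart.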
@@ -393,7 +391,7 @@ static int fuzz_csv_reader(const char* data, size_t size) {
 return 0;
 }
-#define MAX_AST_LITERAL_EVAL_TEST_SIZE 0x10000
+#define MAX_AST_LITERAL_EVAL_TEST_SIZE 0x100000
 PyObject* ast_literal_eval_method = NULL;
 /* Called by LLVMFuzzerTestOneInput for initialization */
 static int init_ast_literal_eval(void) {
@@ -459,6 +457,9 @@ int LLVMFuzzerInitialize(int *argc, char ***argv) {
 PyConfig config;
 PyConfig_InitPythonConfig(&config);
 config.install_signal_handlers = 0;
+ /* Raise the limit above the default allow exercising larger things * now that we fall back to the _pylong module for large values. */
+ config.int_max_str_digits = 8086;
 PyStatus status;
 status = PyConfig_SetBytesString(&config, &config.program_name, *argv[0]);
 if (PyStatus_Exception(status)) {
From 8dcc68979b4cc832c04f822f22454596f2a7c8af Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith [Google LLC]"
Date: Thu, 3 Nov 2022 12:27:29 -0700
Subject: [PATCH 2/3] restore original comment, no need to edit it
---
 Modules/_xxtestfuzz/fuzzer.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Modules/_xxtestfuzz/fuzzer.c b/Modules/_xxtestfuzz/fuzzer.c
index c9c53e9c6d3c1d..75b7616a973aa8 100644
--- a/Modules/_xxtestfuzz/fuzzer.c
+++ b/Modules/_xxtestfuzz/fuzzer.c
@@ -157,7 +157,9 @@ static int init_json_loads(void) {
 }
 /* Fuzz json.loads(x) */
 static int fuzz_json_loads(const char* data, size_t size) {
- /* long inputs could lead to timeouts on boring inputs */
+ /* Since python supports arbitrarily large ints in JSON, long inputs can lead to timeouts on boring inputs like `json.loads("9" * 100000)` */
 if (size > MAX_JSON_TEST_SIZE) {
 return 0;
 }
From c95a5d959db1080c662c7b6157f844130f944cb6 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith [Google LLC]"
Date: Thu, 3 Nov 2022 12:28:57 -0700
Subject: [PATCH 3/3] comment typo
---
 Modules/_xxtestfuzz/fuzzer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
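Review bot: `config.int_max_str_digits = 8086;` in the LLVMFuzzerInitialize hunk introduces a magic number whose only justification is "above the default", and the comment states neither the default it is being compared to nor why 8086 specifically, so a reader cannot tell whether a later change to the default would undermine the intent. The commit message gives the real rationale, reaching the _pylong path for large values while keeping the quadratic str<->int case bounded, and that belongs in the code: `/* Default is 4300 (sys.int_info.default_max_str_digits); 8086 is above it so the fuzzers reach the _pylong fallback for large values while the quadratic str<->int case stays bounded. */`. Since this limit presumably also governs integer literals parsed by the fuzzed json.loads and ast.literal_eval entry points, the larger MAX_*_TEST_SIZE values in this series would then mostly exercise non-integer content, which is worth stating next to those defines. LLVMFuzzerInitialize's body continues outside the hunk.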
diff --git a/Modules/_xxtestfuzz/fuzzer.c b/Modules/_xxtestfuzz/fuzzer.c
index 75b7616a973aa8..fb0c191d2c494d 100644
--- a/Modules/_xxtestfuzz/fuzzer.c
+++ b/Modules/_xxtestfuzz/fuzzer.c
@@ -459,7 +459,7 @@ int LLVMFuzzerInitialize(int *argc, char ***argv) {
 PyConfig config;
 PyConfig_InitPythonConfig(&config);
 config.install_signal_handlers = 0;
- /* Raise the limit above the default allow exercising larger things
+ /* Raise the limit above the default allows exercising larger things
 * now that we fall back to the _pylong module for large values. */
 config.int_max_str_digits = 8086;
 PyStatus status;
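Review bot: The corrected comment line still does not read as a sentence: "Raise the limit above the default allows exercising larger things" needs a subject, e.g. `/* Raising the limit above the default allows exercising larger values` with the following `* now that ...` line unchanged. "things" is also vaguer than needed for a setting that governs str<->int conversion sizes; "values" or "conversions" tells the reader what actually gets bigger. LLVMFuzzerInitialize's body continues outside the hunk.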