Commit 0ed6c38

syoyo and catenacyber authored

Catenacyber iofix (tinyobjloader#304)

* Prevent integer overflow in tryParseDouble
* Add regression test data to be run by fuzz target
* Add simple regression test runner.

Co-authored-by: Philippe Antoine <[email protected]>
1 parent 15bc268 commit 0ed6c38

5 files changed

+21
-0
lines changed

fuzzer/README.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -45,3 +45,7 @@ cf libfuzzer.info for all options
4545
```
4646
$ ./fuzz_ParseFromString -rss_limit_mb=2000
4747
```
48+
49+
## Regression tests
50+
51+
See `regression_runner/`
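
Review bot: The new "Regression tests" section only points at `regression_runner/` and never says where the regression inputs live. The runner's README passes files from `../regressions/`, so name that directory here as well and say in one sentence what the files in it are, so a reader landing on this README knows where to add a new case.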

fuzzer/regression_runner/Makefile

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
all:
2+
clang++ -fsanitize=address,undefined ../../loader_example.cc
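
Review bot: The `clang++ -fsanitize=address,undefined` line builds with UBSan in its default recovering mode, so a reintroduced signed overflow would print a runtime error and the program would still exit 0. For a regression runner, add `-fno-sanitize-recover=undefined` so the finding becomes a non-zero exit status, and `-g` so the report carries file and line. Smaller points: declare `.PHONY: all`, and consider an explicit `-o` name instead of relying on `a.out`.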

fuzzer/regression_runner/README.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
# Run fuzzer regression tests
2+
3+
Currently we only support Linux + clang.
4+
5+
## How to run
6+
7+
```
8+
$ make
9+
$ ./a.out ../regressions/<regression_file>
10+
```
11+
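
Review bot: The "How to run" steps execute one file at a time with `./a.out ../regressions/<regression_file>` and never say what counts as a pass or a failure. State that any AddressSanitizer or UndefinedBehaviorSanitizer report is a failure, and add a `make` target or a short shell loop over everything in `../regressions/` so the whole set can be run in one step, for example from CI.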
16 Bytes
Binary file not shown.

tiny_obj_loader.h

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -941,6 +941,10 @@ static bool tryParseDouble(const char *s, const char *s_end, double *result) {
941941
read = 0;
942942
end_not_reached = (curr != s_end);
943943
while (end_not_reached && IS_DIGIT(*curr)) {
944+
if (exponent > std::numeric_limits<int>::max()/10) {
945+
// Integer overflow
946+
goto fail;
947+
}
944948
exponent *= 10;
945949
exponent += static_cast<int>(*curr - 0x30);
946950
curr++;
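
Review bot: The guard `exponent > std::numeric_limits<int>::max()/10` still lets the boundary value through. With a 32-bit `int`, `exponent == 214748364` passes the check, `exponent *= 10` gives 2147483640, and a following digit of 8 or 9 makes `exponent += static_cast<int>(*curr - 0x30)` exceed `INT_MAX`. Compute the digit first and test `exponent > (std::numeric_limits<int>::max() - digit) / 10`, or reject at a much smaller bound, since no `double` exponent needs that many digits. Also confirm that `<limits>` is included in this header, and add a regression input that ends in the boundary digits so the runner covers this case.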
