Fix two issues to make fuzzing test quit earlier (#3471)

lum1n0us · web-flow · commit d29802c451a3 · 2024-05-30T14:55:21.000+08:00
- Add a marco to limit the maxi allocable memory size of fuzz test to
  2GB to avoid libFuzzer out-of-memory
- Check global type in load_global_import and load_global_section
diff --git a/core/config.h b/core/config.h
@@ -663,4 +663,17 @@
 #define WASM_MEM_ALLOC_WITH_USAGE 0
 #endif
 
+#ifndef WASM_ENABLE_FUZZ_TEST
+#define WASM_ENABLE_FUZZ_TEST 0
+#endif
+
+#ifndef WASM_MEM_ALLOC_MAX_SIZE
+#if WASM_ENABLE_FUZZ_TEST != 0
+/* In oss-fuzz, the maximum RAM is ~2.5G */
+#define WASM_MEM_ALLOC_MAX_SIZE (2U * 1024 * 1024 * 1024)
+#else
+#define WASM_MEM_ALLOC_MAX_SIZE UINT32_MAX
+#endif
+#endif
+
 #endif /* end of _CONFIG_H_ */
diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
@@ -379,7 +379,8 @@ loader_malloc(uint64 size, char *error_buf, uint32 error_buf_size)
 {
     void *mem;
 
-    if (size >= UINT32_MAX || !(mem = wasm_runtime_malloc((uint32)size))) {
+    if (size >= WASM_MEM_ALLOC_MAX_SIZE
+        || !(mem = wasm_runtime_malloc((uint32)size))) {
         set_error_buf(error_buf, error_buf_size, "allocate memory failed");
         return NULL;
     }
@@ -3052,7 +3053,12 @@ load_global_import(const uint8 **p_buf, const uint8 *buf_end,
 
 #if WASM_ENABLE_GC == 0
     CHECK_BUF(p, p_end, 2);
+    /* global type */
     declare_type = read_uint8(p);
+    if (!is_value_type(declare_type)) {
+        set_error_buf(error_buf, error_buf_size, "type mismatch");
+        return false;
+    }
     declare_mutable = read_uint8(p);
 #else
     if (!resolve_value_type(&p, p_end, parent_module, parent_module->type_count,
@@ -4034,7 +4040,12 @@ load_global_section(const uint8 *buf, const uint8 *buf_end, WASMModule *module,
         for (i = 0; i < global_count; i++, global++) {
 #if WASM_ENABLE_GC == 0
             CHECK_BUF(p, p_end, 2);
+            /* global type */
             global->type.val_type = read_uint8(p);
+            if (!is_value_type(global->type.val_type)) {
+                set_error_buf(error_buf, error_buf_size, "type mismatch");
+                return false;
+            }
             mutable = read_uint8(p);
 #else
             if (!resolve_value_type(&p, p_end, module, module->type_count,
diff --git a/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt
@@ -113,7 +113,7 @@ message([ceith]:REPO_ROOT_DIR, ${REPO_ROOT_DIR})
 set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
 set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
 
-add_definitions(-DWAMR_USE_MEM_POOL=0)
+add_definitions(-DWAMR_USE_MEM_POOL=0 -DWASM_ENABLE_FUZZ_TEST=1)
 
 # Enable fuzzer
 add_compile_options(-fsanitize=fuzzer)
diff --git a/tests/fuzz/wasm-mutator-fuzz/workspace/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/workspace/CMakeLists.txt
@@ -113,7 +113,7 @@ message([ceith]:REPO_ROOT_DIR, ${REPO_ROOT_DIR})
 set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
 set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
 
-add_definitions(-DWAMR_USE_MEM_POOL=0)
+add_definitions(-DWAMR_USE_MEM_POOL=0 -DWASM_ENABLE_FUZZ_TEST=1)
 
 # Enable fuzzer
 add_compile_options(-fsanitize=fuzzer)
