OSS-Fuzz: Bail out immediately on decomp failure

Don't keep trying to decompress the same image if tj3Decompress*() has
already thrown an error.  Otherwise, if the image has an excessive
number of scans, then each iteration of the loop will try to decompress
up to the scan limit, which may cause the overall test to time out even
if one iteration doesn't time out.
DRC
2023-02-07 13:13:24 -06:00
parent 4e028ecd63
commit 2a5a3c6f0a
2 changed files with 8 additions and 4 deletions


@@ -109,14 +109,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
when using MemorySanitizer. */
for (i = 0; i < w * h * tjPixelSize[pf]; i++)
sum += ((unsigned char *)dstBuf)[i];
}
} else
goto bailout;
} else if (precision == 12) {
if (tj3Decompress12(handle, data, size, (short *)dstBuf, 0, pf) == 0) {
/* Touch all of the output pixels in order to catch uninitialized reads
when using MemorySanitizer. */
for (i = 0; i < w * h * tjPixelSize[pf]; i++)
sum += ((short *)dstBuf)[i];
}
} else
goto bailout;
} else {
if (tj3Decompress16(handle, data, size, (unsigned short *)dstBuf, 0,
pf) == 0) {
@@ -124,7 +126,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
when using MemorySanitizer. */
for (i = 0; i < w * h * tjPixelSize[pf]; i++)
sum += ((unsigned short *)dstBuf)[i];
}
} else
goto bailout;
}
free(dstBuf);
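Review bot: Each new `else goto bailout;` jumps past the `free(dstBuf)` at the end of this hunk, so the buffer is released on the failure path only if the `bailout` label, which lies outside the hunk, frees it. That is worth confirming, because a leak there would make a leak-checking fuzzer build report every rejected image as a finding and bury real ones. The same applies to the single new branch in the second file's hunk, where the `dstBuf = NULL` after the free suggests, but does not show, that the label handles it. A short comment on the branch would record the intent, e.g. `/* Decompression failed; stop retrying this image so an excessive scan count cannot add up to a timeout. */`. Bracing the `else` arm to match the braced `if` would also make the early exit harder to misread.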


@@ -100,7 +100,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
when using MemorySanitizer. */
for (i = 0; i < w * h * tjPixelSize[pf]; i++)
sum += dstBuf[i];
}
} else
goto bailout;
free(dstBuf);
dstBuf = NULL;