fix: guard against malformed corpus entries in protobuf mutator

simonresch · simonresch · commit 8cb6d76a1dd6 · 2025-10-20T11:57:54.000+02:00
When decoding protobuf messages no size limit was enforced which could
lead to OOM failures for corpus entries that were produced by a
different mutator / arbitrary binary data.
diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
@@ -56,7 +56,7 @@ jobs:
 
       - name: Build & Fuzz
         run: |
-          bazelisk run ${{env.BUILD_BUDDY_CONFIG}} --java_runtime_version=remotejdk_${{ matrix.jdk }} ${{ matrix.bazel_args }} ${{ matrix.extra_bazel_args }} //selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation:ArgumentsMutatorFuzzTest --jvmopt=-Xmx10000m -- -runs=1000000
+          bazelisk run ${{env.BUILD_BUDDY_CONFIG}} --java_runtime_version=remotejdk_${{ matrix.jdk }} ${{ matrix.bazel_args }} ${{ matrix.extra_bazel_args }} //selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation:ArgumentsMutatorFuzzTest -- -runs=1000000
 
   # Notification job that runs after all matrix jobs complete
   notification:
diff --git a/selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation/BUILD.bazel b/selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation/BUILD.bazel
@@ -9,6 +9,9 @@ java_fuzz_target_test(
         "ImmutableBean.java",
     ],
     data = ["//selffuzz/src/test/resources:ArgumentsMutatorFuzzTest-corpus"],
+    env = {
+        "_JAVA_OPTIONS": "-Xmx1024m",
+    },
     fuzzer_args = [
         # Make sure that the fuzzer can run. Longer fuzzing runs will be done in a separate GH action.
         "-runs=10000",
diff --git a/src/main/java/com/code_intelligence/jazzer/mutation/mutator/proto/BuilderMutatorFactory.java b/src/main/java/com/code_intelligence/jazzer/mutation/mutator/proto/BuilderMutatorFactory.java
@@ -57,6 +57,7 @@
 import com.code_intelligence.jazzer.mutation.mutator.lang.LangMutators;
 import com.code_intelligence.jazzer.mutation.support.Preconditions;
 import com.google.protobuf.Any;
+import com.google.protobuf.CodedInputStream;
 import com.google.protobuf.Descriptors.Descriptor;
 import com.google.protobuf.Descriptors.EnumDescriptor;
 import com.google.protobuf.Descriptors.EnumValueDescriptor;
@@ -86,6 +87,11 @@
 import java.util.stream.Stream;
 
 public final class BuilderMutatorFactory implements MutatorFactory {
+
+  // Generous size limit for decoded protobuf messages. This is necessary to guard against OOM
+  // errors when the corpus format changes e.g. due to a change in the fuzz test signature.
+  private static final int MAX_MESSAGE_SIZE = 32 * 1024 * 1024; // 32 MiB
+
   private <T extends Builder, U> InPlaceMutator<T> mutatorForField(
       AnnotatedType initialType,
       FieldDescriptor field,
@@ -273,9 +279,11 @@ public B readExclusive(InputStream in) throws IOException {
       }
 
       private Builder parseLeniently(InputStream in) throws IOException {
+        CodedInputStream cis = CodedInputStream.newInstance(in);
+        cis.setSizeLimit(MAX_MESSAGE_SIZE);
         Builder builder = defaultInstance.toBuilder();
         try {
-          builder.mergeFrom(in);
+          builder.mergeFrom(cis);
         } catch (InvalidProtocolBufferException ignored) {
           // builder has been partially modified with what could be decoded before the parser error.
         }
