Through regression range suspected CL is
https://chromium.googlesource.com/chromium/src/+/11a3425fff09d249101f8fb0dcd9c00ddb80283b
scroggo@, could you please take a look?.
Thank you.

> Through regression range suspected CL is
> https://chromium.googlesource.com/chromium/src/+/11a3425fff09d249101f8fb0dcd9c00ddb80283b
> scroggo@, could you please take a look?.
> Thank you.

That CL introduces the fuzzer, so it makes sense that it would be the first one to show this.

This image reports dimensions of 8363 x 1, meaning libpng has to allocate 8363 x 8 (8 bits per pixel) = 66904 bytes per row. That is pretty big, but not going to go over the 2048 MB limit.

The problem is there is an iCCP profile that reports to have a profile_length of 1879048662. This is obviously incorrect, since it is larger than the size of the chunk itself (276 bytes), but libpng tries to allocate all of this memory (~1.8 gigs) anyway.

It would be good if the libpng fuzzers would stop filing bugs on OOM.  Large images with corrupt/large chunks will cause libpng to allocate a lot of memory... there is nothing to fix here.

I think it's good that the fuzzer runs with a memory limit - we at least avoid seeing OOM crashes.  I just don't think it's a bug when we exceed this limit.

Is there a way to go about changing when bugs are filed by the fuzzer?

Yes, we already have some protections against large memory buffers allocation, e.g. https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/libpng_read_fuzzer.cc?l=55 or https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/libpng_read_fuzzer.cc?l=110

but they are not sufficient. I think we've discussed some ideas in  issue 673082 , so we need to add more checks / limits to avoid OOMs.

Unfortunately, this is the only reasonable option. Otherwise, the fuzzer will hit these OOMs too often (even if we disable OOM reporting), and will not discover new inputs and new bugs.

ClusterFuzz has detected this issue as fixed in range 464964:465012.

Detailed report: https://clusterfuzz.com/testcase?key=4521226992353280

Fuzzer: libfuzzer_libpng_progressive_read_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  libpng_progressive_read_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=454875:454973
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=464964:465012

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94t2jSdW_e9WgjDoVoCVCjJ1YHDFscn0dsPY_qnBWba0auTGvvBDOLmpTDFvB1AkLaOoY4ksMLKrA72vvotnFH4l8a0FTjid9qBiPBu11k94-Nn7i7MFRSwKZudOa0feQ6rSrARVKEI3BGSDFyO2ybCSg6kP_AQO94quwr4RdRvmw7P107THu7myfXDf8BztwNTPWdXE_0v8r2zSl-bdxQo5pkwWy963o3rbmorCF8QC9q4GUZzongArGJ2UZsNNbv5zequTlD99S5bnmPnFGIGdlr7GnCQzNJICip77um39JtxIqvjIpn-hyUkYe1rxaplZc-9R-yaFMHtRD7ymNrgBiNRQdLGCclZjbtC7H1WByJN4BM?testcase_id=4521226992353280


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.