Fix "Issue 39922 in oss-fuzz: cpp-httplib:server_fuzzer: Timeout in server_fuzzer"

Author: yhirose

httplib.h

@@ -4967,6 +4967,10 @@ inline bool Server::read_content(Stream &strm, Request &req, Response &res) {
           })) {
     const auto &content_type = req.get_header_value("Content-Type");
     if (!content_type.find("application/x-www-form-urlencoded")) {
+      if (req.body.size() > CPPHTTPLIB_REQUEST_URI_MAX_LENGTH) {
+        res.status = 413; // NOTE: should be 414?
+        return false;
+      }
       detail::parse_query_text(req.body, req.params);
     }
     return true;

test/Makefile

@@ -1,5 +1,5 @@
 #CXX = clang++
-CXXFLAGS = -g -std=c++11 -I. -Wall -Wextra -Wtype-limits -Wconversion #-fsanitize=address
+CXXFLAGS = -g -std=c++11 -I. -I.. -Wall -Wextra -Wtype-limits -Wconversion #-fsanitize=address
 
 OPENSSL_DIR = /usr/local/opt/[email protected]
 OPENSSL_SUPPORT = -DCPPHTTPLIB_OPENSSL_SUPPORT -I$(OPENSSL_DIR)/include -L$(OPENSSL_DIR)/lib -lssl -lcrypto
@@ -11,22 +11,44 @@ BROTLI_SUPPORT = -DCPPHTTPLIB_BROTLI_SUPPORT -I$(BROTLI_DIR)/include -L$(BROTLI_
 
 TEST_ARGS = gtest/gtest-all.cc gtest/gtest_main.cc $(OPENSSL_SUPPORT) $(ZLIB_SUPPORT) $(BROTLI_SUPPORT) -pthread
 
+# By default, use standalone_fuzz_target_runner.
+# This runner does no fuzzing, but simply executes the inputs
+# provided via parameters.
+# Run e.g. "make all LIB_FUZZING_ENGINE=/path/to/libFuzzer.a"
+# to link the fuzzer(s) against a real fuzzing engine.
+# OSS-Fuzz will define its own value for LIB_FUZZING_ENGINE.
+LIB_FUZZING_ENGINE ?= standalone_fuzz_target_runner.o
+
 all : test test_split
 	./test
-# Note: The intention of test_split is to verify that it works to compile and
-# link the split httplib.h, so there is normally no need to execute it.
 
 proxy : test_proxy
 	./test_proxy
 
 test : test.cc include_httplib.cc ../httplib.h Makefile cert.pem
-	$(CXX) -o $@ -I.. $(CXXFLAGS) test.cc include_httplib.cc $(TEST_ARGS)
+	$(CXX) -o $@ $(CXXFLAGS) test.cc include_httplib.cc $(TEST_ARGS)
 
+# Note: The intention of test_split is to verify that it works to compile and
+# link the split httplib.h, so there is normally no need to execute it.
 test_split : test.cc ../httplib.h httplib.cc Makefile cert.pem
 	$(CXX) -o $@ $(CXXFLAGS) test.cc httplib.cc $(TEST_ARGS)
 
 test_proxy : test_proxy.cc ../httplib.h Makefile cert.pem
-	$(CXX) -o $@ -I.. $(CXXFLAGS) test_proxy.cc $(TEST_ARGS)
+	$(CXX) -o $@ $(CXXFLAGS) test_proxy.cc $(TEST_ARGS)
+
+# Runs server_fuzzer.cc based on value of $(LIB_FUZZING_ENGINE).
+# Usage: make fuzz_test LIB_FUZZING_ENGINE=/path/to/libFuzzer
+fuzz_test: server_fuzzer
+	./server_fuzzer fuzzing/corpus/*
+
+# Fuzz target, so that you can choose which $(LIB_FUZZING_ENGINE) to use.
+server_fuzzer : fuzzing/server_fuzzer.cc ../httplib.h standalone_fuzz_target_runner.o
+	$(CXX) $(CXXFLAGS) -o $@  $< $(OPENSSL_SUPPORT)  $(ZLIB_SUPPORT) $(BROTLI_SUPPORT) $(LIB_FUZZING_ENGINE) -pthread
+
+# Standalone fuzz runner, which just reads inputs from fuzzing/corpus/ dir and
+# feeds it to server_fuzzer.
+standalone_fuzz_target_runner.o : fuzzing/standalone_fuzz_target_runner.cpp
+	$(CXX) $(CXXFLAGS) -c -o $@ $<
 
 httplib.cc : ../httplib.h
 	python3 ../split.py -o .
@@ -42,4 +64,4 @@ cert.pem:
 	#c_rehash .
 
 clean:
-	rm -f test test_proxy pem *.0 *.1 *.srl httplib.h httplib.cc
+	rm -f test test_proxy server_fuzzer pem *.0 *.o *.1 *.srl httplib.h httplib.cc

test/Makefile.fuzz_test

@@ -20,16 +20,16 @@ int main(int argc, char **argv) {
   for (int i = 1; i < argc; i++) {
     std::ifstream in(argv[i]);
     in.seekg(0, in.end);
-    size_t length = in.tellg();
+    size_t length = static_cast<size_t>(in.tellg());
     in.seekg (0, in.beg);
     std::cout << "Reading " << length << " bytes from " << argv[i] << std::endl;
     // Allocate exactly length bytes so that we reliably catch buffer overflows.
     std::vector<char> bytes(length);
-    in.read(bytes.data(), bytes.size());
+    in.read(bytes.data(), static_cast<std::streamsize>(bytes.size()));
     LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t *>(bytes.data()),
                            bytes.size());
     std::cout << "Execution successful" << std::endl;
   }
   std::cout << "Execution finished" << std::endl;
   return 0;
-}
+}