From f582305ebec5af69ca43bef1c69c96c9b508dd3a Mon Sep 17 00:00:00 2001
From: Craig Tiller
Date: Fri, 15 Apr 2016 15:22:09 -0700
Subject: Limit message length
---
 test/core/end2end/fuzzers/api_fuzzer.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'test/core')
diff --git a/test/core/end2end/fuzzers/api_fuzzer.c b/test/core/end2end/fuzzers/api_fuzzer.c
index 557fd5febd..6f9be8ecd6 100644
--- a/test/core/end2end/fuzzers/api_fuzzer.c
+++ b/test/core/end2end/fuzzers/api_fuzzer.c
@@ -90,6 +90,21 @@ static void read_buffer(input_stream *inp, char **buffer, size_t *length) {
 }
 }
 
+static uint32_t read_uint22(input_stream *inp) {
+ uint8_t b = next_byte(inp);
+ uint32_t x = b & 0x7f;
+ if (b & 0x80) {
+ x <<= 7;
+ b = next_byte(inp);
+ x |= b & 0x7f;
+ if (b & 0x80) {
+ x <<= 8;
+ x |= next_byte(inp);
+ }
+ }
+ return x;
+}
+
 static uint32_t read_uint32(input_stream *inp) {
 uint8_t b = next_byte(inp);
 uint32_t x = b & 0x7f;
@@ -115,7 +130,7 @@ static uint32_t read_uint32(input_stream *inp) {
 }
 
 static grpc_byte_buffer *read_message(input_stream *inp) {
- gpr_slice slice = gpr_slice_malloc(read_uint32(inp));
+ gpr_slice slice = gpr_slice_malloc(read_uint22(inp));
 memset(GPR_SLICE_START_PTR(slice), 0, GPR_SLICE_LENGTH(slice));
 return grpc_raw_byte_buffer_create(&slice, 1);
 }
--
cgit v1.2.3
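Review bot: read_uint22 has no comment stating its encoding or its upper bound, and the name alone does not tell a reader that the result tops out at 0x3fffff (7 + 7 + 8 bits, just under 4 MiB). The third byte is OR-ed in whole rather than masked with 0x7f like the first two, which is what makes the width 22 bits and is worth marking as deliberate. I would add above the function `/* Decode up to three bytes (7 + 7 + 8 bits); result is at most 0x3fffff. Used to bound sizes chosen by fuzz input. */`. How next_byte behaves once the input is exhausted is not visible in this hunk, so the comment should not promise anything about short inputs.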
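Review bot: The size handed to gpr_slice_malloc in read_message still comes straight from fuzz input, and the cap is now expressed only through the choice of helper. A comment at the call, for example `/* length comes from read_uint22, so one message is < 4 MiB regardless of fuzz input */`, would keep a later edit from swapping read_uint32 back in unnoticed. Each call can still allocate and memset up to about 4 MiB, and whether the number of messages per input is bounded depends on the caller, which lies outside this hunk.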