Bound the number of API calls in ssl_ctx_api.cc.

By spamming just two bytes, this fuzzer can bounce between
SSL_CTX_use_certificate and SSL_CTX_get0_certificate, which continually
runs d2i_X509 on some certificate.

Doing that nearly 400,000 times is not particularly useful. Bound the
number of API calls. Start with 10,000 and see if the fuzzers are still
unhappy.

Bug: oss-fuzz:17748
Change-Id: I074fa08475fffcb86c02e64dcb9c5c7c69bcda71
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/37765
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/fuzz/ssl_ctx_api.cc b/fuzz/ssl_ctx_api.cc
index 5213a00..abf2f16 100644
--- a/fuzz/ssl_ctx_api.cc
+++ b/fuzz/ssl_ctx_api.cc
@@ -253,6 +253,7 @@
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
   constexpr size_t kMaxExpensiveAPIs = 100;
+  constexpr size_t kMaxAPIs = 10000;
   unsigned expensive_api_count = 0;
 
   const std::function<void(SSL_CTX *, CBS *)> kAPIs[] = {
@@ -501,7 +502,7 @@
   CBS cbs;
   CBS_init(&cbs, buf, len);
 
-  for (;;) {
+  for (unsigned i = 0; i < kMaxAPIs; i++) {
     uint8_t index;
     if (!CBS_get_u8(&cbs, &index)) {
       break;