diff options
| author | Lei Zhang <thestig@chromium.org> | 2018-05-25 21:47:19 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2018-05-25 21:47:19 +0000 |
| commit | fa4d93a08d5cd4f349c480b194a3e795273b27ed (patch) | |
| tree | 522fdac3c130bf525814c0c745a9cffb2f6d6a4b /testing/fuzzers/pdf_lzw_fuzzer.cc | |
| parent | 0d86f765b8361b7f9f3a5fcc659de2f52c806bd0 (diff) | |
| download | pdfium-fa4d93a08d5cd4f349c480b194a3e795273b27ed.tar.xz | |
Move fuzzers to testing/fuzzers.
Move them out of testing/libfuzzer, to make it possible to pull
libfuzzer into that directory. Leave testing/libfuzzer/BUILD.gn there
for now as a transitional build file.
BUG=pdfium:1088
Change-Id: I4126d89dd3e075ac63477a4860e029c135866dbe
Reviewed-on: https://pdfium-review.googlesource.com/32896
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'testing/fuzzers/pdf_lzw_fuzzer.cc')
| -rw-r--r-- | testing/fuzzers/pdf_lzw_fuzzer.cc | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/testing/fuzzers/pdf_lzw_fuzzer.cc b/testing/fuzzers/pdf_lzw_fuzzer.cc new file mode 100644 index 0000000000..7e10d2a1ee --- /dev/null +++ b/testing/fuzzers/pdf_lzw_fuzzer.cc @@ -0,0 +1,58 @@ +// Copyright 2017 The PDFium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include <vector> + +#include "core/fxcodec/gif/cfx_lzwdecompressor.h" +#include "third_party/base/numerics/safe_conversions.h" + +// Between 2x and 5x is a standard range for LZW according to a quick +// search of papers. Running up to 10x to catch any niche cases. +constexpr uint32_t kMinCompressionRatio = 2; +constexpr uint32_t kMaxCompressionRatio = 10; + +void LZWFuzz(const uint8_t* src_buf, + size_t src_size, + uint8_t color_exp, + uint8_t code_exp) { + std::unique_ptr<CFX_LZWDecompressor> decompressor = + CFX_LZWDecompressor::Create(color_exp, code_exp); + if (!decompressor) + return; + + for (uint32_t compressions_ratio = kMinCompressionRatio; + compressions_ratio <= kMaxCompressionRatio; compressions_ratio++) { + std::vector<uint8_t> dest_buf(compressions_ratio * src_size); + // This cast should be safe since the caller is checking for overflow on + // the initial data. + uint32_t dest_size = static_cast<uint32_t>(dest_buf.size()); + if (CFX_GifDecodeStatus::InsufficientDestSize != + decompressor->Decode(const_cast<uint8_t*>(src_buf), src_size, + dest_buf.data(), &dest_size)) + return; + } +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + // Need at least 3 bytes to do anything. + if (size < 3) + return 0; + + // Normally the GIF would provide the code and color sizes, instead, going + // to assume they are the first two bytes of data provided. + uint8_t color_exp = data[0]; + uint8_t code_exp = data[1]; + const uint8_t* lzw_data = data + 2; + uint32_t lzw_data_size = static_cast<uint32_t>(size - 2); + // Check that there isn't going to be an overflow in the destination buffer + // size. + if (lzw_data_size > + std::numeric_limits<uint32_t>::max() / kMaxCompressionRatio) { + return 0; + } + + LZWFuzz(lzw_data, lzw_data_size, color_exp, code_exp); + + return 0; +} |