From c136b3146257d0f12d1347a9f1a4784372e19a56 Mon Sep 17 00:00:00 2001 From: Ryan Harrison Date: Thu, 19 Oct 2017 14:37:06 -0400 Subject: Implement fuzzer for LZW decompressor This adds a fuzzer that tests the LZW decompression code used by our GIF decoder. BUG=pdfium:908 Change-Id: I1381f3ebb2eddf8d2c6f0394b1bb00f67d64a600 Reviewed-on: https://pdfium-review.googlesource.com/16310 Commit-Queue: Ryan Harrison Reviewed-by: Tom Sepez --- testing/libfuzzer/BUILD.gn | 7 +++++ testing/libfuzzer/pdf_lzw_fuzzer.cc | 58 +++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 testing/libfuzzer/pdf_lzw_fuzzer.cc diff --git a/testing/libfuzzer/BUILD.gn b/testing/libfuzzer/BUILD.gn index 2952444421..d23fb88376 100644 --- a/testing/libfuzzer/BUILD.gn +++ b/testing/libfuzzer/BUILD.gn @@ -46,6 +46,7 @@ group("libfuzzer") { ":pdf_codec_tiff_fuzzer", ":pdf_css_fuzzer", ":pdf_fm2js_fuzzer", + ":pdf_lzw_fuzzer", ":pdf_xml_fuzzer", ] } @@ -129,6 +130,12 @@ if (pdf_enable_xfa) { ] } + pdfium_fuzzer("pdf_lzw_fuzzer") { + sources = [ + "pdf_lzw_fuzzer.cc", + ] + } + pdfium_fuzzer("pdf_xml_fuzzer") { sources = [ "pdf_xml_fuzzer.cc", diff --git a/testing/libfuzzer/pdf_lzw_fuzzer.cc b/testing/libfuzzer/pdf_lzw_fuzzer.cc new file mode 100644 index 0000000000..71c258969d --- /dev/null +++ b/testing/libfuzzer/pdf_lzw_fuzzer.cc @@ -0,0 +1,58 @@ +// Copyright 2017 The PDFium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include + +#include "core/fxcodec/gif/cfx_lzwdecompressor.h" +#include "third_party/base/numerics/safe_conversions.h" + +// Between 2x and 5x is a standard range for LZW according to a quick +// search of papers. Running up to 10x to catch any niche cases. +constexpr uint32_t kMinCompressionRatio = 2; +constexpr uint32_t kMaxCompressionRatio = 10; + +void LZWFuzz(const uint8_t* src_buf, + size_t src_size, + uint8_t color_exp, + uint8_t code_exp) { + std::unique_ptr decompressor = + CFX_LZWDecompressor::Create(color_exp, code_exp); + if (!decompressor) + return; + + for (uint32_t compressions_ratio = kMinCompressionRatio; + compressions_ratio <= kMaxCompressionRatio; compressions_ratio++) { + std::vector des_buf(compressions_ratio * src_size); + // This cast should be safe since the caller is checking for overflow on + // the initial data. + uint32_t des_size = static_cast(des_buf.size()); + if (CFX_GifDecodeStatus::InsufficientDestSize != + decompressor->Decode(const_cast(src_buf), src_size, + des_buf.data(), &des_size)) + return; + } +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + // Need at least 3 bytes to do anything. + if (size < 3) + return 0; + + // Normally the GIF would provide the code and color sizes, instead, going + // to assume they are the first two bytes of data provided. + uint8_t color_exp = data[0]; + uint8_t code_exp = data[1]; + const uint8_t* lzw_data = data + 2; + uint32_t lzw_data_size = static_cast(size - 2); + // Check that there isn't going to be an overflow in the destination buffer + // size. + if (lzw_data_size > + std::numeric_limits::max() / kMaxCompressionRatio) { + return 0; + } + + LZWFuzz(lzw_data, lzw_data_size, color_exp, code_exp); + + return 0; +} -- cgit v1.2.3