From 5a5f251ce8646ec421aa9e35d8bbca71a984770a Mon Sep 17 00:00:00 2001
From: dsinclair
Date: Mon, 6 Jun 2016 11:52:30 -0700
Subject: Add GIF, BMP, JPEG and TIFF XFA fuzzers

Generalize the PNG fuzzer and add fuzzers for the other image types handled by the progressive decoder.

BUG=chromium:617659, chromium:616842, chromium:616841, chromium:616839
Review-Url: https://codereview.chromium.org/2045613002
---
 testing/libfuzzer/BUILD.gn | 61 ++++++++++++++++++++++++++++
 testing/libfuzzer/fuzzers.gyp | 49 ++++++++++++++++++++++
 testing/libfuzzer/pdf_codec_bmp_fuzzer.cc | 9 +++++
 testing/libfuzzer/pdf_codec_gif_fuzzer.cc | 9 +++++
 testing/libfuzzer/pdf_codec_jpeg_fuzzer.cc | 9 +++++
 testing/libfuzzer/pdf_codec_png_fuzzer.cc | 55 +------------------------
 testing/libfuzzer/pdf_codec_tiff_fuzzer.cc | 9 +++++
 testing/libfuzzer/xfa_codec_fuzzer.h | 65 ++++++++++++++++++++++++++++++
 8 files changed, 213 insertions(+), 53 deletions(-)
 create mode 100644 testing/libfuzzer/pdf_codec_bmp_fuzzer.cc
 create mode 100644 testing/libfuzzer/pdf_codec_gif_fuzzer.cc
 create mode 100644 testing/libfuzzer/pdf_codec_jpeg_fuzzer.cc
 create mode 100644 testing/libfuzzer/pdf_codec_tiff_fuzzer.cc
 create mode 100644 testing/libfuzzer/xfa_codec_fuzzer.h
(limited to 'testing/libfuzzer')
diff --git a/testing/libfuzzer/BUILD.gn b/testing/libfuzzer/BUILD.gn
index e1152f9b69..5382313e01 100644
--- a/testing/libfuzzer/BUILD.gn
+++ b/testing/libfuzzer/BUILD.gn
@@ -51,6 +51,67 @@ if (pdf_enable_xfa) {
 testonly = true
 sources = [
 "pdf_codec_png_fuzzer.cc",
+ "xfa_codec_fuzzer.h",
+ ]
+ deps = [
+ "//third_party/pdfium:pdfium",
+ ]
+ configs -= [ "//build/config/compiler:chromium_code" ]
+ configs += [
+ "//build/config/compiler:no_chromium_code",
+ ":libfuzzer_config",
+ ]
+ }
+ source_set("pdf_codec_jpeg_fuzzer") {
+ testonly = true
+ sources = [
+ "pdf_codec_jpeg_fuzzer.cc",
+ "xfa_codec_fuzzer.h",
+ ]
+ deps = [
+ "//third_party/pdfium:pdfium",
+ ]
+ configs -= [ "//build/config/compiler:chromium_code" ]
+ configs += [
+ "//build/config/compiler:no_chromium_code",
+ ":libfuzzer_config",
+ ]
+ }
+ source_set("pdf_codec_gif_fuzzer") {
+ testonly = true
+ sources = [
+ "pdf_codec_gif_fuzzer.cc",
+ "xfa_codec_fuzzer.h",
+ ]
+ deps = [
+ "//third_party/pdfium:pdfium",
+ ]
+ configs -= [ "//build/config/compiler:chromium_code" ]
+ configs += [
+ "//build/config/compiler:no_chromium_code",
+ ":libfuzzer_config",
+ ]
+ }
+ source_set("pdf_codec_bmp_fuzzer") {
+ testonly = true
+ sources = [
+ "pdf_codec_bmp_fuzzer.cc",
+ "xfa_codec_fuzzer.h",
+ ]
+ deps = [
+ "//third_party/pdfium:pdfium",
+ ]
+ configs -= [ "//build/config/compiler:chromium_code" ]
+ configs += [
+ "//build/config/compiler:no_chromium_code",
+ ":libfuzzer_config",
+ ]
+ }
+ source_set("pdf_codec_tiff_fuzzer") {
+ testonly = true
+ sources = [
+ "pdf_codec_tiff_fuzzer.cc",
+ "xfa_codec_fuzzer.h",
 ]
 deps = [
 "//third_party/pdfium:pdfium",
diff --git a/testing/libfuzzer/fuzzers.gyp b/testing/libfuzzer/fuzzers.gyp
index 2339b5812e..3f1d8123b6 100644
--- a/testing/libfuzzer/fuzzers.gyp
+++ b/testing/libfuzzer/fuzzers.gyp
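Review bot: The four new `source_set` stanzas in this hunk repeat the first one line for line, differing only in the fuzzer's `.cc` file, so the shared `deps`, `configs -= [...]` and `configs += [...]` lists now live in five places that can drift apart. A GN template taking the source name (e.g. `template("xfa_codec_fuzzer") { source_set(target_name) { sources = [ invoker.source, "xfa_codec_fuzzer.h" ] ... } }`) or a `foreach` over the codec list would keep the `:libfuzzer_config` wiring in one spot. The enclosing `if (pdf_enable_xfa)` block begins before this hunk and the last stanza's closing lines fall after it.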
@@ -68,6 +68,55 @@
 'sources': [
 'pdf_codec_png_fuzzer.cc',
 'unittest_main.cc',
+ 'xfa_codec_fuzzer.h',
+ ],
+ },
+ {
+ 'target_name': 'pdf_codec_jpeg_fuzzer',
+ 'type': 'executable',
+ 'dependencies': [
+ '../../pdfium.gyp:pdfium',
+ ],
+ 'sources': [
+ 'pdf_codec_jpeg_fuzzer.cc',
+ 'unittest_main.cc',
+ 'xfa_codec_fuzzer.h',
+ ],
+ },
+ {
+ 'target_name': 'pdf_codec_gif_fuzzer',
+ 'type': 'executable',
+ 'dependencies': [
+ '../../pdfium.gyp:pdfium',
+ ],
+ 'sources': [
+ 'pdf_codec_gif_fuzzer.cc',
+ 'unittest_main.cc',
+ 'xfa_codec_fuzzer.h',
+ ],
+ },
+ {
+ 'target_name': 'pdf_codec_bmp_fuzzer',
+ 'type': 'executable',
+ 'dependencies': [
+ '../../pdfium.gyp:pdfium',
+ ],
+ 'sources': [
+ 'pdf_codec_bmp_fuzzer.cc',
+ 'unittest_main.cc',
+ 'xfa_codec_fuzzer.h',
+ ],
+ },
+ {
+ 'target_name': 'pdf_codec_tiff_fuzzer',
+ 'type': 'executable',
+ 'dependencies': [
+ '../../pdfium.gyp:pdfium',
+ ],
+ 'sources': [
+ 'pdf_codec_tiff_fuzzer.cc',
+ 'unittest_main.cc',
+ 'xfa_codec_fuzzer.h',
 ],
 },
 ],
diff --git a/testing/libfuzzer/pdf_codec_bmp_fuzzer.cc b/testing/libfuzzer/pdf_codec_bmp_fuzzer.cc
new file mode 100644
index 0000000000..6c80fb58b9
--- /dev/null
+++ b/testing/libfuzzer/pdf_codec_bmp_fuzzer.cc
@@ -0,0 +1,9 @@
+// Copyright 2016 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "testing/libfuzzer/xfa_codec_fuzzer.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ return XFACodecFuzzer::Fuzz(data, size, FXCODEC_IMAGE_BMP);
+}
diff --git a/testing/libfuzzer/pdf_codec_gif_fuzzer.cc b/testing/libfuzzer/pdf_codec_gif_fuzzer.cc
new file mode 100644
index 0000000000..613ed1e37d
--- /dev/null
+++ b/testing/libfuzzer/pdf_codec_gif_fuzzer.cc
@@ -0,0 +1,9 @@
+// Copyright 2016 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "testing/libfuzzer/xfa_codec_fuzzer.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ return XFACodecFuzzer::Fuzz(data, size, FXCODEC_IMAGE_GIF);
+}
diff --git a/testing/libfuzzer/pdf_codec_jpeg_fuzzer.cc b/testing/libfuzzer/pdf_codec_jpeg_fuzzer.cc
new file mode 100644
index 0000000000..862bfad535
--- /dev/null
+++ b/testing/libfuzzer/pdf_codec_jpeg_fuzzer.cc
@@ -0,0 +1,9 @@
+// Copyright 2016 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "testing/libfuzzer/xfa_codec_fuzzer.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ return XFACodecFuzzer::Fuzz(data, size, FXCODEC_IMAGE_JPG);
+}
diff --git a/testing/libfuzzer/pdf_codec_png_fuzzer.cc b/testing/libfuzzer/pdf_codec_png_fuzzer.cc
index 5422a2f758..94e9321fd7 100644
--- a/testing/libfuzzer/pdf_codec_png_fuzzer.cc
+++ b/testing/libfuzzer/pdf_codec_png_fuzzer.cc
@@ -2,59 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include 
-
-#include "core/fxcodec/codec/include/ccodec_progressivedecoder.h"
-#include "core/fxcodec/include/fx_codec.h"
-#include "core/fxcrt/include/fx_stream.h"
-
-namespace {
-
-class Reader : public IFX_FileRead {
- public:
- Reader(const uint8_t* data, size_t size) : m_data(data), m_size(size) {}
- ~Reader() {}
-
- void Release() override {}
-
- FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offset, size_t size) override {
- if (offset + size > m_size)
- size = m_size - offset;
- memcpy(buffer, m_data + offset, size);
- return TRUE;
- }
-
- FX_FILESIZE GetSize() override { return static_cast(m_size); }
-
- private:
- const uint8_t* const m_data;
- size_t m_size;
-};
-
-} // namespace
+#include "testing/libfuzzer/xfa_codec_fuzzer.h"
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- std::unique_ptr mgr(new CCodec_ModuleMgr());
- std::unique_ptr decoder(
- mgr->CreateProgressiveDecoder());
- Reader source(data, size);
-
- FXCODEC_STATUS status =
- decoder->LoadImageInfo(&source, FXCODEC_IMAGE_PNG, nullptr);
- if (status != FXCODEC_STATUS_FRAME_READY)
- return 0;
-
- std::unique_ptr bitmap(new CFX_DIBitmap);
- bitmap->Create(decoder->GetWidth(), decoder->GetHeight(), FXDIB_Argb);
-
- int32_t frames;
- if (decoder->GetFrames(frames) != FXCODEC_STATUS_DECODE_READY || frames == 0)
- return 0;
-
- status = decoder->StartDecode(bitmap.get(), 0, 0, bitmap->GetWidth(),
- bitmap->GetHeight());
- while (status == FXCODEC_STATUS_DECODE_TOBECONTINUE)
- status = decoder->ContinueDecode();
-
- return 0;
+ return XFACodecFuzzer::Fuzz(data, size, FXCODEC_IMAGE_PNG);
 }
diff --git a/testing/libfuzzer/pdf_codec_tiff_fuzzer.cc b/testing/libfuzzer/pdf_codec_tiff_fuzzer.cc
new file mode 100644
index 0000000000..483ac28306
--- /dev/null
+++ b/testing/libfuzzer/pdf_codec_tiff_fuzzer.cc
@@ -0,0 +1,9 @@
+// Copyright 2016 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "testing/libfuzzer/xfa_codec_fuzzer.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ return XFACodecFuzzer::Fuzz(data, size, FXCODEC_IMAGE_TIF);
+}
diff --git a/testing/libfuzzer/xfa_codec_fuzzer.h b/testing/libfuzzer/xfa_codec_fuzzer.h
new file mode 100644
index 0000000000..f3a3517a12
--- /dev/null
+++ b/testing/libfuzzer/xfa_codec_fuzzer.h
@@ -0,0 +1,65 @@
+// Copyright 2016 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef TESTING_LIBFUZZER_XFA_CODEC_FUZZER_H_
+#define TESTING_LIBFUZZER_XFA_CODEC_FUZZER_H_
+
+#include 
+
+#include "core/fxcodec/codec/include/ccodec_progressivedecoder.h"
+#include "core/fxcodec/include/fx_codec.h"
+#include "core/fxcrt/include/fx_stream.h"
+
+class XFACodecFuzzer {
+ public:
+ static int Fuzz(const uint8_t* data, size_t size, FXCODEC_IMAGE_TYPE type) {
+ std::unique_ptr mgr(new CCodec_ModuleMgr());
+ std::unique_ptr decoder(
+ mgr->CreateProgressiveDecoder());
+ Reader source(data, size);
+
+ FXCODEC_STATUS status = decoder->LoadImageInfo(&source, type, nullptr);
+ if (status != FXCODEC_STATUS_FRAME_READY)
+ return 0;
+
+ std::unique_ptr bitmap(new CFX_DIBitmap);
+ bitmap->Create(decoder->GetWidth(), decoder->GetHeight(), FXDIB_Argb);
+
+ int32_t frames;
+ if (decoder->GetFrames(frames) != FXCODEC_STATUS_DECODE_READY ||
+ frames == 0)
+ return 0;
+
+ status = decoder->StartDecode(bitmap.get(), 0, 0, bitmap->GetWidth(),
+ bitmap->GetHeight());
+ while (status == FXCODEC_STATUS_DECODE_TOBECONTINUE)
+ status = decoder->ContinueDecode();
+
+ return 0;
+ }
+
+ private:
+ class Reader : public IFX_FileRead {
+ public:
+ Reader(const uint8_t* data, size_t size) : m_data(data), m_size(size) {}
+ ~Reader() {}
+
+ void Release() override {}
+
+ FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offset, size_t size) override {
+ if (offset + size > m_size)
+ size = m_size - offset;
+ memcpy(buffer, m_data + offset, size);
+ return TRUE;
+ }
+
+ FX_FILESIZE GetSize() override { return static_cast(m_size); }
+
+ private:
+ const uint8_t* const m_data;
+ size_t m_size;
+ };
+};
+
+#endif // TESTING_LIBFUZZER_XFA_CODEC_FUZZER_H_
-- 
cgit v1.2.3
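Review bot: `Reader::ReadBlock` in the new header only clamps `size` when `offset + size > m_size`; an `offset` beyond the end of the input (or a negative `FX_FILESIZE`) makes `m_size - offset` wrap to a huge value and the `memcpy` then reads past the fuzzer's buffer, so a decoder that seeks out of range crashes inside the harness instead of in the code under test, and `offset + size` itself can wrap for a large `size`. Reject out-of-range offsets before the copy and compute the clamp from the bytes actually available; if the `IFX_FileRead` contract (not visible here) requires a short read to fail, return FALSE in the short-read case as well. Separately, the return value of `bitmap->Create(...)` in `Fuzz` is ignored, so if it reports failure for a header-supplied width/height the decode runs against an unallocated bitmap; assuming it returns a success flag, `if (!bitmap->Create(decoder->GetWidth(), decoder->GetHeight(), FXDIB_Argb)) return 0;` closes that. It would also help to document the helper, e.g. `// Non-owning in-memory IFX_FileRead over the fuzzer input; Release() is a no-op because the instance lives on Fuzz()'s stack.` above `class Reader`.
```cpp
FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offset, size_t size) override {
  // Reject offsets outside [0, m_size] so the harness itself never reads
  // past the fuzzer input; an in-range short read is still clamped.
  if (offset < 0 || static_cast<size_t>(offset) > m_size)
    return FALSE;
  size_t available = m_size - static_cast<size_t>(offset);
  if (size > available)
    size = available;
  memcpy(buffer, m_data + offset, size);
  return TRUE;
}
```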