OSS-Fuzz: Add fuzz target for lossless JPEG
This commit is contained in:
DRC
@@ -54,6 +54,8 @@ add_fuzz_target(compress compress.cc)
|
||||
|
||||
add_fuzz_target(compress_yuv compress_yuv.cc)
|
||||
|
||||
add_fuzz_target(compress_lossless compress_lossless.cc)
|
||||
|
||||
# NOTE: This target is named libjpeg_turbo_fuzzer instead of decompress_fuzzer
|
||||
# in order to preserve the corpora from Google's OSS-Fuzz target for
|
||||
# libjpeg-turbo, which this target replaces.
|
||||
|
||||
@@ -21,6 +21,7 @@ cp $SRC/compress_fuzzer_seed_corpus.zip $OUT/cjpeg_fuzzer${FUZZER_SUFFIX}_seed_c
|
||||
cp $SRC/compress_fuzzer_seed_corpus.zip $OUT/cjpeg12_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
|
||||
cp $SRC/compress_fuzzer_seed_corpus.zip $OUT/compress_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
|
||||
cp $SRC/compress_fuzzer_seed_corpus.zip $OUT/compress_yuv_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
|
||||
cp $SRC/compress_fuzzer_seed_corpus.zip $OUT/compress_lossless_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
|
||||
cp $SRC/decompress_fuzzer_seed_corpus.zip $OUT/libjpeg_turbo_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
|
||||
cp $SRC/decompress_fuzzer_seed_corpus.zip $OUT/decompress_yuv_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
|
||||
cp $SRC/decompress_fuzzer_seed_corpus.zip $OUT/transform_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
|
||||
|
||||
@@ -56,6 +56,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
||||
(char *)"-quality", (char *)"90,80,70", (char *)"-rgb",
|
||||
(char *)"-sample", (char *)"2x1", (char *)"-smooth", (char *)"50", NULL
|
||||
};
|
||||
char *argv3[] = {
|
||||
(char *)"cjpeg", (char *)"-precision", (char *)"12",
|
||||
(char *)"-lossless", (char *)"1,4", NULL
|
||||
};
|
||||
char *argv4[] = {
|
||||
(char *)"cjpeg", (char *)"-precision", (char *)"12",
|
||||
(char *)"-lossless", (char *)"4,0", NULL
|
||||
};
|
||||
int fd = -1;
|
||||
#if defined(__has_feature) && __has_feature(memory_sanitizer)
|
||||
char env[18] = "JSIMD_FORCENONE=1";
|
||||
@@ -69,10 +77,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
||||
if ((fd = mkstemp(filename)) < 0 || write(fd, data, size) < 0)
|
||||
goto bailout;
|
||||
|
||||
argv1[12] = argv2[13] = filename;
|
||||
argv1[12] = argv2[13] = argv3[5] = argv4[5] = filename;
|
||||
|
||||
cjpeg_main(13, argv1);
|
||||
cjpeg_main(14, argv2);
|
||||
cjpeg_main(6, argv3);
|
||||
cjpeg_main(6, argv4);
|
||||
|
||||
bailout:
|
||||
if (fd >= 0) {
|
||||
|
||||
131
fuzz/compress_lossless.cc
Normal file
131
fuzz/compress_lossless.cc
Normal file
@@ -0,0 +1,131 @@
|
||||
/*
|
||||
* Copyright (C)2021-2022 D. R. Commander. All Rights Reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
*
|
||||
* - Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
* - Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
* - Neither the name of the libjpeg-turbo Project nor the names of its
|
||||
* contributors may be used to endorse or promote products derived from this
|
||||
* software without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
|
||||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
|
||||
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <turbojpeg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
|
||||
#define NUMTESTS 7
|
||||
/* Private flag that triggers different TurboJPEG API behavior when fuzzing */
|
||||
#define TJFLAG_FUZZING (1 << 30)
|
||||
|
||||
|
||||
struct test {
|
||||
enum TJPF pf;
|
||||
int psv, pt;
|
||||
};
|
||||
|
||||
|
||||
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
||||
{
|
||||
tjhandle handle = NULL;
|
||||
unsigned char *srcBuf = NULL, *dstBuf = NULL;
|
||||
int width = 0, height = 0, fd = -1, i, ti;
|
||||
char filename[FILENAME_MAX] = { 0 };
|
||||
struct test tests[NUMTESTS] = {
|
||||
{ TJPF_RGB, 1, 0 },
|
||||
{ TJPF_BGR, 2, 2 },
|
||||
{ TJPF_RGBX, 3, 4 },
|
||||
{ TJPF_BGRA, 4, 7 },
|
||||
{ TJPF_XRGB, 5, 5 },
|
||||
{ TJPF_GRAY, 6, 3 },
|
||||
{ TJPF_CMYK, 7, 0 }
|
||||
};
|
||||
#if defined(__has_feature) && __has_feature(memory_sanitizer)
|
||||
char env[18] = "JSIMD_FORCENONE=1";
|
||||
|
||||
/* The libjpeg-turbo SIMD extensions produce false positives with
|
||||
MemorySanitizer. */
|
||||
putenv(env);
|
||||
#endif
|
||||
|
||||
snprintf(filename, FILENAME_MAX, "/tmp/libjpeg-turbo_compress_fuzz.XXXXXX");
|
||||
if ((fd = mkstemp(filename)) < 0 || write(fd, data, size) < 0)
|
||||
goto bailout;
|
||||
|
||||
if ((handle = tjInitCompress()) == NULL)
|
||||
goto bailout;
|
||||
|
||||
for (ti = 0; ti < NUMTESTS; ti++) {
|
||||
int flags = TJFLAG_FUZZING | TJFLAG_LOSSLESS, sum = 0, pf = tests[ti].pf;
|
||||
unsigned long dstSize = 0, maxBufSize;
|
||||
|
||||
/* Test non-default compression options on specific iterations. */
|
||||
if (ti == 0)
|
||||
flags |= TJFLAG_BOTTOMUP;
|
||||
if (ti != 2)
|
||||
flags |= TJFLAG_NOREALLOC;
|
||||
|
||||
/* tjLoadImage() refuses to load images larger than 1 Megapixel when
|
||||
FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is defined (yes, that's a dirty
|
||||
hack), so we don't need to check the width and height here. */
|
||||
if ((srcBuf = tjLoadImage(filename, &width, 1, &height, &pf,
|
||||
flags)) == NULL)
|
||||
continue;
|
||||
|
||||
maxBufSize = tjBufSize(width, height, TJSAMP_444);
|
||||
if (flags & TJFLAG_NOREALLOC) {
|
||||
if ((dstBuf = (unsigned char *)malloc(maxBufSize)) == NULL)
|
||||
goto bailout;
|
||||
} else
|
||||
dstBuf = NULL;
|
||||
|
||||
if (tjCompress2(handle, srcBuf, width, 0, height, pf, &dstBuf, &dstSize,
|
||||
TJSAMP_444, tests[ti].psv * 10 + tests[ti].pt,
|
||||
flags) == 0) {
|
||||
/* Touch all of the output pixels in order to catch uninitialized reads
|
||||
when using MemorySanitizer. */
|
||||
for (i = 0; i < dstSize; i++)
|
||||
sum += dstBuf[i];
|
||||
}
|
||||
|
||||
free(dstBuf);
|
||||
dstBuf = NULL;
|
||||
tjFree(srcBuf);
|
||||
srcBuf = NULL;
|
||||
|
||||
/* Prevent the code above from being optimized out. This test should never
|
||||
be true, but the compiler doesn't know that. */
|
||||
if (sum > 255 * maxBufSize)
|
||||
goto bailout;
|
||||
}
|
||||
|
||||
bailout:
|
||||
free(dstBuf);
|
||||
tjFree(srcBuf);
|
||||
if (fd >= 0) {
|
||||
close(fd);
|
||||
if (strlen(filename) > 0) unlink(filename);
|
||||
}
|
||||
if (handle) tjDestroy(handle);
|
||||
return 0;
|
||||
}
|
||||
Reference in New Issue
Block a user