Decompress fuzzer: Fix uninitialized memory access

(regression introduced by fc01f4673b)

Oops.  In the process of migrating the fuzzers to the TurboJPEG 3 API,
I accidentally left out the code in decompress.cc that updates the width
and height based on the scaling factor (but I apparently included that
code in decompress_yuv.cc.)

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55573
DRC
2023-02-01 12:24:00 -06:00
parent dd89ce6cd6
commit 89ceac8c85


@@ -71,6 +71,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
tj3Set(handle, TJPARAM_SCANLIMIT, 500); tj3Set(handle, TJPARAM_SCANLIMIT, 500);
for (pfi = 0; pfi < NUMPF; pfi++) { for (pfi = 0; pfi < NUMPF; pfi++) {
int w = width, h = height;
int pf = pixelFormats[pfi], i; int pf = pixelFormats[pfi], i;
int64_t sum = 0; int64_t sum = 0;
@@ -84,20 +85,21 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
if (pfi == 1) { if (pfi == 1) {
tjscalingfactor sf = { 1, 2 }; tjscalingfactor sf = { 1, 2 };
tj3SetScalingFactor(handle, sf); tj3SetScalingFactor(handle, sf);
w = TJSCALED(width, sf);
h = TJSCALED(height, sf);
} else } else
tj3SetScalingFactor(handle, TJUNSCALED); tj3SetScalingFactor(handle, TJUNSCALED);
/* Test partial image decompression on the fourth iteration, if the image /* Test partial image decompression on the fourth iteration, if the image
is large enough. */ is large enough. */
if (pfi == 3 && width >= 97 && height >= 75) { if (pfi == 3 && w >= 97 && h >= 75) {
tjregion cr = { 32, 16, 65, 59 }; tjregion cr = { 32, 16, 65, 59 };
tj3SetCroppingRegion(handle, cr); tj3SetCroppingRegion(handle, cr);
} else } else
tj3SetCroppingRegion(handle, TJUNCROPPED); tj3SetCroppingRegion(handle, TJUNCROPPED);
} }
if ((dstBuf = malloc(width * height * tjPixelSize[pf] * if ((dstBuf = malloc(w * h * tjPixelSize[pf] * sampleSize)) == NULL)
sampleSize)) == NULL)
goto bailout; goto bailout;
if (precision == 8) { if (precision == 8) {
@@ -105,14 +107,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
pf) == 0) { pf) == 0) {
/* Touch all of the output pixels in order to catch uninitialized reads /* Touch all of the output pixels in order to catch uninitialized reads
when using MemorySanitizer. */ when using MemorySanitizer. */
for (i = 0; i < width * height * tjPixelSize[pf]; i++) for (i = 0; i < w * h * tjPixelSize[pf]; i++)
sum += ((unsigned char *)dstBuf)[i]; sum += ((unsigned char *)dstBuf)[i];
} }
} else if (precision == 12) { } else if (precision == 12) {
if (tj3Decompress12(handle, data, size, (short *)dstBuf, 0, pf) == 0) { if (tj3Decompress12(handle, data, size, (short *)dstBuf, 0, pf) == 0) {
/* Touch all of the output pixels in order to catch uninitialized reads /* Touch all of the output pixels in order to catch uninitialized reads
when using MemorySanitizer. */ when using MemorySanitizer. */
for (i = 0; i < width * height * tjPixelSize[pf]; i++) for (i = 0; i < w * h * tjPixelSize[pf]; i++)
sum += ((short *)dstBuf)[i]; sum += ((short *)dstBuf)[i];
} }
} else { } else {
@@ -120,7 +122,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
pf) == 0) { pf) == 0) {
/* Touch all of the output pixels in order to catch uninitialized reads /* Touch all of the output pixels in order to catch uninitialized reads
when using MemorySanitizer. */ when using MemorySanitizer. */
for (i = 0; i < width * height * tjPixelSize[pf]; i++) for (i = 0; i < w * h * tjPixelSize[pf]; i++)
sum += ((unsigned short *)dstBuf)[i]; sum += ((unsigned short *)dstBuf)[i];
} }
} }
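Review bot: The new allocation size `w * h * tjPixelSize[pf] * sampleSize` in the second hunk, and the matching loop bounds `w * h * tjPixelSize[pf]` in the three pixel-touch loops, are evaluated in `int`; with `tjPixelSize[pf]` up to 4 and `sampleSize` 2, any image above roughly 268 megapixels wraps to a negative or small size, after which `malloc` succeeds with a too-small buffer and `tj3Decompress*` writes past it. Whether that is reachable depends on the dimension check done earlier in LLVMFuzzerTestOneInput, which starts before the first hunk and is not visible here; if that check already caps `width * height` at a small megapixel budget (as the libjpeg-turbo fuzzers usually do), this is moot, otherwise the fix is `malloc((size_t)w * h * tjPixelSize[pf] * sampleSize)` plus a `size_t` loop counter. Since the scaled `w`/`h` are now also the basis for the 97x75 cropping-region guard, it is worth a one-line comment there, `/* cr.x + cr.w and cr.y + cr.h must fit within the (scaled) output frame */`, so the magic constants are traceable to the region set on the next line.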