Add 2 fuzz targets for image decoding (oss-fuzz)
This also adds in a few small guards to prevent libfuzzer from frequently
running out of memory when an image claims to have billions of pixels.
Bug: skia:
Change-Id: I47a9daac832c4d85a42000698482b61721c38880
Reviewed-on: https://skia-review.googlesource.com/106264
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Leon Scroggins <scroggo@google.com>
diff --git a/BUILD.gn b/BUILD.gn
index d45f692..364cde7 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -1730,6 +1730,8 @@
"fuzz/FuzzPathop.cpp",
"fuzz/FuzzScaleToSides.cpp",
"fuzz/fuzz.cpp",
+ "fuzz/oss_fuzz/FuzzAnimatedImage.cpp",
+ "fuzz/oss_fuzz/FuzzImage.cpp",
"fuzz/oss_fuzz/FuzzImageFilterDeserialize.cpp",
"fuzz/oss_fuzz/FuzzPathDeserialize.cpp",
"fuzz/oss_fuzz/FuzzRegionDeserialize.cpp",
diff --git a/fuzz/fuzz.cpp b/fuzz/fuzz.cpp
index 945518a..657879e 100644
--- a/fuzz/fuzz.cpp
+++ b/fuzz/fuzz.cpp
@@ -42,10 +42,12 @@
"PNG with this name.");
DEFINE_bool2(verbose, v, false, "Print more information while fuzzing.");
DEFINE_string2(type, t, "", "How to interpret --bytes, one of:\n"
+ "animated_image_decode\n"
"api\n"
"color_deserialize\n"
"filter_fuzz (equivalent to Chrome's filter_fuzz_stub)\n"
"icc\n"
+ "image_decode\n"
"image_mode\n"
"image_scale\n"
"path_deserialize\n"
@@ -63,6 +65,8 @@
static void fuzz_color_deserialize(sk_sp<SkData>);
static void fuzz_filter_fuzz(sk_sp<SkData>);
static void fuzz_icc(sk_sp<SkData>);
+static void fuzz_img2(sk_sp<SkData>);
+static void fuzz_animated_img(sk_sp<SkData>);
static void fuzz_img(sk_sp<SkData>, uint8_t, uint8_t);
static void fuzz_path_deserialize(sk_sp<SkData>);
static void fuzz_region_deserialize(sk_sp<SkData>);
@@ -106,6 +110,10 @@
}
if (!FLAGS_type.isEmpty()) {
+ if (0 == strcmp("animated_image_decode", FLAGS_type[0])) {
+ fuzz_animated_img(bytes);
+ return 0;
+ }
if (0 == strcmp("api", FLAGS_type[0])) {
fuzz_api(bytes);
return 0;
@@ -118,6 +126,10 @@
fuzz_icc(bytes);
return 0;
}
+ if (0 == strcmp("image_decode", FLAGS_type[0])) {
+ fuzz_img2(bytes);
+ return 0;
+ }
if (0 == strcmp("image_scale", FLAGS_type[0])) {
uint8_t option = calculate_option(bytes.get());
fuzz_img(bytes, option, 0);
@@ -209,6 +221,20 @@
}
}
+void FuzzAnimatedImage(sk_sp<SkData> bytes);
+
+static void fuzz_animated_img(sk_sp<SkData> bytes) {
+ FuzzAnimatedImage(bytes);
+ SkDebugf("[terminated] Didn't crash while decoding/drawing animated image!\n");
+}
+
+void FuzzImage(sk_sp<SkData> bytes);
+
+static void fuzz_img2(sk_sp<SkData> bytes) {
+ FuzzImage(bytes);
+ SkDebugf("[terminated] Didn't crash while decoding/drawing image!\n");
+}
+
static void fuzz_img(sk_sp<SkData> bytes, uint8_t scale, uint8_t mode) {
// We can scale 1x, 2x, 4x, 8x, 16x
scale = scale % 5;
diff --git a/fuzz/oss_fuzz/FuzzAnimatedImage.cpp b/fuzz/oss_fuzz/FuzzAnimatedImage.cpp
new file mode 100644
index 0000000..af43334
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzAnimatedImage.cpp
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2018 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "SkAndroidCodec.h"
+#include "SkAnimatedImage.h"
+#include "SkPaint.h"
+#include "SkCanvas.h"
+#include "SkData.h"
+#include "SkSurface.h"
+
+void FuzzAnimatedImage(sk_sp<SkData> bytes) {
+ auto codec = SkAndroidCodec::MakeFromData(bytes);
+ if (nullptr == codec) {
+ return;
+ }
+ auto aImg = SkAnimatedImage::Make(std::move(codec));
+ if (nullptr == aImg) {
+ return;
+ }
+
+ auto s = SkSurface::MakeRasterN32Premul(128, 128);
+ if (!s) {
+ // May return nullptr in memory-constrained fuzzing environments
+ return;
+ }
+
+ SkPaint p;
+ int escape = 0;
+ while (!aImg->isFinished() && escape < 100) {
+ aImg->draw(s->getCanvas());
+ escape++;
+ aImg->decodeNextFrame();
+ }
+
+}
+
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ auto bytes = SkData::MakeWithoutCopy(data, size);
+ FuzzAnimatedImage(bytes);
+ return 0;
+}
+#endif
diff --git a/fuzz/oss_fuzz/FuzzImage.cpp b/fuzz/oss_fuzz/FuzzImage.cpp
new file mode 100644
index 0000000..0f0f6f5
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzImage.cpp
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2018 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "SkImage.h"
+#include "SkPaint.h"
+#include "SkCanvas.h"
+#include "SkData.h"
+#include "SkSurface.h"
+
+void FuzzImage(sk_sp<SkData> bytes) {
+ auto img = SkImage::MakeFromEncoded(bytes);
+ if (nullptr == img.get()) {
+ return;
+ }
+
+ auto s = SkSurface::MakeRasterN32Premul(128, 128);
+ if (!s) {
+ // May return nullptr in memory-constrained fuzzing environments
+ return;
+ }
+
+ SkPaint p;
+ s->getCanvas()->drawImage(img, 0, 0, &p);
+
+}
+
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ auto bytes = SkData::MakeWithoutCopy(data, size);
+ FuzzImage(bytes);
+ return 0;
+}
+#endif
diff --git a/include/private/SkMalloc.h b/include/private/SkMalloc.h
index 178e1b8..0e41073 100644
--- a/include/private/SkMalloc.h
+++ b/include/private/SkMalloc.h
@@ -64,6 +64,13 @@
}
static inline void* sk_calloc_canfail(size_t size) {
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+ // The Libfuzzer environment is very susceptible to OOM, so to avoid those
+ // just pretend we can't allocate more than 200kb.
+ if (size > 200000) {
+ return nullptr;
+ }
+#endif
return sk_malloc_flags(size, SK_MALLOC_ZERO_INITIALIZE);
}
@@ -76,6 +83,13 @@
* These variants return nullptr on failure
*/
static inline void* sk_malloc_canfail(size_t size) {
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+ // The Libfuzzer environment is very susceptible to OOM, so to avoid those
+ // just pretend we can't allocate more than 200kb.
+ if (size > 200000) {
+ return nullptr;
+ }
+#endif
return sk_malloc_flags(size, 0);
}
SK_API extern void* sk_malloc_canfail(size_t count, size_t elemSize);
diff --git a/src/codec/SkRawCodec.cpp b/src/codec/SkRawCodec.cpp
index 4fda120..5e6f54a 100644
--- a/src/codec/SkRawCodec.cpp
+++ b/src/codec/SkRawCodec.cpp
@@ -447,6 +447,12 @@
*/
static SkDngImage* NewFromStream(SkRawStream* stream) {
std::unique_ptr<SkDngImage> dngImage(new SkDngImage(stream));
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+ // Libfuzzer easily runs out of memory after here. To avoid that
+ // We just pretend all streams are invalid. Our AFL-fuzzer
+ // should still exercise this code; it's more resistant to OOM.
+ return nullptr;
+#endif
if (!dngImage->initFromPiex() && !dngImage->readDng()) {
return nullptr;
}
diff --git a/src/ports/SkMemory_malloc.cpp b/src/ports/SkMemory_malloc.cpp
index d935113..29e7543 100644
--- a/src/ports/SkMemory_malloc.cpp
+++ b/src/ports/SkMemory_malloc.cpp
@@ -15,7 +15,7 @@
static inline void sk_out_of_memory(size_t size) {
SK_DEBUGFAILF("sk_out_of_memory (asked for " SK_SIZE_T_SPECIFIER " bytes)",
size);
-#if defined(IS_FUZZING)
+#if defined(IS_FUZZING_WITH_AFL)
exit(1);
#else
abort();
@@ -37,9 +37,6 @@
#endif
#if defined(SK_DEBUG) && defined(SK_BUILD_FOR_WIN)
__debugbreak();
-#endif
-#if defined(IS_FUZZING)
- exit(1);
#else
abort();
#endif