commit 2416f968a69ff71f83eb17e97d1cb6448c916a69
author Kevin Lubick <kjlubick@google.com> Mon Feb 12 08:26:39 2018 -0500
committer Skia Commit-Bot <skia-commit-bot@chromium.org> Mon Feb 12 15:25:59 2018 +0000
tree 91e1846328cae9f649f0768b9401faea7ab11885
parent 77295347c229fa4353e09d97961546ce3c9391e5

Add 2 fuzz targets for image decoding (oss-fuzz)

This also adds in a few small guards to prevent libfuzzer from frequently
running out of memory when an image claims to have billions of pixels.

Bug: skia:
Change-Id: I47a9daac832c4d85a42000698482b61721c38880
Reviewed-on: https://skia-review.googlesource.com/106264
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Leon Scroggins <scroggo@google.com>

fuzz/fuzz.cpp

diff --git a/fuzz/fuzz.cpp b/fuzz/fuzz.cpp
index 945518a..657879e 100644
--- a/fuzz/fuzz.cpp
+++ b/fuzz/fuzz.cpp
@@ -42,10 +42,12 @@
         "PNG with this name.");
 DEFINE_bool2(verbose, v, false, "Print more information while fuzzing.");
 DEFINE_string2(type, t, "", "How to interpret --bytes, one of:\n"
+                            "animated_image_decode\n"
                             "api\n"
                             "color_deserialize\n"
                             "filter_fuzz (equivalent to Chrome's filter_fuzz_stub)\n"
                             "icc\n"
+                            "image_decode\n"
                             "image_mode\n"
                             "image_scale\n"
                             "path_deserialize\n"
@@ -63,6 +65,8 @@
 static void fuzz_color_deserialize(sk_sp<SkData>);
 static void fuzz_filter_fuzz(sk_sp<SkData>);
 static void fuzz_icc(sk_sp<SkData>);
+static void fuzz_img2(sk_sp<SkData>);
+static void fuzz_animated_img(sk_sp<SkData>);
 static void fuzz_img(sk_sp<SkData>, uint8_t, uint8_t);
 static void fuzz_path_deserialize(sk_sp<SkData>);
 static void fuzz_region_deserialize(sk_sp<SkData>);
@@ -106,6 +110,10 @@
     }
 
     if (!FLAGS_type.isEmpty()) {
+        if (0 == strcmp("animated_image_decode", FLAGS_type[0])) {
+            fuzz_animated_img(bytes);
+            return 0;
+        }
         if (0 == strcmp("api", FLAGS_type[0])) {
             fuzz_api(bytes);
             return 0;
@@ -118,6 +126,10 @@
             fuzz_icc(bytes);
             return 0;
         }
+        if (0 == strcmp("image_decode", FLAGS_type[0])) {
+            fuzz_img2(bytes);
+            return 0;
+        }
         if (0 == strcmp("image_scale", FLAGS_type[0])) {
             uint8_t option = calculate_option(bytes.get());
             fuzz_img(bytes, option, 0);
@@ -209,6 +221,20 @@
     }
 }
 
+void FuzzAnimatedImage(sk_sp<SkData> bytes);
+
+static void fuzz_animated_img(sk_sp<SkData> bytes) {
+    FuzzAnimatedImage(bytes);
+    SkDebugf("[terminated] Didn't crash while decoding/drawing animated image!\n");
+}
+
+void FuzzImage(sk_sp<SkData> bytes);
+
+static void fuzz_img2(sk_sp<SkData> bytes) {
+    FuzzImage(bytes);
+    SkDebugf("[terminated] Didn't crash while decoding/drawing image!\n");
+}
+
 static void fuzz_img(sk_sp<SkData> bytes, uint8_t scale, uint8_t mode) {
     // We can scale 1x, 2x, 4x, 8x, 16x
     scale = scale % 5;

fuzz/oss_fuzz/FuzzAnimatedImage.cpp

diff --git a/fuzz/oss_fuzz/FuzzAnimatedImage.cpp b/fuzz/oss_fuzz/FuzzAnimatedImage.cpp
new file mode 100644
index 0000000..af43334
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzAnimatedImage.cpp
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2018 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "SkAndroidCodec.h"
+#include "SkAnimatedImage.h"
+#include "SkPaint.h"
+#include "SkCanvas.h"
+#include "SkData.h"
+#include "SkSurface.h"
+
+void FuzzAnimatedImage(sk_sp<SkData> bytes) {
+    auto codec = SkAndroidCodec::MakeFromData(bytes);
+    if (nullptr == codec) {
+        return;
+    }
+    auto aImg = SkAnimatedImage::Make(std::move(codec));
+    if (nullptr == aImg) {
+        return;
+    }
+
+    auto s = SkSurface::MakeRasterN32Premul(128, 128);
+    if (!s) {
+        // May return nullptr in memory-constrained fuzzing environments
+        return;
+    }
+
+    SkPaint p;
+    int escape = 0;
+    while (!aImg->isFinished() && escape < 100) {
+        aImg->draw(s->getCanvas());
+        escape++;
+        aImg->decodeNextFrame();
+    }
+
+}
+
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    auto bytes = SkData::MakeWithoutCopy(data, size);
+    FuzzAnimatedImage(bytes);
+    return 0;
+}
+#endif

fuzz/oss_fuzz/FuzzImage.cpp

diff --git a/fuzz/oss_fuzz/FuzzImage.cpp b/fuzz/oss_fuzz/FuzzImage.cpp
new file mode 100644
index 0000000..0f0f6f5
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzImage.cpp
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2018 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "SkImage.h"
+#include "SkPaint.h"
+#include "SkCanvas.h"
+#include "SkData.h"
+#include "SkSurface.h"
+
+void FuzzImage(sk_sp<SkData> bytes) {
+    auto img = SkImage::MakeFromEncoded(bytes);
+    if (nullptr == img.get()) {
+        return;
+    }
+
+    auto s = SkSurface::MakeRasterN32Premul(128, 128);
+    if (!s) {
+        // May return nullptr in memory-constrained fuzzing environments
+        return;
+    }
+
+    SkPaint p;
+    s->getCanvas()->drawImage(img, 0, 0, &p);
+
+}
+
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    auto bytes = SkData::MakeWithoutCopy(data, size);
+    FuzzImage(bytes);
+    return 0;
+}
+#endif