Blame - fuzz/FuzzPathop.cpp - platform/external/skia

blob: 30dc2a944e32bbc8962263be88f48db4a48fe78c [file] [log] [blame]

kjlubick	e565450	2016-07-19 16:50:03 -0700	[diff] [blame]	1	/*
				2	* Copyright 2016 Google Inc.
				3	*
				4	* Use of this source code is governed by a BSD-style license that can be
				5	* found in the LICENSE file.
				6	*/
				7
Mike Klein	c0bd9f9	2019-04-23 12:05:21 -0500	[diff] [blame]	8	#include "fuzz/Fuzz.h"
				9	#include "fuzz/FuzzCommon.h"
				10	#include "include/core/SkPath.h"
				11	#include "include/core/SkRect.h"
				12	#include "include/pathops/SkPathOps.h"
kjlubick	e565450	2016-07-19 16:50:03 -0700	[diff] [blame]	13
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	14	const uint8_t MAX_OPS = 20;
kjlubick	e565450	2016-07-19 16:50:03 -0700	[diff] [blame]	15
kjlubick	e565450	2016-07-19 16:50:03 -0700	[diff] [blame]	16	DEF_FUZZ(Pathop, fuzz) {
kjlubick	e565450	2016-07-19 16:50:03 -0700	[diff] [blame]	17
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	18	uint8_t choice;
				19	fuzz->nextRange(&choice, 0, 4);
				20	switch (choice) {
				21	case 0: {
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	22	uint8_t ops;
				23	fuzz->nextRange(&ops, 0, MAX_OPS);
				24	SkOpBuilder builder;
Kevin Lubick	1f0170c	2018-10-23 09:40:32 -0400	[diff] [blame]	25	for (uint8_t i = 0; i < ops && !fuzz->exhausted(); i++) {
				26	SkPath path;
				27	FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb);
Mike Reed	7d34dc7	2019-11-26 12:17:17 -0500	[diff] [blame]	28	SkPathFillType ft;
				29	fuzz->nextRange(&ft, 0, (int)SkPathFillType::kInverseEvenOdd);
Kevin Lubick	1f0170c	2018-10-23 09:40:32 -0400	[diff] [blame]	30	path.setFillType(ft);
				31
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	32	SkPathOp op;
Mike Klein	f88f5ef	2018-11-19 12:21:46 -0500	[diff] [blame]	33	fuzz->nextRange(&op, 0, SkPathOp::kReverseDifference_SkPathOp);
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	34	builder.add(path, op);
				35	}
kjlubick	e565450	2016-07-19 16:50:03 -0700	[diff] [blame]	36
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	37	SkPath result;
				38	builder.resolve(&result);
				39	break;
				40	}
				41	case 1: {
				42	SkPath path;
				43	FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb);
Mike Reed	7d34dc7	2019-11-26 12:17:17 -0500	[diff] [blame]	44	SkPathFillType ft;
				45	fuzz->nextRange(&ft, 0, (int)SkPathFillType::kInverseEvenOdd);
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	46	path.setFillType(ft);
				47
				48	SkPath result;
				49	bool isSame;
				50	fuzz->next(&isSame);
				51	if (isSame) {
				52	result = path;
				53	}
				54	Simplify(path, &result);
				55	break;
				56	}
				57	case 2: {
				58	SkPath path;
				59	FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb);
Mike Reed	7d34dc7	2019-11-26 12:17:17 -0500	[diff] [blame]	60	SkPathFillType ft;
				61	fuzz->nextRange(&ft, 0, SkPathFillType::kInverseEvenOdd);
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	62	path.setFillType(ft);
				63
				64	SkPath path2;
				65	FuzzEvilPath(fuzz, &path2, SkPath::Verb::kDone_Verb);
Mike Reed	7d34dc7	2019-11-26 12:17:17 -0500	[diff] [blame]	66	fuzz->nextRange(&ft, 0, SkPathFillType::kInverseEvenOdd);
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	67	path.setFillType(ft);
				68
				69	SkPathOp op;
Mike Klein	f88f5ef	2018-11-19 12:21:46 -0500	[diff] [blame]	70	fuzz->nextRange(&op, 0, SkPathOp::kReverseDifference_SkPathOp);
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	71
				72	SkPath result;
				73	uint8_t pickOutput;
				74	fuzz->nextRange(&pickOutput, 0, 2);
				75	if (pickOutput == 1) {
				76	result = path;
				77	} else if (pickOutput == 2) {
				78	result = path2;
				79	}
				80	Op(path, path2, op, &result);
				81	break;
				82	}
				83	case 3: {
				84	SkPath path;
				85	FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb);
Mike Reed	7d34dc7	2019-11-26 12:17:17 -0500	[diff] [blame]	86	SkPathFillType ft;
				87	fuzz->nextRange(&ft, 0, SkPathFillType::kInverseEvenOdd);
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	88	path.setFillType(ft);
				89
				90	SkPath result;
				91	bool isSame;
				92	fuzz->next(&isSame);
				93	if (isSame) {
				94	result = path;
				95	}
				96	AsWinding(path, &result);
				97	break;
				98	}
				99	case 4: {
				100	SkPath path;
				101	FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb);
Mike Reed	7d34dc7	2019-11-26 12:17:17 -0500	[diff] [blame]	102	SkPathFillType ft;
				103	fuzz->nextRange(&ft, 0, SkPathFillType::kInverseEvenOdd);
Kevin Lubick	0a5152e	2018-10-11 11:20:04 -0400	[diff] [blame]	104	path.setFillType(ft);
				105
				106	SkRect result;
				107	TightBounds(path, &result);
				108	break;
				109	}
				110	default: {
				111	SkASSERT(false);
				112	break;
				113	}
				114	}
kjlubick	e565450	2016-07-19 16:50:03 -0700	[diff] [blame]	115	}
Kevin Lubick	f84ded2	2018-10-23 09:28:48 -0400	[diff] [blame]	116
				117
				118	const int kLastOp = SkPathOp::kReverseDifference_SkPathOp;
				119
				120	void BuildPath(Fuzz* fuzz, SkPath* path) {
				121	while (!fuzz->exhausted()) {
				122	// Use a uint8_t to conserve bytes. This makes our "fuzzed bytes footprint"
				123	// smaller, which leads to more efficient fuzzing.
				124	uint8_t operation;
				125	fuzz->next(&operation);
				126	SkScalar a,b,c,d,e,f;
				127
				128	switch (operation % (SkPath::Verb::kDone_Verb + 1)) {
				129	case SkPath::Verb::kMove_Verb:
				130	if (fuzz->remaining() < (2*sizeof(SkScalar))) {
				131	fuzz->deplete();
				132	return;
				133	}
				134	fuzz->next(&a, &b);
				135	path->moveTo(a, b);
				136	break;
				137
				138	case SkPath::Verb::kLine_Verb:
				139	if (fuzz->remaining() < (2*sizeof(SkScalar))) {
				140	fuzz->deplete();
				141	return;
				142	}
				143	fuzz->next(&a, &b);
				144	path->lineTo(a, b);
				145	break;
				146
				147	case SkPath::Verb::kQuad_Verb:
				148	if (fuzz->remaining() < (4*sizeof(SkScalar))) {
				149	fuzz->deplete();
				150	return;
				151	}
				152	fuzz->next(&a, &b, &c, &d);
				153	path->quadTo(a, b, c, d);
				154	break;
				155
				156	case SkPath::Verb::kConic_Verb:
				157	if (fuzz->remaining() < (5*sizeof(SkScalar))) {
				158	fuzz->deplete();
				159	return;
				160	}
				161	fuzz->next(&a, &b, &c, &d, &e);
				162	path->conicTo(a, b, c, d, e);
				163	break;
				164
				165	case SkPath::Verb::kCubic_Verb:
				166	if (fuzz->remaining() < (6*sizeof(SkScalar))) {
				167	fuzz->deplete();
				168	return;
				169	}
				170	fuzz->next(&a, &b, &c, &d, &e, &f);
				171	path->cubicTo(a, b, c, d, e, f);
				172	break;
				173
				174	case SkPath::Verb::kClose_Verb:
				175	path->close();
				176	break;
				177
				178	case SkPath::Verb::kDone_Verb:
				179	// In this case, simply exit.
				180	return;
				181	}
				182	}
				183	}
				184
				185	DEF_FUZZ(LegacyChromiumPathop, fuzz) {
				186	// See https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/skia_pathop_fuzzer.cc
				187	SkOpBuilder builder;
				188	while (!fuzz->exhausted()) {
				189	SkPath path;
				190	uint8_t op;
				191	fuzz->next(&op);
				192	if (fuzz->exhausted()) {
				193	break;
				194	}
				195
				196	BuildPath(fuzz, &path);
				197	builder.add(path, static_cast<SkPathOp>(op % (kLastOp + 1)));
				198	}
				199
				200	SkPath result;
				201	builder.resolve(&result);
				202	}