From 16a5cac2e352cfd661ee56f113103d451afd8b64 Mon Sep 17 00:00:00 2001
From: Oscar Mira
Date: Mon, 19 Aug 2019 15:59:55 +0200
Subject: [PATCH] add fuzzers for vips_smartcrop and vip_mosaic

---
 fuzz/Makefile.am | 4 +-
 fuzz/mosaic_fuzzer.cc | 63 ++++++++++++++++++++++++++++++
 fuzz/mosaic_fuzzer_corpus/.keep | 0
 fuzz/smartcrop_fuzzer.cc | 39 ++++++++++++++++++
 fuzz/smartcrop_fuzzer_corpus/.keep | 0
 5 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 fuzz/mosaic_fuzzer.cc
 create mode 100644 fuzz/mosaic_fuzzer_corpus/.keep
 create mode 100644 fuzz/smartcrop_fuzzer.cc
 create mode 100644 fuzz/smartcrop_fuzzer_corpus/.keep

diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index 6169da14..64f75318 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -6,7 +6,9 @@ FUZZPROGS = \
 pngsave_buffer_fuzzer \
 webpsave_buffer_fuzzer \
 sharpen_fuzzer \
- thumbnail_fuzzer
+ thumbnail_fuzzer \
+ smartcrop_fuzzer \
+ mosaic_fuzzer
 AM_DEFAULT_SOURCE_EXT = .cc
diff --git a/fuzz/mosaic_fuzzer.cc b/fuzz/mosaic_fuzzer.cc
new file mode 100644
index 00000000..a7b7a12d
--- /dev/null
+++ b/fuzz/mosaic_fuzzer.cc
@@ -0,0 +1,63 @@
+#include
+
+struct mosaic_opt {
+ guint8 dir : 1;
+ guint16 xref;
+ guint16 yref;
+ guint16 xsec;
+ guint16 ysec;
+};
+
+extern "C" int
+LLVMFuzzerInitialize( int *argc, char ***argv )
+{
+ vips_concurrency_set( 1 );
+ return( 0 );
+}
+
+extern "C" int
+LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
+{
+ VipsImage *ref, *sec, *out;
+ struct mosaic_opt *opt;
+ double d;
+
+ if( size < sizeof(struct mosaic_opt) )
+ return( 0 );
+
+ if( !(ref = vips_image_new_from_buffer( data, size, "", NULL )) )
+ return( 0 );
+
+ /* Skip big images. They are likely to timeout.
+ */
+ if( ref->Xsize > 1024 ||
+ ref->Ysize > 1024 ||
+ ref->Bands > 10 ) {
+ g_object_unref( ref );
+ return( 0 );
+ }
+
+ if( vips_rot180( ref, &sec, NULL ) ) {
+ g_object_unref( ref );
+ return( 0 );
+ }
+
+ /* Extract some bytes from the tail to fuzz the arguments of the API.
+ */
+ opt = (struct mosaic_opt *) (data + size - sizeof(struct mosaic_opt));
+
+ if( vips_mosaic( ref, sec, &out, (VipsDirection) opt->dir,
+ opt->xref, opt->yref, opt->xsec, opt->ysec, NULL ) ) {
+ g_object_unref( sec );
+ g_object_unref( ref );
+ return( 0 );
+ }
+
+ vips_max( out, &d, NULL );
+
+ g_object_unref( out );
+ g_object_unref( sec );
+ g_object_unref( ref );
+
+ return( 0 );
+}
diff --git a/fuzz/mosaic_fuzzer_corpus/.keep b/fuzz/mosaic_fuzzer_corpus/.keep
new file mode 100644
index 00000000..e69de29b
diff --git a/fuzz/smartcrop_fuzzer.cc b/fuzz/smartcrop_fuzzer.cc
new file mode 100644
index 00000000..30e349d1
--- /dev/null
+++ b/fuzz/smartcrop_fuzzer.cc
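Review bot: The tail-of-buffer read on the `opt = (struct mosaic_opt *) (data + size - sizeof(struct mosaic_opt));` line accesses the `guint16` members through a pointer whose alignment depends on `size`, so any odd-length input makes it a misaligned access — undefined behaviour that an alignment-sanitised fuzz build will report as a finding of its own rather than of vips_mosaic. Copy the bytes into a local instead: declare `struct mosaic_opt opt;` and replace the cast with `memcpy( &opt, data + size - sizeof( opt ), sizeof( opt ) );` (with `<string.h>` included), then switch the `opt->` accesses in the vips_mosaic call to `opt.`. The `vips_max( out, &d, NULL );` result is discarded; `d` is never read so that is harmless, but `(void) vips_max( out, &d, NULL );` makes the deliberate discard explicit, and the same applies to `vips_min` in smartcrop_fuzzer.cc.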
@@ -0,0 +1,39 @@
+#include
+
+extern "C" int
+LLVMFuzzerInitialize( int *argc, char ***argv )
+{
+ vips_concurrency_set( 1 );
+ return( 0 );
+}
+
+extern "C" int
+LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
+{
+ VipsImage *image, *out;
+ double d;
+
+ if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) )
+ return( 0 );
+
+ /* Skip big images. They are likely to timeout.
+ */
+ if( image->Xsize > 1024 ||
+ image->Ysize > 1024 ||
+ image->Bands > 10 ) {
+ g_object_unref( image );
+ return( 0 );
+ }
+
+ if( vips_smartcrop( image, &out, 32, 32, NULL ) ) {
+ g_object_unref( image );
+ return( 0 );
+ }
+
+ vips_min( out, &d, NULL );
+
+ g_object_unref( out );
+ g_object_unref( image );
+
+ return( 0 );
+}
diff --git a/fuzz/smartcrop_fuzzer_corpus/.keep b/fuzz/smartcrop_fuzzer_corpus/.keep
new file mode 100644
index 00000000..e69de29b
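Review bot: The `vips_min( out, &d, NULL );` call is the only thing done with the crop result and `d` is never read, and nothing in the new file says why, so a reader could take it for a leftover. A comment above it such as `/* Pull pixels through the pipeline so the crop is actually computed; the value itself is unused. */` would record the intent — I am inferring that purpose from libvips' demand-driven evaluation, so confirm it matches the author's reason. The same comment fits the `vips_max` call in mosaic_fuzzer.cc.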