Merge pull request #1397 from omira-sch/more-fuzzers

add fuzzers for vips_smartcrop and vip_mosaic
2019-08-19 18:21:58 +01:00 · 2019-08-19 18:21:58 +01:00 · c8296ecd15
commit c8296ecd15
parent d70c431961 16a5cac2e3
5 changed files with 105 additions and 1 deletions
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@ -6,7 +6,9 @@ FUZZPROGS = \
 	pngsave_buffer_fuzzer \
 	webpsave_buffer_fuzzer \
 	sharpen_fuzzer \
-	thumbnail_fuzzer
+	thumbnail_fuzzer \
+	smartcrop_fuzzer \
+	mosaic_fuzzer

 AM_DEFAULT_SOURCE_EXT = .cc

--- a/fuzz/mosaic_fuzzer.cc
+++ b/fuzz/mosaic_fuzzer.cc
@ -0,0 +1,63 @@
+#include <vips/vips.h>
+
+struct mosaic_opt {
+	guint8 dir : 1;
+	guint16 xref;
+	guint16 yref;
+	guint16 xsec;
+	guint16 ysec;
+};
+
+extern "C" int
+LLVMFuzzerInitialize( int *argc, char ***argv )
+{
+	vips_concurrency_set( 1 );
+	return( 0 );
+}
+
+extern "C" int
+LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
+{
+	VipsImage *ref, *sec, *out;
+	struct mosaic_opt *opt;
+	double d;
+
+	if( size < sizeof(struct mosaic_opt) )
+		return( 0 );
+
+	if( !(ref = vips_image_new_from_buffer( data, size, "", NULL )) )
+		return( 0 );
+
+	/* Skip big images. They are likely to timeout.
+	 */
+	if( ref->Xsize > 1024 ||
+	    ref->Ysize > 1024 ||
+	    ref->Bands > 10 ) {
+		g_object_unref( ref );
+		return( 0 );
+	}
+
+	if( vips_rot180( ref, &sec, NULL ) ) {
+		g_object_unref( ref );
+		return( 0 );
+	}
+
+	/* Extract some bytes from the tail to fuzz the arguments of the API.
+	 */
+	opt = (struct mosaic_opt *) (data + size - sizeof(struct mosaic_opt));
+
+	if( vips_mosaic( ref, sec, &out, (VipsDirection) opt->dir,
+	                 opt->xref, opt->yref, opt->xsec, opt->ysec, NULL ) ) {
+		g_object_unref( sec );
+		g_object_unref( ref );
+		return( 0 );
+	}
+
+	vips_max( out, &d, NULL );
+
+	g_object_unref( out );
+	g_object_unref( sec );
+	g_object_unref( ref );
+
+	return( 0 );
+}
--- a/fuzz/mosaic_fuzzer_corpus/.keep
+++ b/fuzz/mosaic_fuzzer_corpus/.keep
--- a/fuzz/smartcrop_fuzzer.cc
+++ b/fuzz/smartcrop_fuzzer.cc
@ -0,0 +1,39 @@
+#include <vips/vips.h>
+
+extern "C" int
+LLVMFuzzerInitialize( int *argc, char ***argv )
+{
+	vips_concurrency_set( 1 );
+	return( 0 );
+}
+
+extern "C" int
+LLVMFuzzerTestOneInput( const guint8 *data, size_t size )
+{
+	VipsImage *image, *out;
+	double d;
+
+	if( !(image = vips_image_new_from_buffer( data, size, "", NULL )) )
+		return( 0 );
+
+	/* Skip big images. They are likely to timeout.
+	 */
+	if( image->Xsize > 1024 ||
+	    image->Ysize > 1024 ||
+	    image->Bands > 10 ) {
+		g_object_unref( image );
+		return( 0 );
+	}
+
+	if( vips_smartcrop( image, &out, 32, 32, NULL ) ) {
+		g_object_unref( image );
+		return( 0 );
+	}
+
+	vips_min( out, &d, NULL );
+
+	g_object_unref( out );
+	g_object_unref( image );
+
+	return( 0 );
+}
--- a/fuzz/smartcrop_fuzzer_corpus/.keep
+++ b/fuzz/smartcrop_fuzzer_corpus/.keep