1 // Copyright 2018 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 #include <stdint.h>
18 #include <string.h>
19
20 #include "./fuzz_utils.h"
21 #include "src/utils/rescaler_utils.h"
22 #include "src/webp/decode.h"
23
LLVMFuzzerTestOneInput(const uint8_t * const data,size_t size)24 int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
25 WebPDecoderConfig config;
26 if (!WebPInitDecoderConfig(&config)) return 0;
27 if (WebPGetFeatures(data, size, &config.input) != VP8_STATUS_OK) return 0;
28 if ((size_t)config.input.width * config.input.height > kFuzzPxLimit) return 0;
29
30 // Using two independent criteria ensures that all combinations of options
31 // can reach each path at the decoding stage, with meaningful differences.
32
33 const uint8_t value = FuzzHash(data, size);
34 const float factor = value / 255.f; // 0-1
35
36 config.options.flip = value & 1;
37 config.options.bypass_filtering = value & 2;
38 config.options.no_fancy_upsampling = value & 4;
39 config.options.use_threads = value & 8;
40 if (size & 1) {
41 config.options.use_cropping = 1;
42 config.options.crop_width = (int)(config.input.width * (1 - factor));
43 config.options.crop_height = (int)(config.input.height * (1 - factor));
44 config.options.crop_left = config.input.width - config.options.crop_width;
45 config.options.crop_top = config.input.height - config.options.crop_height;
46 }
47 if (size & 2) {
48 int strength = (int)(factor * 100);
49 config.options.dithering_strength = strength;
50 config.options.alpha_dithering_strength = 100 - strength;
51 }
52 if (size & 4) {
53 config.options.use_scaling = 1;
54 config.options.scaled_width = (int)(config.input.width * factor * 2);
55 config.options.scaled_height = (int)(config.input.height * factor * 2);
56 }
57
58 #if defined(WEBP_REDUCE_CSP)
59 config.output.colorspace = (value & 1)
60 ? ((value & 2) ? MODE_RGBA : MODE_BGRA)
61 : ((value & 2) ? MODE_rgbA : MODE_bgrA);
62 #else
63 config.output.colorspace = (WEBP_CSP_MODE)(value % MODE_LAST);
64 #endif // WEBP_REDUCE_CSP
65
66 for (int i = 0; i < 2; ++i) {
67 if (i == 1) {
68 // Use the bitstream data to generate extreme ranges for the options. An
69 // alternative approach would be to use a custom corpus containing webp
70 // files prepended with sizeof(config.options) zeroes to allow the fuzzer
71 // to modify these independently.
72 const int data_offset = 50;
73 if (data_offset + sizeof(config.options) >= size) break;
74 memcpy(&config.options, data + data_offset, sizeof(config.options));
75
76 // Skip easily avoidable out-of-memory fuzzing errors.
77 if (config.options.use_scaling) {
78 int scaled_width = config.options.scaled_width;
79 int scaled_height = config.options.scaled_height;
80 if (WebPRescalerGetScaledDimensions(config.input.width,
81 config.input.height, &scaled_width,
82 &scaled_height)) {
83 size_t fuzz_px_limit = kFuzzPxLimit;
84 if (scaled_width != config.input.width ||
85 scaled_height != config.input.height) {
86 // Using the WebPRescalerImport internally can significantly slow
87 // down the execution. Avoid timeouts due to that.
88 fuzz_px_limit /= 2;
89 }
90 // A big output canvas can lead to out-of-memory and timeout issues,
91 // but a big internal working buffer can too. Also, rescaling from a
92 // very wide input image to a very tall canvas can be as slow as
93 // decoding a huge number of pixels. Avoid timeouts due to these.
94 const uint64_t max_num_operations =
95 (uint64_t)Max(scaled_width, config.input.width) *
96 Max(scaled_height, config.input.height);
97 if (max_num_operations > fuzz_px_limit) {
98 break;
99 }
100 }
101 }
102 }
103 if (size % 3) {
104 // Decodes incrementally in chunks of increasing size.
105 WebPIDecoder* idec = WebPIDecode(NULL, 0, &config);
106 if (!idec) return 0;
107 VP8StatusCode status;
108 if (size & 8) {
109 size_t available_size = value + 1;
110 while (1) {
111 if (available_size > size) available_size = size;
112 status = WebPIUpdate(idec, data, available_size);
113 if (status != VP8_STATUS_SUSPENDED || available_size == size) break;
114 available_size *= 2;
115 }
116 } else {
117 // WebPIAppend expects new data and its size with each call.
118 // Implemented here by simply advancing the pointer into data.
119 const uint8_t* new_data = data;
120 size_t new_size = value + 1;
121 while (1) {
122 if (new_data + new_size > data + size) {
123 new_size = data + size - new_data;
124 }
125 status = WebPIAppend(idec, new_data, new_size);
126 if (status != VP8_STATUS_SUSPENDED || new_size == 0) break;
127 new_data += new_size;
128 new_size *= 2;
129 }
130 }
131 WebPIDelete(idec);
132 } else {
133 (void)WebPDecode(data, size, &config);
134 }
135
136 WebPFreeDecBuffer(&config.output);
137 }
138 return 0;
139 }
140