xref: /aosp_15_r20/external/webp/tests/fuzzer/animdecoder_fuzzer.cc (revision b2055c353e87c8814eb2b6b1b11112a1562253bd) 
1*b2055c35SXin Li // Copyright 2020 Google Inc.
2*b2055c35SXin Li //
3*b2055c35SXin Li // Licensed under the Apache License, Version 2.0 (the "License");
4*b2055c35SXin Li // you may not use this file except in compliance with the License.
5*b2055c35SXin Li // You may obtain a copy of the License at
6*b2055c35SXin Li //
7*b2055c35SXin Li //      http://www.apache.org/licenses/LICENSE-2.0
8*b2055c35SXin Li //
9*b2055c35SXin Li // Unless required by applicable law or agreed to in writing, software
10*b2055c35SXin Li // distributed under the License is distributed on an "AS IS" BASIS,
11*b2055c35SXin Li // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*b2055c35SXin Li // See the License for the specific language governing permissions and
13*b2055c35SXin Li // limitations under the License.
14*b2055c35SXin Li //
15*b2055c35SXin Li ////////////////////////////////////////////////////////////////////////////////
16*b2055c35SXin Li 
17*b2055c35SXin Li #include <cstddef>
18*b2055c35SXin Li #include <cstdint>
19*b2055c35SXin Li 
20*b2055c35SXin Li #include "imageio/imageio_util.h"
21*b2055c35SXin Li #include "src/webp/decode.h"
22*b2055c35SXin Li #include "src/webp/demux.h"
23*b2055c35SXin Li #include "src/webp/mux_types.h"
24*b2055c35SXin Li 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)25*b2055c35SXin Li extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
26*b2055c35SXin Li   // WebPAnimDecoderGetInfo() is too late to check the canvas size as
27*b2055c35SXin Li   // WebPAnimDecoderNew() will handle the allocations.
28*b2055c35SXin Li   const size_t kMaxNumBytes = 2684354560;  // RSS (resident set size) limit.
29*b2055c35SXin Li   const size_t kMaxNumPixels = kMaxNumBytes / 4;       // At most ARGB.
30*b2055c35SXin Li   const size_t kMaxNumPixelsSafe = kMaxNumPixels / 2;  // Allow one buffer copy.
31*b2055c35SXin Li   WebPBitstreamFeatures features;
32*b2055c35SXin Li   if (WebPGetFeatures(data, size, &features) == VP8_STATUS_OK) {
33*b2055c35SXin Li     if (!ImgIoUtilCheckSizeArgumentsOverflow(features.width * 4,
34*b2055c35SXin Li                                              features.height) ||
35*b2055c35SXin Li         static_cast<size_t>(features.width) * features.height >
36*b2055c35SXin Li             kMaxNumPixelsSafe) {
37*b2055c35SXin Li       return 0;
38*b2055c35SXin Li     }
39*b2055c35SXin Li   }
40*b2055c35SXin Li 
41*b2055c35SXin Li   // decode everything as an animation
42*b2055c35SXin Li   WebPData webp_data = {data, size};
43*b2055c35SXin Li   WebPAnimDecoder* const dec = WebPAnimDecoderNew(&webp_data, nullptr);
44*b2055c35SXin Li   if (dec == nullptr) return 0;
45*b2055c35SXin Li 
46*b2055c35SXin Li   WebPAnimInfo info;
47*b2055c35SXin Li   if (!WebPAnimDecoderGetInfo(dec, &info)) goto End;
48*b2055c35SXin Li   if (!ImgIoUtilCheckSizeArgumentsOverflow(info.canvas_width * 4,
49*b2055c35SXin Li                                            info.canvas_height)) {
50*b2055c35SXin Li     goto End;
51*b2055c35SXin Li   }
52*b2055c35SXin Li 
53*b2055c35SXin Li   while (WebPAnimDecoderHasMoreFrames(dec)) {
54*b2055c35SXin Li     uint8_t* buf;
55*b2055c35SXin Li     int timestamp;
56*b2055c35SXin Li     if (!WebPAnimDecoderGetNext(dec, &buf, &timestamp)) break;
57*b2055c35SXin Li   }
58*b2055c35SXin Li End:
59*b2055c35SXin Li   WebPAnimDecoderDelete(dec);
60*b2055c35SXin Li   return 0;
61*b2055c35SXin Li }
62