1*b2055c35SXin Li // Copyright 2018 Google Inc.
2*b2055c35SXin Li //
3*b2055c35SXin Li // Licensed under the Apache License, Version 2.0 (the "License");
4*b2055c35SXin Li // you may not use this file except in compliance with the License.
5*b2055c35SXin Li // You may obtain a copy of the License at
6*b2055c35SXin Li //
7*b2055c35SXin Li // http://www.apache.org/licenses/LICENSE-2.0
8*b2055c35SXin Li //
9*b2055c35SXin Li // Unless required by applicable law or agreed to in writing, software
10*b2055c35SXin Li // distributed under the License is distributed on an "AS IS" BASIS,
11*b2055c35SXin Li // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*b2055c35SXin Li // See the License for the specific language governing permissions and
13*b2055c35SXin Li // limitations under the License.
14*b2055c35SXin Li //
15*b2055c35SXin Li ////////////////////////////////////////////////////////////////////////////////
16*b2055c35SXin Li
17*b2055c35SXin Li #include <stdio.h>
18*b2055c35SXin Li #include <stdlib.h>
19*b2055c35SXin Li
20*b2055c35SXin Li #include "./fuzz_utils.h"
21*b2055c35SXin Li #include "src/webp/encode.h"
22*b2055c35SXin Li #include "src/webp/mux.h"
23*b2055c35SXin Li
24*b2055c35SXin Li namespace {
25*b2055c35SXin Li
26*b2055c35SXin Li const VP8CPUInfo default_VP8GetCPUInfo = VP8GetCPUInfo;
27*b2055c35SXin Li
AddFrame(WebPAnimEncoder ** const enc,const WebPAnimEncoderOptions & anim_config,int * const width,int * const height,int timestamp_ms,const uint8_t data[],size_t size,uint32_t * const bit_pos)28*b2055c35SXin Li int AddFrame(WebPAnimEncoder** const enc,
29*b2055c35SXin Li const WebPAnimEncoderOptions& anim_config, int* const width,
30*b2055c35SXin Li int* const height, int timestamp_ms, const uint8_t data[],
31*b2055c35SXin Li size_t size, uint32_t* const bit_pos) {
32*b2055c35SXin Li if (enc == nullptr || width == nullptr || height == nullptr) {
33*b2055c35SXin Li fprintf(stderr, "NULL parameters.\n");
34*b2055c35SXin Li if (enc != nullptr) WebPAnimEncoderDelete(*enc);
35*b2055c35SXin Li abort();
36*b2055c35SXin Li }
37*b2055c35SXin Li
38*b2055c35SXin Li // Init the source picture.
39*b2055c35SXin Li WebPPicture pic;
40*b2055c35SXin Li if (!WebPPictureInit(&pic)) {
41*b2055c35SXin Li fprintf(stderr, "WebPPictureInit failed.\n");
42*b2055c35SXin Li WebPAnimEncoderDelete(*enc);
43*b2055c35SXin Li abort();
44*b2055c35SXin Li }
45*b2055c35SXin Li pic.use_argb = Extract(1, data, size, bit_pos);
46*b2055c35SXin Li
47*b2055c35SXin Li // Read the source picture.
48*b2055c35SXin Li if (!ExtractSourcePicture(&pic, data, size, bit_pos)) {
49*b2055c35SXin Li const WebPEncodingError error_code = pic.error_code;
50*b2055c35SXin Li WebPAnimEncoderDelete(*enc);
51*b2055c35SXin Li WebPPictureFree(&pic);
52*b2055c35SXin Li if (error_code == VP8_ENC_ERROR_OUT_OF_MEMORY) return 0;
53*b2055c35SXin Li fprintf(stderr, "Can't read input image. Error code: %d\n", error_code);
54*b2055c35SXin Li abort();
55*b2055c35SXin Li }
56*b2055c35SXin Li
57*b2055c35SXin Li // Crop and scale.
58*b2055c35SXin Li if (*enc == nullptr) { // First frame will set canvas width and height.
59*b2055c35SXin Li if (!ExtractAndCropOrScale(&pic, data, size, bit_pos)) {
60*b2055c35SXin Li const WebPEncodingError error_code = pic.error_code;
61*b2055c35SXin Li WebPPictureFree(&pic);
62*b2055c35SXin Li if (error_code == VP8_ENC_ERROR_OUT_OF_MEMORY) return 0;
63*b2055c35SXin Li fprintf(stderr, "ExtractAndCropOrScale failed. Error code: %d\n",
64*b2055c35SXin Li error_code);
65*b2055c35SXin Li abort();
66*b2055c35SXin Li }
67*b2055c35SXin Li } else { // Other frames will be resized to the first frame's dimensions.
68*b2055c35SXin Li if (!WebPPictureRescale(&pic, *width, *height)) {
69*b2055c35SXin Li const WebPEncodingError error_code = pic.error_code;
70*b2055c35SXin Li WebPAnimEncoderDelete(*enc);
71*b2055c35SXin Li WebPPictureFree(&pic);
72*b2055c35SXin Li if (error_code == VP8_ENC_ERROR_OUT_OF_MEMORY) return 0;
73*b2055c35SXin Li fprintf(stderr,
74*b2055c35SXin Li "WebPPictureRescale failed. Size: %d,%d. Error code: %d\n",
75*b2055c35SXin Li *width, *height, error_code);
76*b2055c35SXin Li abort();
77*b2055c35SXin Li }
78*b2055c35SXin Li }
79*b2055c35SXin Li
80*b2055c35SXin Li // Create encoder if it doesn't exist.
81*b2055c35SXin Li if (*enc == nullptr) {
82*b2055c35SXin Li *width = pic.width;
83*b2055c35SXin Li *height = pic.height;
84*b2055c35SXin Li *enc = WebPAnimEncoderNew(*width, *height, &anim_config);
85*b2055c35SXin Li if (*enc == nullptr) {
86*b2055c35SXin Li WebPPictureFree(&pic);
87*b2055c35SXin Li return 0;
88*b2055c35SXin Li }
89*b2055c35SXin Li }
90*b2055c35SXin Li
91*b2055c35SXin Li // Create frame encoding config.
92*b2055c35SXin Li WebPConfig config;
93*b2055c35SXin Li if (!ExtractWebPConfig(&config, data, size, bit_pos)) {
94*b2055c35SXin Li fprintf(stderr, "ExtractWebPConfig failed.\n");
95*b2055c35SXin Li WebPAnimEncoderDelete(*enc);
96*b2055c35SXin Li WebPPictureFree(&pic);
97*b2055c35SXin Li abort();
98*b2055c35SXin Li }
99*b2055c35SXin Li // Skip slow settings on big images, it's likely to timeout.
100*b2055c35SXin Li if (pic.width * pic.height > 32 * 32) {
101*b2055c35SXin Li config.method = (config.method > 4) ? 4 : config.method;
102*b2055c35SXin Li config.quality = (config.quality > 99.0f) ? 99.0f : config.quality;
103*b2055c35SXin Li config.alpha_quality =
104*b2055c35SXin Li (config.alpha_quality > 99) ? 99 : config.alpha_quality;
105*b2055c35SXin Li }
106*b2055c35SXin Li
107*b2055c35SXin Li // Encode.
108*b2055c35SXin Li if (!WebPAnimEncoderAdd(*enc, &pic, timestamp_ms, &config)) {
109*b2055c35SXin Li const WebPEncodingError error_code = pic.error_code;
110*b2055c35SXin Li WebPAnimEncoderDelete(*enc);
111*b2055c35SXin Li WebPPictureFree(&pic);
112*b2055c35SXin Li // Tolerate failures when running under the nallocfuzz engine as
113*b2055c35SXin Li // WebPAnimEncoderAdd() may fail due to memory allocation errors outside of
114*b2055c35SXin Li // the encoder; in muxer functions that return booleans for instance.
115*b2055c35SXin Li if (error_code == VP8_ENC_ERROR_OUT_OF_MEMORY ||
116*b2055c35SXin Li error_code == VP8_ENC_ERROR_BAD_WRITE ||
117*b2055c35SXin Li getenv("NALLOC_FUZZ_VERSION") != nullptr) {
118*b2055c35SXin Li return 0;
119*b2055c35SXin Li }
120*b2055c35SXin Li fprintf(stderr, "WebPEncode failed. Error code: %d\n", error_code);
121*b2055c35SXin Li abort();
122*b2055c35SXin Li }
123*b2055c35SXin Li
124*b2055c35SXin Li WebPPictureFree(&pic);
125*b2055c35SXin Li return 1;
126*b2055c35SXin Li }
127*b2055c35SXin Li
128*b2055c35SXin Li } // namespace
129*b2055c35SXin Li
LLVMFuzzerTestOneInput(const uint8_t * const data,size_t size)130*b2055c35SXin Li extern "C" int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
131*b2055c35SXin Li WebPAnimEncoder* enc = nullptr;
132*b2055c35SXin Li int width = 0, height = 0, timestamp_ms = 0;
133*b2055c35SXin Li uint32_t bit_pos = 0;
134*b2055c35SXin Li
135*b2055c35SXin Li ExtractAndDisableOptimizations(default_VP8GetCPUInfo, data, size, &bit_pos);
136*b2055c35SXin Li
137*b2055c35SXin Li // Extract a configuration from the packed bits.
138*b2055c35SXin Li WebPAnimEncoderOptions anim_config;
139*b2055c35SXin Li if (!WebPAnimEncoderOptionsInit(&anim_config)) {
140*b2055c35SXin Li fprintf(stderr, "WebPAnimEncoderOptionsInit failed.\n");
141*b2055c35SXin Li abort();
142*b2055c35SXin Li }
143*b2055c35SXin Li anim_config.minimize_size = Extract(1, data, size, &bit_pos);
144*b2055c35SXin Li anim_config.kmax = Extract(15, data, size, &bit_pos);
145*b2055c35SXin Li const int min_kmin = (anim_config.kmax > 1) ? (anim_config.kmax / 2) : 0;
146*b2055c35SXin Li const int max_kmin = (anim_config.kmax > 1) ? (anim_config.kmax - 1) : 0;
147*b2055c35SXin Li anim_config.kmin =
148*b2055c35SXin Li min_kmin + Extract((uint32_t)(max_kmin - min_kmin), data, size, &bit_pos);
149*b2055c35SXin Li anim_config.allow_mixed = Extract(1, data, size, &bit_pos);
150*b2055c35SXin Li anim_config.verbose = 0;
151*b2055c35SXin Li
152*b2055c35SXin Li const int nb_frames = 1 + Extract(15, data, size, &bit_pos);
153*b2055c35SXin Li
154*b2055c35SXin Li // For each frame.
155*b2055c35SXin Li for (int i = 0; i < nb_frames; ++i) {
156*b2055c35SXin Li if (!AddFrame(&enc, anim_config, &width, &height, timestamp_ms, data, size,
157*b2055c35SXin Li &bit_pos)) {
158*b2055c35SXin Li return 0;
159*b2055c35SXin Li }
160*b2055c35SXin Li
161*b2055c35SXin Li timestamp_ms += (1 << (2 + Extract(15, data, size, &bit_pos))) +
162*b2055c35SXin Li Extract(1, data, size, &bit_pos); // [1..131073], arbitrary
163*b2055c35SXin Li }
164*b2055c35SXin Li
165*b2055c35SXin Li // Assemble.
166*b2055c35SXin Li if (!WebPAnimEncoderAdd(enc, nullptr, timestamp_ms, nullptr)) {
167*b2055c35SXin Li fprintf(stderr, "Last WebPAnimEncoderAdd failed: %s.\n",
168*b2055c35SXin Li WebPAnimEncoderGetError(enc));
169*b2055c35SXin Li WebPAnimEncoderDelete(enc);
170*b2055c35SXin Li abort();
171*b2055c35SXin Li }
172*b2055c35SXin Li WebPData webp_data;
173*b2055c35SXin Li WebPDataInit(&webp_data);
174*b2055c35SXin Li // Tolerate failures when running under the nallocfuzz engine as allocations
175*b2055c35SXin Li // during assembly may fail.
176*b2055c35SXin Li if (!WebPAnimEncoderAssemble(enc, &webp_data) &&
177*b2055c35SXin Li getenv("NALLOC_FUZZ_VERSION") == nullptr) {
178*b2055c35SXin Li fprintf(stderr, "WebPAnimEncoderAssemble failed: %s.\n",
179*b2055c35SXin Li WebPAnimEncoderGetError(enc));
180*b2055c35SXin Li WebPAnimEncoderDelete(enc);
181*b2055c35SXin Li WebPDataClear(&webp_data);
182*b2055c35SXin Li abort();
183*b2055c35SXin Li }
184*b2055c35SXin Li
185*b2055c35SXin Li WebPAnimEncoderDelete(enc);
186*b2055c35SXin Li WebPDataClear(&webp_data);
187*b2055c35SXin Li return 0;
188*b2055c35SXin Li }
189