authorGravatar Google AutoFuzz Team <security-tps@google.com>2020-05-29 12:01:23 +0200
committerGravatar GitHub <noreply@github.com>2020-05-29 20:01:23 +1000
commit8284b6bbddcfce2432cd946d29f74a66f1819494 (patch)
tree8f6536b8cfd4cfeac5d9800c50db7b3fef2bc8da
parent5b114cdc02f77cd18575eff0d99a71c1fdde6468 (diff)
[libgd] Add another fuzzer to libgd (#3892)
-rw-r--r--projects/libgd/Dockerfile2
-rwxr-xr-xprojects/libgd/build.sh7
-rw-r--r--projects/libgd/gd_image_string_fuzzer.cc53
3 files changed, 61 insertions, 1 deletions
diff --git a/projects/libgd/Dockerfile b/projects/libgd/Dockerfile
index a85269ee..617b0a50 100644
--- a/projects/libgd/Dockerfile
+++ b/projects/libgd/Dockerfile
@@ -21,4 +21,4 @@ RUN apt-get update && \
RUN git clone --depth 1 https://github.com/libgd/libgd
ADD https://lcamtuf.coredump.cx/afl/demo/afl_testcases.tgz $SRC/afl_testcases.tgz
WORKDIR libgd
-COPY build.sh parser_target.cc $SRC/
+COPY build.sh *.cc $SRC/
diff --git a/projects/libgd/build.sh b/projects/libgd/build.sh
index c49d21b4..4aabb063 100755
--- a/projects/libgd/build.sh
+++ b/projects/libgd/build.sh
@@ -32,6 +32,13 @@ for target in Bmp Gd Gd2 Gif Jpeg Png Tga Tiff WBMP Webp; do
$LIB_FUZZING_ENGINE -lgd -Wl,-Bstatic -lz -Wl,-Bdynamic
done
+for fuzzers in $(find $SRC -name '*_fuzzer.cc'); do
+ fuzz_basename=$(basename -s .cc $fuzzers)
+ $CXX $CXXFLAGS -std=c++11 -I"$WORK/include" -L"$WORK/lib" \
+ $fuzzers -o $OUT/$fuzz_basename \
+ $LIB_FUZZING_ENGINE -lgd -Wl,-Bstatic -lz -Wl,-Bdynamic
+done
+
mkdir afl_testcases
(cd afl_testcases; tar xvf "$SRC/afl_testcases.tgz")
for format in bmp gif png webp; do
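Review bot: The new loop leaves every expansion unquoted (`$(find $SRC ...)`, `$fuzzers`, `$OUT/$fuzz_basename`), so a path containing whitespace is split into separate words and silently miscompiled; the file paths used here are fixed by the Dockerfile, so this is a latent rather than present failure, but it costs nothing to quote them: `fuzz_basename=$(basename -s .cc "$fuzzers")` and `"$fuzzers" -o "$OUT/$fuzz_basename" \`. The recursive `find` under `$SRC` will also pick up any `*_fuzzer.cc` that happens to live inside the cloned libgd tree, which is presumably not intended; if only the files copied by the Dockerfile should build, `for fuzzers in "$SRC"/*_fuzzer.cc; do` is both narrower and splitting-safe. The loop variable is also singular in meaning, so `fuzzer` would read better than `fuzzers`.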
diff --git a/projects/libgd/gd_image_string_fuzzer.cc b/projects/libgd/gd_image_string_fuzzer.cc
new file mode 100644
index 00000000..f3435cc7
--- /dev/null
+++ b/projects/libgd/gd_image_string_fuzzer.cc
@@ -0,0 +1,53 @@
+// Copyright 2020 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+/////////////////////////////////////////////////////////////////////////////
+
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include <cstddef>
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+
+#include "gd.h"
+#include "gdfontg.h"
+#include "gdfontl.h"
+#include "gdfontmb.h"
+#include "gdfonts.h"
+#include "gdfontt.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ FuzzedDataProvider stream(data, size);
+ const uint8_t slate_width = stream.ConsumeIntegral<uint8_t>();
+ const uint8_t slate_height = stream.ConsumeIntegral<uint8_t>();
+ gdImagePtr slate_image = gdImageCreateTrueColor(slate_width, slate_height);
+ if (slate_image == nullptr) {
+ return 0;
+ }
+
+ const int x_position = stream.ConsumeIntegral<int>();
+ const int y_position = stream.ConsumeIntegral<int>();
+ const int text_color = stream.ConsumeIntegral<int>();
+ const gdFontPtr font_ptr = stream.PickValueInArray(
+ {gdFontGetGiant(), gdFontGetLarge(), gdFontGetMediumBold(),
+ gdFontGetSmall(), gdFontGetTiny()});
+ const std::string text = stream.ConsumeRemainingBytesAsString();
+
+ gdImageString(slate_image, font_ptr, x_position, y_position,
+ reinterpret_cast<uint8_t*>(const_cast<char*>(text.c_str())),
+ text_color);
+ gdImageDestroy(slate_image);
+ return 0;
+}
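Review bot: The `reinterpret_cast<uint8_t*>(const_cast<char*>(text.c_str()))` on the gdImageString call hands a buffer that is formally const to a non-const `unsigned char *` parameter; libgd only reads it, but the double cast obscures that and invites a future caller to copy the pattern somewhere it is not safe. Since `text` is a local owned copy, dropping its `const` and passing `reinterpret_cast<unsigned char*>(&text[0])` (valid for the empty string as well in C++11, which build.sh selects) removes the `const_cast` entirely; copying into a `std::vector<unsigned char>` is the alternative if the constness of `text` should be kept. The choice of `uint8_t` for the canvas dimensions is presumably there to keep per-input allocation small, and a one-line comment saying so would help the next person who tries to widen it: `// Keep width/height in 0..255 so each input allocates only a small canvas.`. Finally, holding `slate_image` in a `std::unique_ptr<gdImage, decltype(&gdImageDestroy)>` would make the cleanup hold for any early return added later rather than relying on the single `gdImageDestroy` before the final `return 0`.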