authorGravatar ecalp-tps <72207867+ecalp-tps@users.noreply.github.com>2020-11-26 18:26:40 +0100
committerGravatar GitHub <noreply@github.com>2020-11-26 09:26:40 -0800
commitbc358f33ad3243e06c3c9934b54561d31a2aee6b (patch)
tree947b0da17c66c091100738d787150f65d7d54aab /projects
parentd6957a1a36a2d83ba0a80a9adc4e773c36f13451 (diff)
New fuzzers for Poppler (#4635)
* Initial commit: cpp and glib work. qt5 compilation fails * changing static libs to shared libs (freetype, lcms, openjp2) * qt5 compiles * build works for all three libs - todo: dict names * Creating copies of dict for each fuzz target * Remove tail command from build script * Trying to fix build checks - export LD_LIBRARY_PATH * change libpng and libz to static libraries * retrigger checks * ld cannot find -lgcc_s * WIP for qt5 * Build check passes locally * Remove -fno-rtti to make undefined sanitizer work. Remove MSan.
Diffstat (limited to 'projects')
-rw-r--r--projects/poppler/Dockerfile27
-rwxr-xr-xprojects/poppler/build.sh159
-rw-r--r--projects/poppler/pdf_fuzzer.cc55
-rw-r--r--projects/poppler/project.yaml1
4 files changed, 163 insertions, 79 deletions
diff --git a/projects/poppler/Dockerfile b/projects/poppler/Dockerfile
index 0780e4ae..afb48902 100644
--- a/projects/poppler/Dockerfile
+++ b/projects/poppler/Dockerfile
@@ -13,17 +13,30 @@
# limitations under the License.
#
################################################################################
-
FROM gcr.io/oss-fuzz-base/base-builder
-RUN apt-get update && apt-get install -y make autoconf automake libtool pkg-config cmake
-RUN git clone --depth 1 https://anongit.freedesktop.org/git/poppler/poppler.git
+RUN apt-get update && apt-get install -y wget autoconf automake libtool \
+ pkg-config cmake gtk-doc-tools libffi-dev zlib1g-dev libfontconfig1-dev
+RUN pip3 install meson==0.55.3 ninja
+
RUN git clone --depth 1 git://git.sv.nongnu.org/freetype/freetype2.git
RUN git clone --depth 1 https://github.com/mm2/Little-CMS.git
RUN git clone --depth 1 https://github.com/uclouvain/openjpeg
+RUN git clone --depth 1 https://github.com/glennrp/libpng.git
+RUN git clone --depth 1 https://gitlab.freedesktop.org/cairo/cairo.git
+RUN git clone --branch 5.15 --depth 1 --shallow-submodules \
+ --recurse-submodules=qtbase \
+ --recurse-submodules=qtsvg \
+ git://code.qt.io/qt/qt5.git qt
+ADD http://ftp.gnome.org/pub/gnome/sources/pango/1.48/pango-1.48.0.tar.xz $SRC
+RUN tar xvJf $SRC/pango-1.48.0.tar.xz
+ADD https://ftp.gnome.org/pub/gnome/sources/glib/2.64/glib-2.64.2.tar.xz $SRC
+RUN tar xvJf $SRC/glib-2.64.2.tar.xz
+RUN git clone --depth 1 --single-branch --branch fuzzing https://gitlab.freedesktop.org/ceyhunalp/poppler.git
+
RUN git clone --depth 1 https://github.com/mozilla/pdf.js pdf.js && \
- zip -q $SRC/pdf_fuzzer_seed_corpus.zip pdf.js/test/pdfs/*.pdf && \
- rm -rf pdf.js
-ADD https://raw.githubusercontent.com/google/fuzzing/master/dictionaries/pdf.dict $SRC/pdf_fuzzer.dict
+ zip -q $SRC/poppler_seed_corpus.zip pdf.js/test/pdfs/*.pdf && \
+ rm -rf pdf.js
+ADD https://raw.githubusercontent.com/google/fuzzing/master/dictionaries/pdf.dict $SRC/poppler.dict
+
WORKDIR $SRC/poppler
-COPY *.cc $SRC/fuzz/
COPY build.sh $SRC/
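Review bot: The pango tarball is fetched over plain HTTP (`ADD http://ftp.gnome.org/pub/gnome/sources/pango/1.48/pango-1.48.0.tar.xz $SRC`) with no integrity check, while the glib tarball two lines below already uses HTTPS, and the new Qt clone uses the unauthenticated `git://code.qt.io/qt/qt5.git` transport. Switching both to `https://` closes the on-path tampering window, and a `RUN echo "<sha256-placeholder>  $SRC/pango-1.48.0.tar.xz" | sha256sum -c` (likewise for glib) after each ADD would pin the tarball contents to what was reviewed. The `pip3 install meson==0.55.3 ninja` line pins meson but leaves ninja floating. Poppler is also now cloned from a personal fork's `fuzzing` branch rather than from upstream, so the fuzz targets stop tracking upstream poppler until that branch lands; a comment such as `# TODO: switch back to upstream poppler once the fuzzing branch is merged` would record that intent.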
diff --git a/projects/poppler/build.sh b/projects/poppler/build.sh
index a2ac4a5f..6d06090e 100755
--- a/projects/poppler/build.sh
+++ b/projects/poppler/build.sh
@@ -14,62 +14,189 @@
# limitations under the License.
#
################################################################################
+PREFIX=$WORK/prefix
+mkdir -p $PREFIX
+
+export PKG_CONFIG="`which pkg-config` --static"
+export PKG_CONFIG_PATH=$PREFIX/lib/pkgconfig
+export PATH=$PREFIX/bin:$PATH
+
+BUILD=$WORK/build
+
+rm -rf $WORK/*
+rm -rf $BUILD
+mkdir -p $BUILD
+
+pushd $SRC/glib-2.64.2
+meson \
+ --prefix=$PREFIX \
+ --libdir=lib \
+ --default-library=static \
+ -Db_lundef=false \
+ -Doss_fuzz=enabled \
+ -Dlibmount=disabled \
+ -Dinternal_pcre=true \
+ _builddir
+ninja -C _builddir
+ninja -C _builddir install
+popd
pushd $SRC/freetype2
./autogen.sh
-./configure --prefix="$WORK" --disable-shared PKG_CONFIG_PATH="$WORK/lib/pkgconfig"
+./configure --prefix="$PREFIX" --disable-shared PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
make -j$(nproc)
make install
pushd $SRC/Little-CMS
-./configure --prefix="$WORK" --disable-shared PKG_CONFIG_PATH="$WORK/lib/pkgconfig"
+./configure --prefix="$PREFIX" --disable-shared PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
make -j$(nproc)
make install
mkdir -p $SRC/openjpeg/build
pushd $SRC/openjpeg/build
-cmake .. -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX=$WORK
+cmake .. -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX=$PREFIX
make -j$(nproc) install
+pushd $SRC/libpng
+autoreconf -fi
+./configure --prefix="$PREFIX" --disable-shared --disable-dependency-tracking
+make -j$(nproc)
+make install
+
+pushd $SRC/cairo
+meson \
+ --prefix=$PREFIX \
+ --libdir=lib \
+ --default-library=static \
+ _builddir
+ninja -C _builddir
+ninja -C _builddir install
+popd
+
+pushd $SRC/pango-1.48.0
+meson \
+ -Ddefault_library=static \
+ --prefix=$PREFIX \
+ --libdir=lib \
+ _builddir
+sed -i -e 's/ -Werror=implicit-fallthrough//g' _builddir/build.ninja
+ninja -C _builddir
+ninja -C _builddir install
+popd
+
+pushd $SRC/qt
+# Add the flags to Qt build, borrowed from qt
+sed -i -e "s/QMAKE_CXXFLAGS += -stdlib=libc++/QMAKE_CXXFLAGS += -stdlib=libc++ $CXXFLAGS\nQMAKE_CFLAGS += $CFLAGS/g" qtbase/mkspecs/linux-clang-libc++/qmake.conf
+sed -i -e "s/QMAKE_LFLAGS += -stdlib=libc++/QMAKE_LFLAGS += -stdlib=libc++ -lpthread $CXXFLAGS/g" qtbase/mkspecs/linux-clang-libc++/qmake.conf
+# remove -fno-rtti which conflicts with -fsanitize=vptr when building with sanitizer undefined
+sed -i -e "s/QMAKE_CXXFLAGS_RTTI_OFF = -fno-rtti/QMAKE_CXXFLAGS_RTTI_OFF = /g" qtbase/mkspecs/common/gcc-base.conf
+MAKEFLAGS=-j$(nproc) $SRC/qt/configure -qt-libmd4c -platform linux-clang-libc++ -static -opensource -confirm-license -no-opengl -no-glib -nomake tests -nomake examples -prefix $PREFIX -D QT_NO_DEPRECATED_WARNINGS
+make -j$(nproc) > /dev/null
+make install
+popd
+
+# Poppler complains when PKG_CONFIG is set to `which pkg-config --static` so
+# temporarily removing it
+export PKG_CONFIG="`which pkg-config`"
+
mkdir -p $SRC/poppler/build
pushd $SRC/poppler/build
cmake .. \
-DCMAKE_BUILD_TYPE=debug \
-DBUILD_SHARED_LIBS=OFF \
-DFONT_CONFIGURATION=generic \
+ -DENABLE_FUZZER=OFF \
-DENABLE_DCTDECODER=none \
+ -DENABLE_GOBJECT_INTROSPECTION=OFF \
-DENABLE_LIBPNG=OFF \
-DENABLE_ZLIB=OFF \
-DENABLE_LIBTIFF=OFF \
-DENABLE_LIBJPEG=OFF \
- -DENABLE_GLIB=OFF \
+ -DENABLE_GLIB=ON \
-DENABLE_LIBCURL=OFF \
- -DENABLE_QT5=OFF \
+ -DENABLE_QT5=ON \
-DENABLE_UTILS=OFF \
- -DWITH_Cairo=OFF \
+ -DWITH_Cairo=ON \
-DWITH_NSS3=OFF \
- -DCMAKE_INSTALL_PREFIX=$WORK
-make -j$(nproc) poppler poppler-cpp
+ -DCMAKE_INSTALL_PREFIX=$PREFIX \
+ -DCMAKE_PREFIX_PATH=$PREFIX
+
+export PKG_CONFIG="`which pkg-config` --static"
+make -j$(nproc) poppler poppler-cpp poppler-glib poppler-qt5
-fuzz_target=pdf_fuzzer
+PREDEPS_LDFLAGS="-Wl,-Bdynamic -ldl -lm -lc -lz -pthread -lrt -lpthread"
+DEPS="gmodule-2.0 glib-2.0 gio-2.0 gobject-2.0 freetype2 lcms2 libopenjp2 libpng cairo cairo-gobject pango"
+BUILD_CFLAGS="$CFLAGS `pkg-config --static --cflags $DEPS`"
+BUILD_LDFLAGS="-Wl,-static `pkg-config --static --libs $DEPS`"
-$CXX $CXXFLAGS -std=c++11 -I$SRC/poppler/cpp \
- $SRC/fuzz/pdf_fuzzer.cc -o $OUT/$fuzz_target \
+fuzzers=$(find $SRC/poppler/cpp/tests/fuzzing/ -name "*_fuzzer.cc")
+for f in $fuzzers; do
+ fuzzer_name=$(basename $f .cc)
+
+ $CXX $CXXFLAGS -std=c++11 -I$SRC/poppler/cpp \
+ $BUILD_CFLAGS \
+ $f -o $OUT/$fuzzer_name \
+ $PREDEPS_LDFLAGS \
+ $SRC/poppler/build/cpp/libpoppler-cpp.a \
+ $SRC/poppler/build/libpoppler.a \
+ $BUILD_LDFLAGS \
$LIB_FUZZING_ENGINE \
+ -Wl,-Bdynamic
+done
+
+fuzzers=$(find $SRC/poppler/glib/tests/fuzzing/ -name "*_fuzzer.cc")
+for f in $fuzzers; do
+ fuzzer_name=$(basename $f .cc)
+
+ $CXX $CXXFLAGS -std=c++11 -I$SRC/poppler/glib -I$SRC/poppler/build/glib \
+ $BUILD_CFLAGS \
+ $f -o $OUT/$fuzzer_name \
+ $PREDEPS_LDFLAGS \
+ $SRC/poppler/build/glib/libpoppler-glib.a \
$SRC/poppler/build/cpp/libpoppler-cpp.a \
$SRC/poppler/build/libpoppler.a \
- $WORK/lib/libfreetype.a \
- $WORK/lib/liblcms2.a \
- $WORK/lib/libopenjp2.a
+ $BUILD_LDFLAGS \
+ $LIB_FUZZING_ENGINE \
+ -Wl,-Bdynamic
+done
+
+PREDEPS_LDFLAGS="-Wl,-Bdynamic -ldl -lm -lc -lz -pthread -lrt -lpthread"
+DEPS="gmodule-2.0 glib-2.0 gio-2.0 gobject-2.0 freetype2 lcms2 libopenjp2 libpng Qt5Core Qt5Gui Qt5Xml"
+BUILD_CFLAGS="$CFLAGS `pkg-config --static --cflags $DEPS`"
+BUILD_LDFLAGS="-Wl,-static `pkg-config --static --libs $DEPS`"
+
+fuzzers=$(find $SRC/poppler/qt5/tests/fuzzing/ -name "*_fuzzer.cc")
+for f in $fuzzers; do
+ fuzzer_name=$(basename $f .cc)
+
+ $CXX $CXXFLAGS -std=c++11 -fPIC \
+ -I$SRC/poppler/qt5/src \
+ $BUILD_CFLAGS \
+ $f -o $OUT/$fuzzer_name \
+ $PREDEPS_LDFLAGS \
+ $SRC/poppler/build/qt5/src/libpoppler-qt5.a \
+ $SRC/poppler/build/cpp/libpoppler-cpp.a \
+ $SRC/poppler/build/libpoppler.a \
+ $BUILD_LDFLAGS \
+ $LIB_FUZZING_ENGINE \
+ -Wl,-Bdynamic
+done
mv $SRC/{*.zip,*.dict} $OUT
-if [ ! -f "${OUT}/${fuzz_target}_seed_corpus.zip" ]; then
+if [ ! -f "${OUT}/poppler_seed_corpus.zip" ]; then
echo "missing seed corpus"
exit 1
fi
-if [ ! -f "${OUT}/${fuzz_target}.dict" ]; then
+if [ ! -f "${OUT}/poppler.dict" ]; then
echo "missing dictionary"
exit 1
fi
+
+fuzzers=$(find $OUT -name "*_fuzzer")
+for f in $fuzzers; do
+ fuzzer_name=$(basename $f)
+ ln -sf $OUT/poppler_seed_corpus.zip $OUT/${fuzzer_name}_seed_corpus.zip
+ ln -sf $OUT/poppler.dict $OUT/${fuzzer_name}.dict
+done
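Review bot: The three `find`-driven loops (`fuzzers=$(find $SRC/poppler/cpp/tests/fuzzing/ -name "*_fuzzer.cc")` and its glib and qt5 counterparts) silently build nothing if the directory or glob does not match, and the script still exits 0 because the only checks after the build look at the corpus and dictionary; adding `[ -n "$fuzzers" ] || { echo "no fuzz targets found"; exit 1; }` after each `find` turns that into a build failure. `mkdir -p $PREFIX` near the top is undone by the later `rm -rf $WORK/*`, so the prefix only reappears when the first `ninja install` creates it — moving the mkdir below the rm keeps the setup readable. The `PREDEPS_LDFLAGS` assignment is repeated verbatim before the qt5 loop and could be dropped there. The per-target `ln -sf` links for the seed corpus and dictionary assume the packaging of $OUT preserves symlinks; if it does not, each target would simply run without seeds rather than fail the build, so this is worth confirming or replacing with `cp`.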
diff --git a/projects/poppler/pdf_fuzzer.cc b/projects/poppler/pdf_fuzzer.cc
deleted file mode 100644
index 0f158bd8..00000000
--- a/projects/poppler/pdf_fuzzer.cc
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
-# Copyright 2018 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-################################################################################
-*/
-
-#include <cstdint>
-
-#include <poppler-destination.h>
-#include <poppler-global.h>
-#include <poppler-document.h>
-#include <poppler-page.h>
-#include <poppler-page-renderer.h>
-
-static void nop_func(const std::string& msg, void*) {};
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- poppler::set_debug_error_function(nop_func, nullptr);
-
- poppler::document *doc = poppler::document::load_from_raw_data((const char *)data, size);
- if (!doc || doc->is_locked()) {
- delete doc;
- return 0;
- }
- doc->metadata();
- doc->create_destination_map();
- doc->embedded_files();
- doc->fonts();
-
- poppler::page_renderer r;
- for (int i = 0; i < doc->pages(); i++) {
- poppler::page *p = doc->create_page(i);
- if (!p) {
- continue;
- }
- r.render_page(p);
- p->text_list(poppler::page::text_list_include_font);
- delete p;
- }
-
- delete doc;
- return 0;
-}
diff --git a/projects/poppler/project.yaml b/projects/poppler/project.yaml
index 88e7f0f5..68201fa6 100644
--- a/projects/poppler/project.yaml
+++ b/projects/poppler/project.yaml
@@ -3,7 +3,6 @@ language: c++
primary_contact: tsdgeos@gmail.com
sanitizers:
- address
- - memory
- undefined
auto_ccs:
- jonathan@titanous.com