From a5352add98f844a556bf7ecf8ec6b6de12f8461a Mon Sep 17 00:00:00 2001
From: DavidKorczynski
Date: Thu, 14 Jul 2022 23:59:09 +0100
Subject: ghostscript: add tiff fuzzer (#8012)
* ghostscript: add tiff fuzzer
Similar to all other devices with exception it writes to file instead of /dev/null. This is needed because tiff writing requires seek abilities.
---
 projects/ghostscript/build.sh | 5 +++--
 projects/ghostscript/gs_device_pdfwrite_fuzzer.cc | 2 +-
 projects/ghostscript/gs_device_pgmraw_fuzzer.cc | 2 +-
 projects/ghostscript/gs_device_png16m_fuzzer.cc | 2 +-
 projects/ghostscript/gs_device_ps2write_fuzzer.cc | 2 +-
 projects/ghostscript/gs_device_pxlmono_fuzzer.cc | 2 +-
 projects/ghostscript/gs_device_tiffsep1_fuzzer.cc | 26 +++++++++++++++++++++++
 projects/ghostscript/gs_fuzzlib.h | 13 +++++++-----
 8 files changed, 42 insertions(+), 12 deletions(-)
 create mode 100644 projects/ghostscript/gs_device_tiffsep1_fuzzer.cc
diff --git a/projects/ghostscript/build.sh b/projects/ghostscript/build.sh
index 18325d8e..23fa7a6a 100755
--- a/projects/ghostscript/build.sh
+++ b/projects/ghostscript/build.sh
@@ -45,7 +45,7 @@ CPPFLAGS="${CPPFLAGS:-} $CUPS_CFLAGS -DPACIFY_VALGRIND" ./autogen.sh \
 CUPSCONFIG=$CUPSCONFIG \
 --enable-freetype --enable-fontconfig \
 --enable-cups --with-ijs --with-jbig2dec \
- --with-drivers=pdfwrite,cups,ljet4,laserjet,pxlmono,pxlcolor,pcl3,uniprint,pgmraw,ps2write,png16m
+ --with-drivers=pdfwrite,cups,ljet4,laserjet,pxlmono,pxlcolor,pcl3,uniprint,pgmraw,ps2write,png16m,tiffsep1
 make -j$(nproc) libgs
 fuzzers="gstoraster_fuzzer \
@@ -56,7 +56,8 @@ fuzzers="gstoraster_fuzzer \
 gs_device_pxlmono_fuzzer \
 gs_device_pgmraw_fuzzer \
 gs_device_ps2write_fuzzer \
- gs_device_png16m_fuzzer"
+ gs_device_png16m_fuzzer \
+ gs_device_tiffsep1_fuzzer"
 for fuzzer in $fuzzers; do
 $CXX $CXXFLAGS $CUPS_LDFLAGS -std=c++11 -I. -I$SRC \
diff --git a/projects/ghostscript/gs_device_pdfwrite_fuzzer.cc b/projects/ghostscript/gs_device_pdfwrite_fuzzer.cc
index 6e01c542..3f116c3c 100644
--- a/projects/ghostscript/gs_device_pdfwrite_fuzzer.cc
+++ b/projects/ghostscript/gs_device_pdfwrite_fuzzer.cc
@@ -15,6 +15,6 @@ limitations under the License.
 #include "gs_fuzzlib.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- fuzz_gs_device(data, size, 1, "pdfwrite");
+ fuzz_gs_device(data, size, 1, "pdfwrite", "/dev/null");
 return 0;
 }
diff --git a/projects/ghostscript/gs_device_pgmraw_fuzzer.cc b/projects/ghostscript/gs_device_pgmraw_fuzzer.cc
index 30e51c5b..b9725059 100644
--- a/projects/ghostscript/gs_device_pgmraw_fuzzer.cc
+++ b/projects/ghostscript/gs_device_pgmraw_fuzzer.cc
@@ -15,6 +15,6 @@ limitations under the License.
 #include "gs_fuzzlib.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- fuzz_gs_device(data, size, 1, "pgmraw");
+ fuzz_gs_device(data, size, 1, "pgmraw", "/dev/null");
 return 0;
 }
diff --git a/projects/ghostscript/gs_device_png16m_fuzzer.cc b/projects/ghostscript/gs_device_png16m_fuzzer.cc
index 0d522ce3..645e300d 100644
--- a/projects/ghostscript/gs_device_png16m_fuzzer.cc
+++ b/projects/ghostscript/gs_device_png16m_fuzzer.cc
@@ -15,6 +15,6 @@ limitations under the License.
 #include "gs_fuzzlib.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- fuzz_gs_device(data, size, 1, "png16m");
+ fuzz_gs_device(data, size, 1, "png16m", "/dev/null");
 return 0;
 }
diff --git a/projects/ghostscript/gs_device_ps2write_fuzzer.cc b/projects/ghostscript/gs_device_ps2write_fuzzer.cc
index d551e2d3..eb62c813 100644
--- a/projects/ghostscript/gs_device_ps2write_fuzzer.cc
+++ b/projects/ghostscript/gs_device_ps2write_fuzzer.cc
@@ -15,6 +15,6 @@ limitations under the License.
 #include "gs_fuzzlib.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- fuzz_gs_device(data, size, 1, "ps2write");
+ fuzz_gs_device(data, size, 1, "ps2write", "/dev/null");
 return 0;
 }
diff --git a/projects/ghostscript/gs_device_pxlmono_fuzzer.cc b/projects/ghostscript/gs_device_pxlmono_fuzzer.cc
index bdae304a..5869fe23 100644
--- a/projects/ghostscript/gs_device_pxlmono_fuzzer.cc
+++ b/projects/ghostscript/gs_device_pxlmono_fuzzer.cc
@@ -15,6 +15,6 @@ limitations under the License.
 #include "gs_fuzzlib.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- fuzz_gs_device(data, size, 1, "pxlmono");
+ fuzz_gs_device(data, size, 1, "pxlmono", "/dev/null");
 return 0;
 }
diff --git a/projects/ghostscript/gs_device_tiffsep1_fuzzer.cc b/projects/ghostscript/gs_device_tiffsep1_fuzzer.cc
new file mode 100644
index 00000000..b42edbae
--- /dev/null
+++ b/projects/ghostscript/gs_device_tiffsep1_fuzzer.cc
@@ -0,0 +1,26 @@
+/* Copyright 2022 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+#include
+#include
+#include
+
+#include "gs_fuzzlib.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char filename[256];
+ sprintf(filename, "/tmp/libfuzzer.%d.tiff", getpid());
+ fuzz_gs_device(data, size, 1, "tiffsep1", filename);
+ return 0;
+}
diff --git a/projects/ghostscript/gs_fuzzlib.h b/projects/ghostscript/gs_fuzzlib.h
index 1a77a8ea..1ee6078d 100644
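Review bot: The output path built in the new gs_device_tiffsep1_fuzzer.cc is a predictable name under /tmp that is never removed, and it is formatted with an unbounded `sprintf`. The 256-byte buffer is large enough for this format string, but `snprintf(filename, sizeof(filename), "/tmp/libfuzzer.%d.tiff", getpid());` keeps that true if the pattern ever changes, and an `unlink(filename);` after the `fuzz_gs_device(...)` call stops output from accumulating across fuzzer restarts, each of which gets a new pid. If tiffsep1 also writes per-separation files alongside the composite one (it appears to derive further names from OutputFile, please confirm), those need cleaning up too. The same string is later copied into the 100-byte `gs_o` buffer in gs_fuzzlib.h, so a comment such as `/* must fit gs_o[100] in fuzz_gs_device() */` next to `filename` would document that limit.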
--- a/projects/ghostscript/gs_fuzzlib.h
+++ b/projects/ghostscript/gs_fuzzlib.h
@@ -31,7 +31,8 @@ int fuzz_gs_device(
 const unsigned char *buf,
 size_t size,
 int color_scheme,
- const char *device_target
+ const char *device_target,
+ const char *output_file
 );
 #define min(x, y) ((x) < (y) ? (x) : (y))
@@ -61,28 +62,30 @@ int gs_to_raster_fuzz(
 int color_scheme
 )
 {
- return fuzz_gs_device(buf, size, color_scheme, "cups");
+ return fuzz_gs_device(buf, size, color_scheme, "cups", "/dev/null");
 }
 int fuzz_gs_device(
 const unsigned char *buf,
 size_t size,
 int color_scheme,
- const char *device_target
+ const char *device_target,
+ const char *output_file
 )
 {
 int ret;
 void *gs = NULL;
 char color_space[50];
 char gs_device[50];
+ char gs_o[100];
 /*
 * We are expecting color_scheme to be in the [0:62] interval.
 * This corresponds to the color schemes defined here:
 * https://github.com/ArtifexSoftware/ghostpdl/blob/8c97d5adce0040ac38a1fb4d7954499c65f582ff/cups/libs/cups/raster.h#L102
 */
 sprintf(color_space, "-dcupsColorSpace=%d", color_scheme);
- sprintf(gs_device, "-sDEVICE=%s", device_target);
+ sprintf(gs_o, "-sOutputFile=%s", output_file);
 /* Mostly stolen from cups-filters gstoraster. */
 char *args[] = {
 "gs",
@@ -100,7 +103,7 @@ int fuzz_gs_device(
 "-dNOINTERPOLATE",
 "-dNOMEDIAATTRS",
 "-sstdout=%%stderr",
- "-sOutputFile=/dev/null",
+ gs_o,
 gs_device,
 "-_",
 };
--
cgit v1.2.3
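Review bot: `gs_device` is never written after this change: in the `-61,28 +62,30` hunk the line `sprintf(gs_device, "-sDEVICE=%s", device_target);` is removed rather than kept beside the new `gs_o` line, while the array is still declared and still passed in `args[]` (context of the `-100,7 +103,7` hunk). Every harness would then hand Ghostscript an uninitialized stack buffer as an argument, which is undefined behaviour and means `device_target` no longer selects the device under test. Restore the line, and bound both writes now that `output_file` is caller-supplied: `snprintf(gs_device, sizeof(gs_device), "-sDEVICE=%s", device_target);` and `snprintf(gs_o, sizeof(gs_o), "-sOutputFile=%s", output_file);`. The body of fuzz_gs_device continues past both hunks, so this assumes nothing outside the visible lines fills `gs_device`.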