author | Kevin Lubick <kjlubick@google.com> | 2018-02-12 08:26:39 -0500 |
---|---|---|
committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2018-02-12 15:25:59 +0000 |
commit | 2416f968a69ff71f83eb17e97d1cb6448c916a69 (patch) | |
tree | 91e1846328cae9f649f0768b9401faea7ab11885 /fuzz/fuzz.cpp | |
parent | 77295347c229fa4353e09d97961546ce3c9391e5 (diff) |
Add 2 fuzz targets for image decoding (oss-fuzz)
This also adds in a few small guards to prevent libfuzzer from frequently
running out of memory when an image claims to have billions of pixels.
Bug: skia:
Change-Id: I47a9daac832c4d85a42000698482b61721c38880
Reviewed-on: https://skia-review.googlesource.com/106264
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Leon Scroggins <scroggo@google.com>
Diffstat (limited to 'fuzz/fuzz.cpp')
-rw-r--r-- | fuzz/fuzz.cpp | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/fuzz/fuzz.cpp b/fuzz/fuzz.cpp
index 945518a3c3..657879ea9b 100644
--- a/fuzz/fuzz.cpp
+++ b/fuzz/fuzz.cpp
@@ -42,10 +42,12 @@ DEFINE_string2(dump, d, "", "If not empty, dump 'image*' or 'skp' types as a "
 "PNG with this name.");
 DEFINE_bool2(verbose, v, false, "Print more information while fuzzing.");
 DEFINE_string2(type, t, "", "How to interpret --bytes, one of:\n"
+ "animated_image_decode\n"
 "api\n"
 "color_deserialize\n"
 "filter_fuzz (equivalent to Chrome's filter_fuzz_stub)\n"
 "icc\n"
+ "image_decode\n"
 "image_mode\n"
 "image_scale\n"
 "path_deserialize\n"
@@ -63,6 +65,8 @@ static void fuzz_api(sk_sp<SkData>);
 static void fuzz_color_deserialize(sk_sp<SkData>);
 static void fuzz_filter_fuzz(sk_sp<SkData>);
 static void fuzz_icc(sk_sp<SkData>);
+static void fuzz_img2(sk_sp<SkData>);
+static void fuzz_animated_img(sk_sp<SkData>);
 static void fuzz_img(sk_sp<SkData>, uint8_t, uint8_t);
 static void fuzz_path_deserialize(sk_sp<SkData>);
 static void fuzz_region_deserialize(sk_sp<SkData>);
@@ -106,6 +110,10 @@ static int fuzz_file(const char* path) {
 }
 
 if (!FLAGS_type.isEmpty()) {
+ if (0 == strcmp("animated_image_decode", FLAGS_type[0])) {
+ fuzz_animated_img(bytes);
+ return 0;
+ }
 if (0 == strcmp("api", FLAGS_type[0])) {
 fuzz_api(bytes);
 return 0;
@@ -118,6 +126,10 @@ static int fuzz_file(const char* path) {
 fuzz_icc(bytes);
 return 0;
 }
+ if (0 == strcmp("image_decode", FLAGS_type[0])) {
+ fuzz_img2(bytes);
+ return 0;
+ }
 if (0 == strcmp("image_scale", FLAGS_type[0])) {
 uint8_t option = calculate_option(bytes.get());
 fuzz_img(bytes, option, 0);
@@ -209,6 +221,20 @@ static void dump_png(SkBitmap bitmap) {
 }
 }
 
+void FuzzAnimatedImage(sk_sp<SkData> bytes);
+
+static void fuzz_animated_img(sk_sp<SkData> bytes) {
+ FuzzAnimatedImage(bytes);
+ SkDebugf("[terminated] Didn't crash while decoding/drawing animated image!\n");
+}
+
+void FuzzImage(sk_sp<SkData> bytes);
+
+static void fuzz_img2(sk_sp<SkData> bytes) {
+ FuzzImage(bytes);
+ SkDebugf("[terminated] Didn't crash while decoding/drawing image!\n");
+}
+
 static void fuzz_img(sk_sp<SkData> bytes, uint8_t scale, uint8_t mode) {
 // We can scale 1x, 2x, 4x, 8x, 16x
 scale = scale % 5;
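Review bot: The two new prototypes `void FuzzAnimatedImage(sk_sp<SkData> bytes);` and `void FuzzImage(sk_sp<SkData> bytes);` are hand-written extern declarations for functions defined in some other translation unit, with nothing in this file recording where; any drift between these and the real signatures is caught only at link time, and a reader of fuzz.cpp cannot locate the pixel-count OOM guards the commit message describes, which presumably live in those definitions. Prefer declaring both once in a header that the target files also include, or at minimum annotate each, e.g. `// Defined by the oss-fuzz target (presumably under fuzz/oss_fuzz/ — confirm); the huge-pixel-count guard is applied there before decoding`. Separately, `fuzz_img2` is an opaque name next to the existing `fuzz_img`; `fuzz_image_decode`, matching the `--type image_decode` string it is dispatched from, reads better and mirrors `fuzz_animated_img`. The surrounding `dump_png` and `fuzz_img` bodies begin and end outside this hunk.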