authorGravatar Kevin Lubick <kjlubick@google.com>2018-02-08 14:31:24 -0500
committerGravatar Skia Commit-Bot <skia-commit-bot@chromium.org>2018-02-09 14:37:41 +0000
commitf034d118597dc346bfe7f327ea10a950a7c1e35d (patch)
tree20b045b8f381e29d2039f15bccecb33703f0cf52 /fuzz/oss_fuzz
parent67f8584b6f899876ca4187dba4f449ce5489f9c8 (diff)
Break some fuzzer targets out so oss-fuzz can use them
FuzzImageFilterDeserialize is already being used in oss-fuzz but the target lived there and not here. This moves it here. Then we can turn on: - FuzzPathDeserialize - FuzzTextBlobDeserialize Bug: skia: Change-Id: I7baee8386fb7aeebc43a68abfff9a670ba16f82c Reviewed-on: https://skia-review.googlesource.com/105763 Reviewed-by: Mike Klein <mtklein@google.com> Commit-Queue: Kevin Lubick <kjlubick@google.com>
Diffstat (limited to 'fuzz/oss_fuzz')
-rw-r--r--fuzz/oss_fuzz/FuzzImageFilterDeserialize.cpp46
-rw-r--r--fuzz/oss_fuzz/FuzzPathDeserialize.cpp35
-rw-r--r--fuzz/oss_fuzz/FuzzTextBlobDeserialize.cpp34
3 files changed, 115 insertions, 0 deletions
diff --git a/fuzz/oss_fuzz/FuzzImageFilterDeserialize.cpp b/fuzz/oss_fuzz/FuzzImageFilterDeserialize.cpp
new file mode 100644
index 0000000000..f9d9598892
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzImageFilterDeserialize.cpp
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2018 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+
+#include "SkBitmap.h"
+#include "SkCanvas.h"
+#include "SkData.h"
+#include "SkImageFilter.h"
+#include "SkPaint.h"
+
+void FuzzImageFilterDeserialize(sk_sp<SkData> bytes) {
+ const int BitmapSize = 24;
+ SkBitmap bitmap;
+ bitmap.allocN32Pixels(BitmapSize, BitmapSize);
+ SkCanvas canvas(bitmap);
+ canvas.clear(0x00000000);
+
+ auto flattenable = SkImageFilter::Deserialize(bytes->data(), bytes->size());
+
+ if (flattenable != nullptr) {
+ // Let's see if using the filters can cause any trouble...
+ SkPaint paint;
+ paint.setImageFilter(flattenable);
+ canvas.save();
+ canvas.clipRect(SkRect::MakeXYWH(
+ 0, 0, SkIntToScalar(BitmapSize), SkIntToScalar(BitmapSize)));
+
+ // This call shouldn't crash or cause ASAN to flag any memory issues
+ // If nothing bad happens within this call, everything is fine
+ canvas.drawBitmap(bitmap, 0, 0, &paint);
+
+ canvas.restore();
+ }
+}
+
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ auto bytes = SkData::MakeWithoutCopy(data, size);
+ FuzzImageFilterDeserialize(bytes);
+ return 0;
+}
+#endif
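Review bot: In `LLVMFuzzerTestOneInput`, `SkData::MakeWithoutCopy(data, size)` only borrows libFuzzer's input buffer, and nothing in the file records that lifetime constraint. It is safe as written because `flattenable` and `paint` are locals of `FuzzImageFilterDeserialize` and are destroyed before the entry point returns. A later change that keeps the filter or the `SkData` alive across iterations would read memory the fuzzer has already reused or freed. I would add a comment above that line, for example `// Borrowed, not copied: nothing built from |bytes| may outlive this call.`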
diff --git a/fuzz/oss_fuzz/FuzzPathDeserialize.cpp b/fuzz/oss_fuzz/FuzzPathDeserialize.cpp
new file mode 100644
index 0000000000..b18f719f4f
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzPathDeserialize.cpp
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2018 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "SkCanvas.h"
+#include "SkPaint.h"
+#include "SkPath.h"
+#include "SkReadBuffer.h"
+#include "SkSurface.h"
+
+void FuzzPathDeserialize(SkReadBuffer& buf) {
+ SkPath path;
+ buf.readPath(&path);
+ if (!buf.isValid()) {
+ return;
+ }
+
+ auto s = SkSurface::MakeRasterN32Premul(128, 128);
+ if (!s) {
+ // May return nullptr in memory-constrained fuzzing environments
+ return;
+ }
+ s->getCanvas()->drawPath(path, SkPaint());
+}
+
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ SkReadBuffer buf(data, size);
+ FuzzPathDeserialize(buf);
+ return 0;
+}
+#endif
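Review bot: The last statement of `FuzzPathDeserialize`, `drawPath(path, SkPaint())`, only draws with a default-constructed paint, so this target covers less of the rasterizer than it could. As far as I know the default paint is fill style without anti-aliasing, which would leave the stroker and the anti-aliased scan converter unexercised; both take geometry directly from untrusted bytes. Consider a second draw on the same canvas with `SkPaint paint; paint.setAntiAlias(true); paint.setStyle(SkPaint::kStroke_Style);` followed by `s->getCanvas()->drawPath(path, paint);`.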
diff --git a/fuzz/oss_fuzz/FuzzTextBlobDeserialize.cpp b/fuzz/oss_fuzz/FuzzTextBlobDeserialize.cpp
new file mode 100644
index 0000000000..36c7057dbc
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzTextBlobDeserialize.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2018 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "SkCanvas.h"
+#include "SkPaint.h"
+#include "SkReadBuffer.h"
+#include "SkSurface.h"
+#include "SkTextBlob.h"
+
+void FuzzTextBlobDeserialize(SkReadBuffer& buf) {
+ auto tb = SkTextBlob::MakeFromBuffer(buf);
+ if (!buf.isValid()) {
+ return;
+ }
+
+ auto s = SkSurface::MakeRasterN32Premul(128, 128);
+ if (!s) {
+ // May return nullptr in memory-constrained fuzzing environments
+ return;
+ }
+ s->getCanvas()->drawTextBlob(tb, 200, 200, SkPaint());
+}
+
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ SkReadBuffer buf(data, size);
+ FuzzTextBlobDeserialize(buf);
+ return 0;
+}
+#endif
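Review bot: `drawTextBlob(tb, 200, 200, SkPaint())` in `FuzzTextBlobDeserialize` places the blob origin at (200, 200), but the surface from `MakeRasterN32Premul(128, 128)` is only 128x128. Unless the glyph positions in the blob are negative enough to pull it back into view, the draw is probably clipped away before rasterization, so the target mostly exercises deserialization and little of the drawing code. An origin inside the surface would fix that, e.g. `s->getCanvas()->drawTextBlob(tb, 64, 64, SkPaint());`, as would a surface larger than the offset. A one-line comment saying which of the two is intended would help whoever triages coverage reports for this target.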