Add Skottie fuzzer (via json input)

Bug: skia:
Change-Id: I97543b73755fca73f2ad014113ae8cd2c9227cf3
Reviewed-on: https://skia-review.googlesource.com/125820
Reviewed-by: Florin Malita <fmalita@chromium.org>
Commit-Queue: Kevin Lubick <kjlubick@google.com>

2 files changed, 53 insertions, 4 deletions

diff --git a/fuzz/fuzz.cpp b/fuzz/fuzz.cpp
index baaefd390d..c2a8ca0dc3 100644
--- a/fuzz/fuzz.cpp
+++ b/fuzz/fuzz.cpp
@@ -18,6 +18,7 @@
 #include "SkPaint.h"
 #include "SkPath.h"
 #include "SkPicture.h"
+#include "Skottie.h"
 #include "SkPipe.h"
 #include "SkReadBuffer.h"
 #include "SkStream.h"
@@ -58,6 +59,7 @@ DEFINE_string2(type, t, "", "How to interpret --bytes, one of:\n"
                             "region_set_path\n"
                             "skp\n"
                             "sksl2glsl\n"
+                            "skottie_json\n"
                             "textblob");
 
 static int fuzz_file(SkString path, SkString type);
@@ -74,6 +76,7 @@ static void fuzz_img(sk_sp<SkData>, uint8_t, uint8_t);
 static void fuzz_path_deserialize(sk_sp<SkData>);
 static void fuzz_region_deserialize(sk_sp<SkData>);
 static void fuzz_region_set_path(sk_sp<SkData>);
+static void fuzz_skottie_json(sk_sp<SkData>);
 static void fuzz_skp(sk_sp<SkData>);
 static void fuzz_skpipe(sk_sp<SkData>);
 static void fuzz_textblob_deserialize(sk_sp<SkData>);
@@ -158,6 +161,10 @@ static int fuzz_file(SkString path, SkString type) {
         fuzz_img(bytes, 0, option);
         return 0;
     }
+    if (type.equals("filter_fuzz")) {
+        fuzz_filter_fuzz(bytes);
+        return 0;
+    }
     if (type.equals("path_deserialize")) {
         fuzz_path_deserialize(bytes);
         return 0;
@@ -174,12 +181,12 @@ static int fuzz_file(SkString path, SkString type) {
         fuzz_skpipe(bytes);
         return 0;
     }
-    if (type.equals("skp")) {
-        fuzz_skp(bytes);
+    if (type.equals("skottie_json")) {
+        fuzz_skottie_json(bytes);
         return 0;
     }
-    if (type.equals("filter_fuzz")) {
-        fuzz_filter_fuzz(bytes);
+    if (type.equals("skp")) {
+        fuzz_skp(bytes);
         return 0;
     }
     if (type.equals("textblob")) {
@@ -257,6 +264,13 @@ static SkString try_auto_detect(SkString path, SkString* name) {
     return SkString("");
 }
 
+void FuzzSkottieJSON(sk_sp<SkData> bytes);
+
+static void fuzz_skottie_json(sk_sp<SkData> bytes){
+    FuzzSkottieJSON(bytes);
+    SkDebugf("[terminated] Done animating!\n");
+}
+
 // This adds up the first 1024 bytes and returns it as an 8 bit integer.  This allows afl-fuzz to
 // deterministically excercise different paths, or *options* (such as different scaling sizes or
 // different image modes) without needing to introduce a parameter.  This way we don't need a
diff --git a/fuzz/oss_fuzz/FuzzSkottieJSON.cpp b/fuzz/oss_fuzz/FuzzSkottieJSON.cpp
new file mode 100644
index 0000000000..e4f19ccad7
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzSkottieJSON.cpp
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2018 Google, LLC
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "SkData.h"
+#include "Skottie.h"
+#include "SkStream.h"
+
+void FuzzSkottieJSON(sk_sp<SkData> bytes) {
+    // Always returns nullptr to any resource
+    class EmptyResourceProvider final : public skottie::ResourceProvider {
+    public:
+        std::unique_ptr<SkStream> openStream(const char resource[]) const override {
+            return nullptr;
+        }
+    };
+    SkMemoryStream stream(bytes);
+    EmptyResourceProvider erp;
+    auto animation = skottie::Animation::Make(&stream, erp);
+    if (!animation) {
+        return;
+    }
+    animation->animationTick(1337); // A "nothing up my sleeve" number
+}
+
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    auto bytes = SkData::MakeWithoutCopy(data, size);
+    FuzzSkottieJSON(bytes);
+    return 0;
+}
+#endif