aboutsummaryrefslogtreecommitdiffhomepage
path: root/fuzz
diff options
context:
space:
mode:
authorGravatar Kevin Lubick <kjlubick@google.com>2018-03-30 15:05:13 -0400
committerGravatar Skia Commit-Bot <skia-commit-bot@chromium.org>2018-03-30 19:31:56 +0000
commite4be55dc28479a0ee103e5d65cd00c441feb5ff2 (patch)
tree5040210babb9a4877247f90024fa1d53981e02e3 /fuzz
parent6b6fcc78620270ec2dcd57bd520ec500f60f4505 (diff)
Add Encoder fuzzers
This also includes a helper "fuzzer" for making a corpus. Point it at an image or folder of images and it will decode those images and write the SkPixmap's bytes to disk, such that the fuzzer will be able to read in those bytes as if it had decoded the image (or gotten it from another source). Bug: skia: Change-Id: Iaf223a39078f2b62908fb47929add5d63f22d973 Reviewed-on: https://skia-review.googlesource.com/117367 Reviewed-by: Leon Scroggins <scroggo@google.com> Commit-Queue: Kevin Lubick <kjlubick@google.com>
Diffstat (limited to 'fuzz')
-rw-r--r--fuzz/Fuzz.h1
-rw-r--r--fuzz/FuzzEncoders.cpp118
-rw-r--r--fuzz/oss_fuzz/FuzzJPEGEncoder.cpp16
-rw-r--r--fuzz/oss_fuzz/FuzzPNGEncoder.cpp16
-rw-r--r--fuzz/oss_fuzz/FuzzWEBPEncoder.cpp16
5 files changed, 167 insertions, 0 deletions
diff --git a/fuzz/Fuzz.h b/fuzz/Fuzz.h
index 203a57fd9f..4fb7396ecc 100644
--- a/fuzz/Fuzz.h
+++ b/fuzz/Fuzz.h
@@ -62,6 +62,7 @@ private:
sk_sp<SkData> fBytes;
size_t fNextByte;
+ friend void fuzz__MakeEncoderCorpus(Fuzz*);
};
// UBSAN reminds us that bool can only legally hold 0 or 1.
diff --git a/fuzz/FuzzEncoders.cpp b/fuzz/FuzzEncoders.cpp
new file mode 100644
index 0000000000..7ca4a48d9c
--- /dev/null
+++ b/fuzz/FuzzEncoders.cpp
@@ -0,0 +1,118 @@
+/*
+ * Copyright 2018 Google LLC
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "Fuzz.h"
+#include "SkBitmap.h"
+#include "SkImage.h"
+#include "SkImageInfo.h"
+#include "SkJpegEncoder.h"
+#include "SkPixmap.h"
+#include "SkPngEncoder.h"
+#include "SkRandom.h"
+#include "SkWebpEncoder.h"
+#include "SkOSFile.h"
+
+#include <vector>
+
+// These values were picked arbitrarily to hopefully limit the size of the
+// serialized SkPixmaps.
+constexpr int MAX_WIDTH = 512;
+constexpr int MAX_HEIGHT = 512;
+
+static SkBitmap make_fuzzed_bitmap(Fuzz* fuzz) {
+ SkBitmap bm;
+ uint32_t w, h;
+ fuzz->nextRange(&w, 1, MAX_WIDTH);
+ fuzz->nextRange(&h, 1, MAX_HEIGHT);
+ if (!bm.tryAllocPixels(SkImageInfo::MakeN32Premul(w, h))) {
+ return bm;
+ }
+ uint32_t n = w * h;
+ fuzz->nextN((SkPMColor*)bm.getPixels(), n);
+ return bm;
+}
+
+DEF_FUZZ(PNGEncoder, fuzz) {
+ auto bm = make_fuzzed_bitmap(fuzz);
+
+ auto opts = SkPngEncoder::Options{};
+ fuzz->nextRange(&opts.fZLibLevel, 0, 9);
+
+ SkDynamicMemoryWStream dest;
+ SkPngEncoder::Encode(&dest, bm.pixmap(), opts);
+}
+
+DEF_FUZZ(JPEGEncoder, fuzz) {
+ auto bm = make_fuzzed_bitmap(fuzz);
+
+ auto opts = SkJpegEncoder::Options{};
+ fuzz->nextRange(&opts.fQuality, 0, 100);
+
+ SkDynamicMemoryWStream dest;
+ (void)SkJpegEncoder::Encode(&dest, bm.pixmap(), opts);
+}
+
+DEF_FUZZ(WEBPEncoder, fuzz) {
+ auto bm = make_fuzzed_bitmap(fuzz);
+
+ auto opts = SkWebpEncoder::Options{};
+ fuzz->nextRange(&opts.fQuality, 0.0f, 100.0f);
+ bool lossy;
+ fuzz->next(&lossy);
+ if (lossy) {
+ opts.fCompression = SkWebpEncoder::Compression::kLossy;
+ } else {
+ opts.fCompression = SkWebpEncoder::Compression::kLossless;
+ }
+
+ SkDynamicMemoryWStream dest;
+ (void)SkWebpEncoder::Encode(&dest, bm.pixmap(), opts);
+}
+
+// Not a real fuzz endpoint, but a helper to take in real, good images
+// and dump out a corpus for this fuzzer.
+DEF_FUZZ(_MakeEncoderCorpus, fuzz) {
+ auto bytes = fuzz->fBytes;
+ SkDebugf("bytes %d\n", bytes->size());
+ auto img = SkImage::MakeFromEncoded(bytes);
+ if (nullptr == img.get()) {
+ SkDebugf("invalid image, could not decode\n");
+ return;
+ }
+ if (img->width() > MAX_WIDTH || img->height() > MAX_HEIGHT) {
+ SkDebugf("Too big (%d x %d)\n", img->width(), img->height());
+ return;
+ }
+ std::vector<int32_t> dstPixels;
+ int rowBytes = img->width() * 4;
+ dstPixels.resize(img->height() * rowBytes);
+ SkPixmap pm(SkImageInfo::MakeN32Premul(img->width(), img->height()),
+ &dstPixels.front(), rowBytes);
+ if (!img->readPixels(pm, 0, 0)) {
+ SkDebugf("Could not read pixmap\n");
+ return;
+ }
+
+ SkString s("./encoded_corpus/enc_");
+ static SkRandom rand;
+ s.appendU32(rand.nextU());
+ auto file = sk_fopen(s.c_str(), SkFILE_Flags::kWrite_SkFILE_Flag);
+ if (!file) {
+ SkDebugf("Can't initialize file\n");
+ return;
+ }
+ auto total = pm.info().bytesPerPixel() * pm.width() * pm.height();
+ SkDebugf("Writing %d (%d x %d) bytes\n", total, pm.width(), pm.height());
+ // Write out the size in two bytes since that's what the fuzzer will
+ // read first.
+ uint32_t w = pm.width();
+ sk_fwrite(&w, sizeof(uint32_t), file);
+ uint32_t h = pm.height();
+ sk_fwrite(&h, sizeof(uint32_t), file);
+ sk_fwrite(pm.addr(), total, file);
+ sk_fclose(file);
+}
diff --git a/fuzz/oss_fuzz/FuzzJPEGEncoder.cpp b/fuzz/oss_fuzz/FuzzJPEGEncoder.cpp
new file mode 100644
index 0000000000..3d5ce412e7
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzJPEGEncoder.cpp
@@ -0,0 +1,16 @@
+/*
+ * Copyright 2018 Google, LLC
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "../Fuzz.h"
+
+void fuzz_JPEGEncoder(Fuzz* f);
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ auto fuzz = Fuzz(SkData::MakeWithoutCopy(data, size));
+ fuzz_JPEGEncoder(&fuzz);
+ return 0;
+}
diff --git a/fuzz/oss_fuzz/FuzzPNGEncoder.cpp b/fuzz/oss_fuzz/FuzzPNGEncoder.cpp
new file mode 100644
index 0000000000..8e104166cf
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzPNGEncoder.cpp
@@ -0,0 +1,16 @@
+/*
+ * Copyright 2018 Google, LLC
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "../Fuzz.h"
+
+void fuzz_PNGEncoder(Fuzz* f);
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ auto fuzz = Fuzz(SkData::MakeWithoutCopy(data, size));
+ fuzz_PNGEncoder(&fuzz);
+ return 0;
+}
diff --git a/fuzz/oss_fuzz/FuzzWEBPEncoder.cpp b/fuzz/oss_fuzz/FuzzWEBPEncoder.cpp
new file mode 100644
index 0000000000..f1da38d6ca
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzWEBPEncoder.cpp
@@ -0,0 +1,16 @@
+/*
+ * Copyright 2018 Google, LLC
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "../Fuzz.h"
+
+void fuzz_WEBPEncoder(Fuzz* f);
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ auto fuzz = Fuzz(SkData::MakeWithoutCopy(data, size));
+ fuzz_WEBPEncoder(&fuzz);
+ return 0;
+}