From 2416f968a69ff71f83eb17e97d1cb6448c916a69 Mon Sep 17 00:00:00 2001 From: Kevin Lubick Date: Mon, 12 Feb 2018 08:26:39 -0500 Subject: Add 2 fuzz targets for image decoding (oss-fuzz) This also adds in a few small guards to prevent libfuzzer from frequently running out of memory when an image claims to have billions of pixels. Bug: skia: Change-Id: I47a9daac832c4d85a42000698482b61721c38880 Reviewed-on: https://skia-review.googlesource.com/106264 Commit-Queue: Kevin Lubick Reviewed-by: Leon Scroggins --- BUILD.gn | 2 ++ fuzz/fuzz.cpp | 26 ++++++++++++++++++++ fuzz/oss_fuzz/FuzzAnimatedImage.cpp | 47 +++++++++++++++++++++++++++++++++++++ fuzz/oss_fuzz/FuzzImage.cpp | 37 +++++++++++++++++++++++++++++ include/private/SkMalloc.h | 14 +++++++++++ src/codec/SkRawCodec.cpp | 6 +++++ src/ports/SkMemory_malloc.cpp | 5 +--- 7 files changed, 133 insertions(+), 4 deletions(-) create mode 100644 fuzz/oss_fuzz/FuzzAnimatedImage.cpp create mode 100644 fuzz/oss_fuzz/FuzzImage.cpp diff --git a/BUILD.gn b/BUILD.gn index d45f692edd..364cde700d 100644 --- a/BUILD.gn +++ b/BUILD.gn @@ -1730,6 +1730,8 @@ if (skia_enable_tools) { "fuzz/FuzzPathop.cpp", "fuzz/FuzzScaleToSides.cpp", "fuzz/fuzz.cpp", + "fuzz/oss_fuzz/FuzzAnimatedImage.cpp", + "fuzz/oss_fuzz/FuzzImage.cpp", "fuzz/oss_fuzz/FuzzImageFilterDeserialize.cpp", "fuzz/oss_fuzz/FuzzPathDeserialize.cpp", "fuzz/oss_fuzz/FuzzRegionDeserialize.cpp", diff --git a/fuzz/fuzz.cpp b/fuzz/fuzz.cpp index 945518a3c3..657879ea9b 100644 --- a/fuzz/fuzz.cpp +++ b/fuzz/fuzz.cpp @@ -42,10 +42,12 @@ DEFINE_string2(dump, d, "", "If not empty, dump 'image*' or 'skp' types as a " "PNG with this name."); DEFINE_bool2(verbose, v, false, "Print more information while fuzzing."); DEFINE_string2(type, t, "", "How to interpret --bytes, one of:\n" + "animated_image_decode\n" "api\n" "color_deserialize\n" "filter_fuzz (equivalent to Chrome's filter_fuzz_stub)\n" "icc\n" + "image_decode\n" "image_mode\n" "image_scale\n" "path_deserialize\n" @@ -63,6 +65,8 @@ static void fuzz_api(sk_sp); static void fuzz_color_deserialize(sk_sp); static void fuzz_filter_fuzz(sk_sp); static void fuzz_icc(sk_sp); +static void fuzz_img2(sk_sp); +static void fuzz_animated_img(sk_sp); static void fuzz_img(sk_sp, uint8_t, uint8_t); static void fuzz_path_deserialize(sk_sp); static void fuzz_region_deserialize(sk_sp); @@ -106,6 +110,10 @@ static int fuzz_file(const char* path) { } if (!FLAGS_type.isEmpty()) { + if (0 == strcmp("animated_image_decode", FLAGS_type[0])) { + fuzz_animated_img(bytes); + return 0; + } if (0 == strcmp("api", FLAGS_type[0])) { fuzz_api(bytes); return 0; @@ -118,6 +126,10 @@ static int fuzz_file(const char* path) { fuzz_icc(bytes); return 0; } + if (0 == strcmp("image_decode", FLAGS_type[0])) { + fuzz_img2(bytes); + return 0; + } if (0 == strcmp("image_scale", FLAGS_type[0])) { uint8_t option = calculate_option(bytes.get()); fuzz_img(bytes, option, 0); @@ -209,6 +221,20 @@ static void dump_png(SkBitmap bitmap) { } } +void FuzzAnimatedImage(sk_sp bytes); + +static void fuzz_animated_img(sk_sp bytes) { + FuzzAnimatedImage(bytes); + SkDebugf("[terminated] Didn't crash while decoding/drawing animated image!\n"); +} + +void FuzzImage(sk_sp bytes); + +static void fuzz_img2(sk_sp bytes) { + FuzzImage(bytes); + SkDebugf("[terminated] Didn't crash while decoding/drawing image!\n"); +} + static void fuzz_img(sk_sp bytes, uint8_t scale, uint8_t mode) { // We can scale 1x, 2x, 4x, 8x, 16x scale = scale % 5; diff --git a/fuzz/oss_fuzz/FuzzAnimatedImage.cpp b/fuzz/oss_fuzz/FuzzAnimatedImage.cpp new file mode 100644 index 0000000000..af433348c5 --- /dev/null +++ b/fuzz/oss_fuzz/FuzzAnimatedImage.cpp @@ -0,0 +1,47 @@ +/* + * Copyright 2018 Google Inc. + * + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +#include "SkAndroidCodec.h" +#include "SkAnimatedImage.h" +#include "SkPaint.h" +#include "SkCanvas.h" +#include "SkData.h" +#include "SkSurface.h" + +void FuzzAnimatedImage(sk_sp bytes) { + auto codec = SkAndroidCodec::MakeFromData(bytes); + if (nullptr == codec) { + return; + } + auto aImg = SkAnimatedImage::Make(std::move(codec)); + if (nullptr == aImg) { + return; + } + + auto s = SkSurface::MakeRasterN32Premul(128, 128); + if (!s) { + // May return nullptr in memory-constrained fuzzing environments + return; + } + + SkPaint p; + int escape = 0; + while (!aImg->isFinished() && escape < 100) { + aImg->draw(s->getCanvas()); + escape++; + aImg->decodeNextFrame(); + } + +} + +#if defined(IS_FUZZING_WITH_LIBFUZZER) +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + auto bytes = SkData::MakeWithoutCopy(data, size); + FuzzAnimatedImage(bytes); + return 0; +} +#endif diff --git a/fuzz/oss_fuzz/FuzzImage.cpp b/fuzz/oss_fuzz/FuzzImage.cpp new file mode 100644 index 0000000000..0f0f6f5a43 --- /dev/null +++ b/fuzz/oss_fuzz/FuzzImage.cpp @@ -0,0 +1,37 @@ +/* + * Copyright 2018 Google Inc. + * + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +#include "SkImage.h" +#include "SkPaint.h" +#include "SkCanvas.h" +#include "SkData.h" +#include "SkSurface.h" + +void FuzzImage(sk_sp bytes) { + auto img = SkImage::MakeFromEncoded(bytes); + if (nullptr == img.get()) { + return; + } + + auto s = SkSurface::MakeRasterN32Premul(128, 128); + if (!s) { + // May return nullptr in memory-constrained fuzzing environments + return; + } + + SkPaint p; + s->getCanvas()->drawImage(img, 0, 0, &p); + +} + +#if defined(IS_FUZZING_WITH_LIBFUZZER) +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + auto bytes = SkData::MakeWithoutCopy(data, size); + FuzzImage(bytes); + return 0; +} +#endif diff --git a/include/private/SkMalloc.h b/include/private/SkMalloc.h index 178e1b83a7..0e41073b0b 100644 --- a/include/private/SkMalloc.h +++ b/include/private/SkMalloc.h @@ -64,6 +64,13 @@ static inline void* sk_calloc_throw(size_t size) { } static inline void* sk_calloc_canfail(size_t size) { +#if defined(IS_FUZZING_WITH_LIBFUZZER) + // The Libfuzzer environment is very susceptible to OOM, so to avoid those + // just pretend we can't allocate more than 200kb. + if (size > 200000) { + return nullptr; + } +#endif return sk_malloc_flags(size, SK_MALLOC_ZERO_INITIALIZE); } @@ -76,6 +83,13 @@ SK_API extern void* sk_realloc_throw(void* buffer, size_t count, size_t elemSize * These variants return nullptr on failure */ static inline void* sk_malloc_canfail(size_t size) { +#if defined(IS_FUZZING_WITH_LIBFUZZER) + // The Libfuzzer environment is very susceptible to OOM, so to avoid those + // just pretend we can't allocate more than 200kb. + if (size > 200000) { + return nullptr; + } +#endif return sk_malloc_flags(size, 0); } SK_API extern void* sk_malloc_canfail(size_t count, size_t elemSize); diff --git a/src/codec/SkRawCodec.cpp b/src/codec/SkRawCodec.cpp index 4fda120bb8..5e6f54a950 100644 --- a/src/codec/SkRawCodec.cpp +++ b/src/codec/SkRawCodec.cpp @@ -447,6 +447,12 @@ public: */ static SkDngImage* NewFromStream(SkRawStream* stream) { std::unique_ptr dngImage(new SkDngImage(stream)); +#if defined(IS_FUZZING_WITH_LIBFUZZER) + // Libfuzzer easily runs out of memory after here. To avoid that + // We just pretend all streams are invalid. Our AFL-fuzzer + // should still exercise this code; it's more resistant to OOM. + return nullptr; +#endif if (!dngImage->initFromPiex() && !dngImage->readDng()) { return nullptr; } diff --git a/src/ports/SkMemory_malloc.cpp b/src/ports/SkMemory_malloc.cpp index d9351134b1..29e75433b9 100644 --- a/src/ports/SkMemory_malloc.cpp +++ b/src/ports/SkMemory_malloc.cpp @@ -15,7 +15,7 @@ static inline void sk_out_of_memory(size_t size) { SK_DEBUGFAILF("sk_out_of_memory (asked for " SK_SIZE_T_SPECIFIER " bytes)", size); -#if defined(IS_FUZZING) +#if defined(IS_FUZZING_WITH_AFL) exit(1); #else abort(); @@ -37,9 +37,6 @@ void sk_abort_no_print() { #endif #if defined(SK_DEBUG) && defined(SK_BUILD_FOR_WIN) __debugbreak(); -#endif -#if defined(IS_FUZZING) - exit(1); #else abort(); #endif -- cgit v1.2.3