From 9eeede2e710f0e5fab0f65e06e8d40a40cdaebcd Mon Sep 17 00:00:00 2001
From: Kevin Lubick
Date: Thu, 3 May 2018 16:26:10 -0400
Subject: Add Skottie fuzzer (via json input)

Bug: skia:
Change-Id: I97543b73755fca73f2ad014113ae8cd2c9227cf3
Reviewed-on: https://skia-review.googlesource.com/125820
Reviewed-by: Florin Malita
Commit-Queue: Kevin Lubick
---
 fuzz/fuzz.cpp | 22 ++++++++++++++++++----
 fuzz/oss_fuzz/FuzzSkottieJSON.cpp | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 4 deletions(-)
 create mode 100644 fuzz/oss_fuzz/FuzzSkottieJSON.cpp
(limited to 'fuzz')

diff --git a/fuzz/fuzz.cpp b/fuzz/fuzz.cpp
index baaefd390d..c2a8ca0dc3 100644
--- a/fuzz/fuzz.cpp
+++ b/fuzz/fuzz.cpp
@@ -18,6 +18,7 @@
 #include "SkPaint.h"
 #include "SkPath.h"
 #include "SkPicture.h"
+#include "Skottie.h"
 #include "SkPipe.h"
 #include "SkReadBuffer.h"
 #include "SkStream.h"
@@ -58,6 +59,7 @@ DEFINE_string2(type, t, "", "How to interpret --bytes, one of:\n"
 "region_set_path\n"
 "skp\n"
 "sksl2glsl\n"
+ "skottie_json\n"
 "textblob");
 
 static int fuzz_file(SkString path, SkString type);
@@ -74,6 +76,7 @@ static void fuzz_img(sk_sp, uint8_t, uint8_t);
 static void fuzz_path_deserialize(sk_sp);
 static void fuzz_region_deserialize(sk_sp);
 static void fuzz_region_set_path(sk_sp);
+static void fuzz_skottie_json(sk_sp);
 static void fuzz_skp(sk_sp);
 static void fuzz_skpipe(sk_sp);
 static void fuzz_textblob_deserialize(sk_sp);
@@ -158,6 +161,10 @@ static int fuzz_file(SkString path, SkString type) {
 fuzz_img(bytes, 0, option);
 return 0;
 }
+ if (type.equals("filter_fuzz")) {
+ fuzz_filter_fuzz(bytes);
+ return 0;
+ }
 if (type.equals("path_deserialize")) {
 fuzz_path_deserialize(bytes);
 return 0;
@@ -174,12 +181,12 @@ static int fuzz_file(SkString path, SkString type) {
 fuzz_skpipe(bytes);
 return 0;
 }
- if (type.equals("skp")) {
- fuzz_skp(bytes);
+ if (type.equals("skottie_json")) {
+ fuzz_skottie_json(bytes);
 return 0;
 }
- if (type.equals("filter_fuzz")) {
- fuzz_filter_fuzz(bytes);
+ if (type.equals("skp")) {
+ fuzz_skp(bytes);
 return 0;
 }
 if (type.equals("textblob")) {
@@ -257,6 +264,13 @@ static SkString try_auto_detect(SkString path, SkString* name) {
 return SkString("");
 }
 
+void FuzzSkottieJSON(sk_sp bytes);
+
+static void fuzz_skottie_json(sk_sp bytes){
+ FuzzSkottieJSON(bytes);
+ SkDebugf("[terminated] Done animating!\n");
+}
+
 // This adds up the first 1024 bytes and returns it as an 8 bit integer. This allows afl-fuzz to
 // deterministically excercise different paths, or *options* (such as different scaling sizes or
 // different image modes) without needing to introduce a parameter. This way we don't need a
diff --git a/fuzz/oss_fuzz/FuzzSkottieJSON.cpp b/fuzz/oss_fuzz/FuzzSkottieJSON.cpp
new file mode 100644
index 0000000000..e4f19ccad7
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzSkottieJSON.cpp
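Review bot: The prototype `void FuzzSkottieJSON(sk_sp bytes);` added in the second hunk of this line is a hand-written duplicate of the definition in fuzz/oss_fuzz/FuzzSkottieJSON.cpp; the two translation units share no header, so a later change to either signature surfaces only as an unresolved symbol at link time. Declaring the entry point once in a small shared header included by both files keeps them in sync. In the same hunk `static void fuzz_skottie_json(sk_sp bytes){` lacks the space before the brace that the definitions visible in this line's hunk headers use (`static int fuzz_file(SkString path, SkString type) {`, `static SkString try_auto_detect(SkString path, SkString* name) {`); change it to `static void fuzz_skottie_json(sk_sp bytes) {`. Note also that `[terminated] Done animating!` is printed even when `FuzzSkottieJSON` returned early because the JSON did not parse into an animation, so the marker does not distinguish a parse failure from a completed tick when triaging a run.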
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2018 Google, LLC
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "SkData.h"
+#include "Skottie.h"
+#include "SkStream.h"
+
+void FuzzSkottieJSON(sk_sp bytes) {
+ // Always returns nullptr to any resource
+ class EmptyResourceProvider final : public skottie::ResourceProvider {
+ public:
+ std::unique_ptr openStream(const char resource[]) const override {
+ return nullptr;
+ }
+ };
+ SkMemoryStream stream(bytes);
+ EmptyResourceProvider erp;
+ auto animation = skottie::Animation::Make(&stream, erp);
+ if (!animation) {
+ return;
+ }
+ animation->animationTick(1337); // A "nothing up my sleeve" number
+}
+
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ auto bytes = SkData::MakeWithoutCopy(data, size);
+ FuzzSkottieJSON(bytes);
+ return 0;
+}
+#endif
-- 
cgit v1.2.3
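Review bot: `animation->animationTick(1337)` drives the parsed animation at one fixed time, so for every input the interpolation and property-evaluation code runs for exactly one frame and nothing in the fuzz input ever varies the time; a few ticks spread across the animation's timeline (its duration, if the Animation exposes one) would cover considerably more of that code per input at little extra cost, and nothing is rendered, so the drawing paths are not reached by this target at all — worth a comment stating that the target is scoped to parsing plus one tick. In `EmptyResourceProvider::openStream(const char resource[])` the parameter is unused; leave it unnamed (`const char[]`) so builds with -Wunused-parameter stay quiet. In `LLVMFuzzerTestOneInput`, `SkData::MakeWithoutCopy(data, size)` aliases libFuzzer's buffer, which is only valid for the duration of the call; that is fine here because `animation` goes out of scope before `FuzzSkottieJSON` returns (assuming nothing inside skottie retains the stream data), but a one-line comment `// bytes aliases libFuzzer's buffer; nothing may retain it past this call` would make the invariant explicit.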