1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
/*
* Copyright 2018 Google LLC
*
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#include "Fuzz.h"
#include "SkBitmap.h"
#include "SkImage.h"
#include "SkImageInfo.h"
#include "SkJpegEncoder.h"
#include "SkPixmap.h"
#include "SkPngEncoder.h"
#include "SkRandom.h"
#include "SkWebpEncoder.h"
#include "SkOSFile.h"
#include <vector>
// These values were picked arbitrarily to hopefully limit the size of the
// serialized SkPixmaps.
constexpr int MAX_WIDTH = 512;
constexpr int MAX_HEIGHT = 512;
static SkBitmap make_fuzzed_bitmap(Fuzz* fuzz) {
SkBitmap bm;
uint32_t w, h;
fuzz->nextRange(&w, 1, MAX_WIDTH);
fuzz->nextRange(&h, 1, MAX_HEIGHT);
if (!bm.tryAllocPixels(SkImageInfo::MakeN32Premul(w, h))) {
return bm;
}
uint32_t n = w * h;
fuzz->nextN((SkPMColor*)bm.getPixels(), n);
return bm;
}
DEF_FUZZ(PNGEncoder, fuzz) {
auto bm = make_fuzzed_bitmap(fuzz);
auto opts = SkPngEncoder::Options{};
fuzz->nextRange(&opts.fZLibLevel, 0, 9);
SkDynamicMemoryWStream dest;
SkPngEncoder::Encode(&dest, bm.pixmap(), opts);
}
DEF_FUZZ(JPEGEncoder, fuzz) {
auto bm = make_fuzzed_bitmap(fuzz);
auto opts = SkJpegEncoder::Options{};
fuzz->nextRange(&opts.fQuality, 0, 100);
SkDynamicMemoryWStream dest;
(void)SkJpegEncoder::Encode(&dest, bm.pixmap(), opts);
}
DEF_FUZZ(WEBPEncoder, fuzz) {
auto bm = make_fuzzed_bitmap(fuzz);
auto opts = SkWebpEncoder::Options{};
fuzz->nextRange(&opts.fQuality, 0.0f, 100.0f);
bool lossy;
fuzz->next(&lossy);
if (lossy) {
opts.fCompression = SkWebpEncoder::Compression::kLossy;
} else {
opts.fCompression = SkWebpEncoder::Compression::kLossless;
}
SkDynamicMemoryWStream dest;
(void)SkWebpEncoder::Encode(&dest, bm.pixmap(), opts);
}
// Not a real fuzz endpoint, but a helper to take in real, good images
// and dump out a corpus for this fuzzer.
DEF_FUZZ(_MakeEncoderCorpus, fuzz) {
auto bytes = fuzz->fBytes;
SkDebugf("bytes %d\n", bytes->size());
auto img = SkImage::MakeFromEncoded(bytes);
if (nullptr == img.get()) {
SkDebugf("invalid image, could not decode\n");
return;
}
if (img->width() > MAX_WIDTH || img->height() > MAX_HEIGHT) {
SkDebugf("Too big (%d x %d)\n", img->width(), img->height());
return;
}
std::vector<int32_t> dstPixels;
int rowBytes = img->width() * 4;
dstPixels.resize(img->height() * rowBytes);
SkPixmap pm(SkImageInfo::MakeN32Premul(img->width(), img->height()),
&dstPixels.front(), rowBytes);
if (!img->readPixels(pm, 0, 0)) {
SkDebugf("Could not read pixmap\n");
return;
}
SkString s("./encoded_corpus/enc_");
static SkRandom rand;
s.appendU32(rand.nextU());
auto file = sk_fopen(s.c_str(), SkFILE_Flags::kWrite_SkFILE_Flag);
if (!file) {
SkDebugf("Can't initialize file\n");
return;
}
auto total = pm.info().bytesPerPixel() * pm.width() * pm.height();
SkDebugf("Writing %d (%d x %d) bytes\n", total, pm.width(), pm.height());
// Write out the size in two bytes since that's what the fuzzer will
// read first.
uint32_t w = pm.width();
sk_fwrite(&w, sizeof(uint32_t), file);
uint32_t h = pm.height();
sk_fwrite(&h, sizeof(uint32_t), file);
sk_fwrite(pm.addr(), total, file);
sk_fclose(file);
}
|