/src/cgif/fuzz/cgif_fuzzer.c

Source
#include <cgif.h>

#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
  const uint8_t* pData;
  size_t         numBytes;
  size_t         curPos;
} ByteStream;

static int readdata(ByteStream* pStream, void* pDest, size_t size) {
  if((pStream->curPos + size) <= pStream->numBytes) {
    memcpy(pDest, &pStream->pData[pStream->curPos], size);
    pStream->curPos += size;
    return 0;
  }
  // error: out of bounds
  pStream->curPos = pStream->numBytes; // mark stream as out of sync
  return -1;
}

static int read_gifconfig(ByteStream* pStream, CGIF_Config* pDest) {
  int r;

  memset(pDest, 0, sizeof(CGIF_Config));
  // width     : U16
  // height    : U16
  // attrFlags : U32
  // genFlags  : U32
  // sizeGCT   : U16
  // numLoops  : U16
  // pGCT      : U8[sizeGCT * 3]
  r  = readdata(pStream, &pDest->width,                   2);
  r |= readdata(pStream, &pDest->height,                  2);
  r |= readdata(pStream, &pDest->attrFlags,               4);
  r |= readdata(pStream, &pDest->genFlags,                4);
  r |= readdata(pStream, &pDest->numGlobalPaletteEntries, 2);
  if(!(pDest->attrFlags & CGIF_ATTR_NO_GLOBAL_TABLE)) {
    pDest->pGlobalPalette = (uint8_t*)malloc(pDest->numGlobalPaletteEntries * 3);
    if(pDest->pGlobalPalette == NULL) return 0; // malloc failed
    r |= readdata(pStream, pDest->pGlobalPalette, pDest->numGlobalPaletteEntries * 3);
  }
  if(r) {
    free(pDest->pGlobalPalette);
  }
  return (r ? 0 : 1);
}

static int read_frameconfig(ByteStream* pStream, CGIF_FrameConfig* pDest, size_t sizeImageData) {
  int r;

  memset(pDest, 0, sizeof(CGIF_FrameConfig));
  // attrFlags  : U16
  // genFlags   : U16
  // delay      : U16
  // transIndex : U8
  // sizeLCT    : U16
  // pLCT       : U8[sizeLCT * 3]
  // pImageData : U8[sizeImageData]
  r  = readdata(pStream, &pDest->attrFlags,              2);
  r |= readdata(pStream, &pDest->genFlags,               2);
  r |= readdata(pStream, &pDest->delay,                  2);
  r |= readdata(pStream, &pDest->transIndex,             1);
  r |= readdata(pStream, &pDest->numLocalPaletteEntries, 2);
  if(pDest->attrFlags & CGIF_FRAME_ATTR_USE_LOCAL_TABLE) {
    pDest->pLocalPalette = (uint8_t*)malloc(pDest->numLocalPaletteEntries * 3);
    if(pDest->pLocalPalette == NULL) return 0; // malloc failed
    r |= readdata(pStream, pDest->pLocalPalette, pDest->numLocalPaletteEntries * 3);
  }
  pDest->pImageData = (uint8_t*)malloc(sizeImageData);
  if(pDest->pImageData == NULL) return 0; // malloc failed
  r |= readdata(pStream, pDest->pImageData, sizeImageData);
  if(r) {
    free(pDest->pImageData);
    free(pDest->pLocalPalette);
  }
  return (r ? 0 : 1);
}

static int writecb(void* pContext, const uint8_t* pData, size_t size) {
  (void)pContext;
  (void)pData;
  (void)size;
  // eat input
  return 0;
}

static int processInput(ByteStream* pStream) {
  CGIF_Config      gconfig;
  CGIF_FrameConfig fconfig;
  CGIF*            pGIF;
  size_t           sizeImageData;
  int              r;
  int              numFrames;

  r = read_gifconfig(pStream, &gconfig);
  if(!r) {
    return -1;
  }
  sizeImageData    = (uint32_t)gconfig.width * (uint32_t)gconfig.height;
  // limit dimensions of GIF to be created
  if(sizeImageData > (10000 * 10000)) {
    free(gconfig.pGlobalPalette);
    return -1;
  }
  gconfig.pWriteFn = writecb; // discard output
  pGIF             = cgif_newgif(&gconfig);
  free(gconfig.pGlobalPalette);
  if(pGIF == NULL) {
    return -1;
  }
  r = read_frameconfig(pStream, &fconfig, sizeImageData);
  numFrames = 1;
  while(r) {
    cgif_addframe(pGIF, &fconfig);
    free(fconfig.pImageData);
    free(fconfig.pLocalPalette);
    if(numFrames >= 16) {
      // limit number of frames to avoid timeouts: 16 should be more than enough
      break;
    }
    numFrames++;
    r = read_frameconfig(pStream, &fconfig, sizeImageData);
  }
  r = cgif_close(pGIF);
  return r;
}

#ifdef __cplusplus
extern "C"
#endif
int LLVMFuzzerTestOneInput(const uint8_t* pData, size_t numBytes) {
  ByteStream input = { pData, numBytes, 0 };
  processInput(&input);
  return 0;
}

Line	Count	Source
1		#include <cgif.h>
2
3		#include <stddef.h>
4		#include <stdint.h>
5		#include <stdlib.h>
6		#include <string.h>
7
8		typedef struct {
9		const uint8_t* pData;
10		size_t numBytes;
11		size_t curPos;
12		} ByteStream;
13
14	54.4k	static int readdata(ByteStream* pStream, void* pDest, size_t size) {
15	54.4k	if((pStream->curPos + size) <= pStream->numBytes) {
16	44.0k	memcpy(pDest, &pStream->pData[pStream->curPos], size);
17	44.0k	pStream->curPos += size;
18	44.0k	return 0;
19	44.0k	}
20		// error: out of bounds
21	10.3k	pStream->curPos = pStream->numBytes; // mark stream as out of sync
22	10.3k	return -1;
23	54.4k	}
24
25	1.93k	static int read_gifconfig(ByteStream* pStream, CGIF_Config* pDest) {
26	1.93k	int r;
27
28	1.93k	memset(pDest, 0, sizeof(CGIF_Config));
29		// width : U16
30		// height : U16
31		// attrFlags : U32
32		// genFlags : U32
33		// sizeGCT : U16
34		// numLoops : U16
35		// pGCT : U8[sizeGCT * 3]
36	1.93k	r = readdata(pStream, &pDest->width, 2);
37	1.93k	r \|= readdata(pStream, &pDest->height, 2);
38	1.93k	r \|= readdata(pStream, &pDest->attrFlags, 4);
39	1.93k	r \|= readdata(pStream, &pDest->genFlags, 4);
40	1.93k	r \|= readdata(pStream, &pDest->numGlobalPaletteEntries, 2);
41	1.93k	if(!(pDest->attrFlags & CGIF_ATTR_NO_GLOBAL_TABLE)) {
42	1.79k	pDest->pGlobalPalette = (uint8_t)malloc(pDest->numGlobalPaletteEntries 3);
43	1.79k	if(pDest->pGlobalPalette == NULL) return 0; // malloc failed
44	1.79k	r \|= readdata(pStream, pDest->pGlobalPalette, pDest->numGlobalPaletteEntries * 3);
45	1.79k	}
46	1.93k	if(r) {
47	42	free(pDest->pGlobalPalette);
48	42	}
49	1.93k	return (r ? 0 : 1);
50	1.93k	}
51
52	6.97k	static int read_frameconfig(ByteStream* pStream, CGIF_FrameConfig* pDest, size_t sizeImageData) {
53	6.97k	int r;
54
55	6.97k	memset(pDest, 0, sizeof(CGIF_FrameConfig));
56		// attrFlags : U16
57		// genFlags : U16
58		// delay : U16
59		// transIndex : U8
60		// sizeLCT : U16
61		// pLCT : U8[sizeLCT * 3]
62		// pImageData : U8[sizeImageData]
63	6.97k	r = readdata(pStream, &pDest->attrFlags, 2);
64	6.97k	r \|= readdata(pStream, &pDest->genFlags, 2);
65	6.97k	r \|= readdata(pStream, &pDest->delay, 2);
66	6.97k	r \|= readdata(pStream, &pDest->transIndex, 1);
67	6.97k	r \|= readdata(pStream, &pDest->numLocalPaletteEntries, 2);
68	6.97k	if(pDest->attrFlags & CGIF_FRAME_ATTR_USE_LOCAL_TABLE) {
69	1.10k	pDest->pLocalPalette = (uint8_t)malloc(pDest->numLocalPaletteEntries 3);
70	1.10k	if(pDest->pLocalPalette == NULL) return 0; // malloc failed
71	1.10k	r \|= readdata(pStream, pDest->pLocalPalette, pDest->numLocalPaletteEntries * 3);
72	1.10k	}
73	6.97k	pDest->pImageData = (uint8_t*)malloc(sizeImageData);
74	6.97k	if(pDest->pImageData == NULL) return 0; // malloc failed
75	6.97k	r \|= readdata(pStream, pDest->pImageData, sizeImageData);
76	6.97k	if(r) {
77	1.81k	free(pDest->pImageData);
78	1.81k	free(pDest->pLocalPalette);
79	1.81k	}
80	6.97k	return (r ? 0 : 1);
81	6.97k	}
82
83	39.3k	static int writecb(void* pContext, const uint8_t* pData, size_t size) {
84	39.3k	(void)pContext;
85	39.3k	(void)pData;
86	39.3k	(void)size;
87		// eat input
88	39.3k	return 0;
89	39.3k	}
90
91	1.93k	static int processInput(ByteStream* pStream) {
92	1.93k	CGIF_Config gconfig;
93	1.93k	CGIF_FrameConfig fconfig;
94	1.93k	CGIF* pGIF;
95	1.93k	size_t sizeImageData;
96	1.93k	int r;
97	1.93k	int numFrames;
98
99	1.93k	r = read_gifconfig(pStream, &gconfig);
100	1.93k	if(!r) {
101	42	return -1;
102	42	}
103	1.89k	sizeImageData = (uint32_t)gconfig.width * (uint32_t)gconfig.height;
104		// limit dimensions of GIF to be created
105	1.89k	if(sizeImageData > (10000 * 10000)) {
106	9	free(gconfig.pGlobalPalette);
107	9	return -1;
108	9	}
109	1.88k	gconfig.pWriteFn = writecb; // discard output
110	1.88k	pGIF = cgif_newgif(&gconfig);
111	1.88k	free(gconfig.pGlobalPalette);
112	1.88k	if(pGIF == NULL) {
113	21	return -1;
114	21	}
115	1.86k	r = read_frameconfig(pStream, &fconfig, sizeImageData);
116	1.86k	numFrames = 1;
117	6.97k	while(r) {
118	5.15k	cgif_addframe(pGIF, &fconfig);
119	5.15k	free(fconfig.pImageData);
120	5.15k	free(fconfig.pLocalPalette);
121	5.15k	if(numFrames >= 16) {
122		// limit number of frames to avoid timeouts: 16 should be more than enough
123	43	break;
124	43	}
125	5.11k	numFrames++;
126	5.11k	r = read_frameconfig(pStream, &fconfig, sizeImageData);
127	5.11k	}
128	1.86k	r = cgif_close(pGIF);
129	1.86k	return r;
130	1.88k	}
131
132		#ifdef __cplusplus
133		extern "C"
134		#endif
135	1.93k	int LLVMFuzzerTestOneInput(const uint8_t* pData, size_t numBytes) {
136	1.93k	ByteStream input = { pData, numBytes, 0 };
137	1.93k	processInput(&input);
138	1.93k	return 0;
139	1.93k	}

Coverage Report

Created: 2025-11-24 06:08