Line | Count | Source |
1 | | /* Copyright 2026 Google LLC |
2 | | Licensed under the Apache License, Version 2.0 (the "License"); |
3 | | you may not use this file except in compliance with the License. |
4 | | You may obtain a copy of the License at |
5 | | http://www.apache.org/licenses/LICENSE-2.0 |
6 | | Unless required by applicable law or agreed to in writing, software |
7 | | distributed under the License is distributed on an "AS IS" BASIS, |
8 | | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
9 | | See the License for the specific language governing permissions and |
10 | | limitations under the License. |
11 | | */ |
12 | | |
13 | | /* |
14 | | * Fuzzer for Ghostscript's PXL (PCL XL / PCL6) interpreter. |
15 | | * |
16 | | * PXL is a binary tagged protocol identified by the stream header |
17 | | * ") HP-PCL XL". We write fuzz data to a temp file with this header |
18 | | * prepended so ghostpdl's auto-detection routes it to the PXL |
19 | | * interpreter (confidence 100 in pxl_detect_language). |
20 | | */ |
21 | | |
22 | | #include <base/gserrors.h> |
23 | | #include <psi/iapi.h> |
24 | | |
25 | | #include <stdint.h> |
26 | | #include <stdio.h> |
27 | | #include <stdlib.h> |
28 | | #include <string.h> |
29 | | #include <unistd.h> |
30 | | |
31 | | static int gs_stdnull(void *inst, const char *buf, int len) |
32 | 15.1k | { |
33 | 15.1k | return len; |
34 | 15.1k | } |
35 | | |
36 | | /* Minimal PXL stream header: binding=';2', protocol=';0', newline */ |
37 | | static const char pxl_header[] = ") HP-PCL XL;2;0\n"; |
38 | | |
39 | 6.05k | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
40 | 6.05k | if (size == 0) |
41 | 0 | return 0; |
42 | | |
43 | | /* Write fuzz data to temp file with PXL header prefix */ |
44 | 6.05k | char infile[256]; |
45 | 6.05k | sprintf(infile, "/tmp/fuzz_pxl.%d", getpid()); |
46 | 6.05k | FILE *f = fopen(infile, "wb"); |
47 | 6.05k | if (!f) |
48 | 0 | return 0; |
49 | 6.05k | fwrite(pxl_header, 1, sizeof(pxl_header) - 1, f); |
50 | 6.05k | fwrite(data, 1, size, f); |
51 | 6.05k | fclose(f); |
52 | | |
53 | 6.05k | void *gs = NULL; |
54 | 6.05k | int ret = gsapi_new_instance(&gs, NULL); |
55 | 6.05k | if (ret < 0) { |
56 | 0 | unlink(infile); |
57 | 0 | return 0; |
58 | 0 | } |
59 | | |
60 | 6.05k | gsapi_set_stdio(gs, NULL, gs_stdnull, gs_stdnull); |
61 | 6.05k | gsapi_set_arg_encoding(gs, GS_ARG_ENCODING_UTF8); |
62 | | |
63 | 6.05k | char *args[] = { |
64 | 6.05k | (char *)"gpdl", |
65 | 6.05k | (char *)"-dNOPAUSE", |
66 | 6.05k | (char *)"-dBATCH", |
67 | 6.05k | (char *)"-dQUIET", |
68 | 6.05k | (char *)"-dSAFER", |
69 | 6.05k | (char *)"-sDEVICE=nullpage", |
70 | 6.05k | (char *)"-sOutputFile=/dev/null", |
71 | 6.05k | (char *)"-r72x72", |
72 | 6.05k | infile, |
73 | 6.05k | }; |
74 | 6.05k | int argc = sizeof(args) / sizeof(args[0]); |
75 | | |
76 | 6.05k | ret = gsapi_init_with_args(gs, argc, args); |
77 | 6.05k | gsapi_exit(gs); |
78 | 6.05k | gsapi_delete_instance(gs); |
79 | | |
80 | 6.05k | unlink(infile); |
81 | 6.05k | return 0; |
82 | 6.05k | } |