Coverage Report

Created: 2025-08-11 07:07

/src/cms_transform_extended_fuzzer.c
Line
Count
Source (jump to first uncovered line)
1
/* Copyright 2022 Google LLC
2
Licensed under the Apache License, Version 2.0 (the "License");
3
you may not use this file except in compliance with the License.
4
You may obtain a copy of the License at
5
      http://www.apache.org/licenses/LICENSE-2.0
6
Unless required by applicable law or agreed to in writing, software
7
distributed under the License is distributed on an "AS IS" BASIS,
8
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9
See the License for the specific language governing permissions and
10
limitations under the License.
11
*/
12
13
#include <stdint.h>
14
#include "lcms2.h"
15
16
// An extended cmsDoTransform fuzzer. The idea is to include a range of
17
// input/output source formats.
18
19
void
20
run_test(const uint8_t *data,
21
         size_t size,
22
         uint32_t intent,
23
5.60k
         uint32_t flags, int dstVal) {
24
5.60k
  if (size < 2) {
25
2
    return;
26
2
  }
27
28
5.59k
  cmsHPROFILE srcProfile = cmsOpenProfileFromMem(data, size);
29
5.59k
  if (!srcProfile) return;
30
31
  // Select dstProfile and dstFormat
32
4.95k
  cmsHPROFILE dstProfile;
33
4.95k
  uint32_t dstFormat;
34
4.95k
  if (dstVal == 1) {
35
492
    dstProfile = cmsCreateLab4Profile(NULL);
36
492
    dstFormat = TYPE_Lab_8;
37
492
  }
38
4.46k
  else if (dstVal == 2) {
39
460
    dstProfile = cmsCreateLab2Profile(NULL);
40
460
    dstFormat = TYPE_LabV2_8;
41
460
  }
42
4.00k
  else if (dstVal == 3) {
43
164
    cmsToneCurve* gamma18;
44
164
    gamma18 = cmsBuildGamma(0, 1.8);
45
164
    dstProfile = cmsCreateGrayProfile(NULL, gamma18);
46
164
    cmsFreeToneCurve(gamma18);
47
164
    dstFormat = TYPE_GRAY_FLT | EXTRA_SH(1);
48
164
  }
49
3.84k
  else if (dstVal == 4) {
50
459
    dstProfile = cmsCreateXYZProfile();
51
459
    dstFormat = TYPE_XYZ_16;
52
459
  }
53
3.38k
  else if (dstVal == 5) {
54
296
    dstProfile = cmsCreateXYZProfile();
55
296
    dstFormat = TYPE_XYZ_DBL;
56
296
  }
57
3.08k
  else if (dstVal == 6) {
58
550
    dstProfile = cmsCreateLab4Profile(NULL);
59
550
    dstFormat = TYPE_Lab_DBL;
60
550
  }
61
2.53k
  else if (dstVal == 7) {
62
333
    dstProfile = cmsCreateLab4Profile(NULL);
63
333
    dstFormat = TYPE_Lab_DBL;
64
333
  }
65
2.20k
  else if (dstVal == 8){
66
242
    dstProfile = cmsCreate_OkLabProfile(NULL);
67
242
    dstFormat = (FLOAT_SH(1)|COLORSPACE_SH(PT_MCH3)|CHANNELS_SH(3)|BYTES_SH(0));
68
242
  }
69
1.96k
  else if (dstVal == 9){
70
249
    dstProfile = cmsCreateNULLProfile();
71
249
    dstFormat = 0;
72
249
  }
73
1.71k
  else if (dstVal == 10){
74
500
    dstProfile = cmsCreateBCHSWabstractProfile(17, 0, 1.2, 0, 3, 5000, 5000);
75
500
    dstFormat = TYPE_Lab_DBL;
76
500
  }
77
1.21k
  else {
78
1.21k
    dstProfile = cmsCreate_sRGBProfile();
79
1.21k
    dstFormat = TYPE_RGB_8;
80
1.21k
  }
81
82
4.95k
  if (!dstProfile) {
83
0
    cmsCloseProfile(srcProfile);
84
0
    return;
85
0
  }
86
87
  // Extract srcFormat from the random src profile
88
4.95k
  cmsColorSpaceSignature srcCS = cmsGetColorSpace(srcProfile);
89
4.95k
  cmsUInt32Number nSrcComponents = cmsChannelsOf(srcCS);
90
4.95k
  cmsUInt32Number srcFormat;
91
4.95k
  if (srcCS == cmsSigLabData) {
92
244
    if (dstVal != 7) {
93
236
        srcFormat =
94
236
            COLORSPACE_SH(PT_Lab) | CHANNELS_SH(nSrcComponents) | BYTES_SH(0);
95
236
    }
96
8
    else {
97
8
        srcFormat =
98
8
            COLORSPACE_SH(PT_Lab) | CHANNELS_SH(nSrcComponents) | BYTES_SH(0) | FLOAT_SH(1);
99
8
    }
100
4.71k
  } else {
101
4.71k
    srcFormat =
102
4.71k
        COLORSPACE_SH(PT_ANY) | CHANNELS_SH(nSrcComponents) | BYTES_SH(1);
103
4.71k
  }
104
105
  // Create the transform
106
4.95k
  cmsContext ctx = cmsCreateContext(NULL, NULL);
107
4.95k
  cmsHTRANSFORM hTransform = cmsCreateTransformTHR(
108
4.95k
    ctx,
109
4.95k
    srcProfile,
110
4.95k
    srcFormat,
111
4.95k
    dstProfile,
112
4.95k
    dstFormat,
113
4.95k
    intent,
114
4.95k
    flags);
115
116
4.95k
  cmsCloseProfile(srcProfile);
117
4.95k
  cmsCloseProfile(dstProfile);
118
4.95k
  if (!hTransform) return;
119
120
121
  // Do transformation.
122
  // The output buffer type depends on the dstFormat
123
  // The input buffer type depends on the srcFormat.
124
1.06k
  if (T_BYTES(srcFormat) == 0) {  // 0 means double
125
    // Ensure output is large enough
126
4
    long long output[nSrcComponents*4];
127
4
    double input[nSrcComponents];
128
16
    for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 0.5f;
129
4
    cmsDoTransform(hTransform, input, output, 1);
130
4
  } 
131
1.05k
  else {
132
1.05k
    uint8_t input[nSrcComponents];
133
4.84k
    for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 128;
134
135
1.05k
    if (dstFormat == TYPE_XYZ_16) {
136
92
      cmsCIEXYZ output_XYZ = { 0, 0, 0 };
137
92
      cmsDoTransform(hTransform, input, &output_XYZ, 1);
138
92
    }
139
964
    else if (dstFormat == TYPE_XYZ_DBL) {
140
28
      cmsCIEXYZTRIPLE out[4];
141
28
      cmsDoTransform(hTransform, input, out, 1);
142
28
    }
143
936
    else if (dstFormat == TYPE_Lab_DBL || dstFormat == (FLOAT_SH(1)|COLORSPACE_SH(PT_MCH3)|CHANNELS_SH(3)|BYTES_SH(0))) {
144
280
      cmsCIELab Lab1;
145
280
      cmsDoTransform(hTransform, input, &Lab1, 1);
146
280
    }
147
656
    else {
148
656
      uint8_t output[4];
149
656
      cmsDoTransform(hTransform, input, output, 1);
150
656
    }
151
1.05k
  }
152
1.06k
  cmsDeleteTransform(hTransform);
153
1.06k
}
154
155
156
12.3k
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
157
12.3k
  if (size < 12) {
158
12
    return 0;
159
12
  }
160
161
12.3k
  uint32_t flags         = *((const uint32_t *)data+0);
162
12.3k
  uint32_t intent        = *((const uint32_t *)data+1) % 16;
163
12.3k
  int decider = *((int*)data+2) % 11;
164
12.3k
  data += 12;
165
12.3k
  size -= 12;
166
167
  // Transform using various output formats.
168
12.3k
  run_test(data, size, intent, flags, decider);
169
170
12.3k
  return 0;
171
12.3k
}