/src/libjpeg-turbo.main/fuzz/decompress_yuv.cc
Line  | Count  | Source (jump to first uncovered line)  | 
1  |  | /*  | 
2  |  |  * Copyright (C)2021-2023 D. R. Commander.  All Rights Reserved.  | 
3  |  |  *  | 
4  |  |  * Redistribution and use in source and binary forms, with or without  | 
5  |  |  * modification, are permitted provided that the following conditions are met:  | 
6  |  |  *  | 
7  |  |  * - Redistributions of source code must retain the above copyright notice,  | 
8  |  |  *   this list of conditions and the following disclaimer.  | 
9  |  |  * - Redistributions in binary form must reproduce the above copyright notice,  | 
10  |  |  *   this list of conditions and the following disclaimer in the documentation  | 
11  |  |  *   and/or other materials provided with the distribution.  | 
12  |  |  * - Neither the name of the libjpeg-turbo Project nor the names of its  | 
13  |  |  *   contributors may be used to endorse or promote products derived from this  | 
14  |  |  *   software without specific prior written permission.  | 
15  |  |  *  | 
16  |  |  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",  | 
17  |  |  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE  | 
18  |  |  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE  | 
19  |  |  * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE  | 
20  |  |  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR  | 
21  |  |  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF  | 
22  |  |  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS  | 
23  |  |  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN  | 
24  |  |  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)  | 
25  |  |  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE  | 
26  |  |  * POSSIBILITY OF SUCH DAMAGE.  | 
27  |  |  */  | 
28  |  |  | 
29  |  | #include <turbojpeg.h>  | 
30  |  | #include <stdlib.h>  | 
31  |  | #include <stdint.h>  | 
32  |  |  | 
33  |  |  | 
34  | 4.85k  | #define NUMPF  3  | 
35  |  |  | 
36  |  |  | 
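/*
 * libFuzzer entry point for the TurboJPEG "decompress to planar YUV, then
 * decode YUV to packed pixels" path.
 *
 * data/size are the fuzzer-supplied bytes and are treated as an untrusted
 * JPEG stream.  The function always returns 0 and releases every buffer and
 * the TurboJPEG handle on all paths through the single bailout label.
 *
 * Resource bounds applied to the untrusted input:
 *   - images with zero pixels or more than 1 Megapixel are skipped, which
 *     also keeps the int products w * h * tjPixelSize[pf] well below INT_MAX;
 *   - TJPARAM_SCANLIMIT is set to 500 so that a progressive JPEG with an
 *     excessive number of scans is rejected by the library instead of
 *     stalling the fuzzer.
 *
 * Coverage notes from the report this listing was taken from (5.67k
 * executions): 848 inputs were rejected by the header parser, 720 by the
 * size check, 3.85k loop iterations ended in a decode error and 750
 * completed.  The tj3Init() failure branch, both malloc() failure branches
 * and the final "sum" guard were never taken; the IDCT scaling branch ran
 * 258 times.
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
  tjhandle handle = NULL;
  unsigned char *dstBuf = NULL, *yuvBuf = NULL;
  int width = 0, height = 0, jpegSubsamp, pfi;
  /* TJPF_RGB-TJPF_BGR share the same code paths, as do TJPF_RGBX-TJPF_XRGB and
     TJPF_RGBA-TJPF_ARGB.  Thus, the pixel formats below should be the minimum
     necessary to achieve full coverage. */
  enum TJPF pixelFormats[NUMPF] =
    { TJPF_BGR, TJPF_XRGB, TJPF_GRAY };
#if defined(__has_feature) && __has_feature(memory_sanitizer)
  /* putenv() stores the pointer it is given rather than copying the string,
     so the buffer must outlive this call (CERT POS34-C).  Static storage
     keeps the environment entry valid after the function returns. */
  static char env[18] = "JSIMD_FORCENONE=1";

  /* The libjpeg-turbo SIMD extensions produce false positives with
     MemorySanitizer. */
  putenv(env);
#endif

  if ((handle = tj3Init(TJINIT_DECOMPRESS)) == NULL)
    goto bailout;

  /* Parse only the header first; malformed streams are dropped here. */
  if (tj3DecompressHeader(handle, data, size) < 0)
    goto bailout;
  width = tj3Get(handle, TJPARAM_JPEGWIDTH);
  height = tj3Get(handle, TJPARAM_JPEGHEIGHT);
  jpegSubsamp = tj3Get(handle, TJPARAM_SUBSAMP);

  /* Ignore 0-pixel images and images larger than 1 Megapixel.  Casting width
     to (uint64_t) prevents integer overflow if width * height > INT_MAX. */
  if (width < 1 || height < 1 || (uint64_t)width * height > 1048576)
    goto bailout;

  /* Cap the number of progressive scans the decompressor will accept. */
  tj3Set(handle, TJPARAM_SCANLIMIT, 500);

  for (pfi = 0; pfi < NUMPF; pfi++) {
    int w = width, h = height;
    int pf = pixelFormats[pfi], i, sum = 0, numBytes;

    /* Test non-default decompression options on the first iteration. */
    if (!tj3Get(handle, TJPARAM_LOSSLESS)) {
      tj3Set(handle, TJPARAM_BOTTOMUP, pfi == 0);
      tj3Set(handle, TJPARAM_FASTUPSAMPLE, pfi == 0);
      tj3Set(handle, TJPARAM_FASTDCT, pfi == 0);

      /* Test IDCT scaling on the second iteration. */
      if (pfi == 1) {
        tjscalingfactor sf = { 3, 4 };
        tj3SetScalingFactor(handle, sf);
        w = TJSCALED(width, sf);
        h = TJSCALED(height, sf);
      } else
        tj3SetScalingFactor(handle, TJUNSCALED);
    }

    /* Size of the packed-pixel output.  The 1 Megapixel limit above bounds
       this product, so the int arithmetic cannot overflow. */
    numBytes = w * h * tjPixelSize[pf];

    if ((dstBuf = (unsigned char *)malloc(numBytes)) == NULL)
      goto bailout;
    /* NOTE(review): tj3YUVBufSize() is documented to return 0 when its
       arguments are out of bounds, and the result goes to malloc()
       unchecked.  Rejecting an unusable subsampling level is therefore left
       to tj3DecompressToYUV8() -- confirm that this is intended. */
    if ((yuvBuf =
         (unsigned char *)malloc(tj3YUVBufSize(w, 1, h, jpegSubsamp))) == NULL)
      goto bailout;

    /* Either stage failing ends the run for this input; the bailout path
       frees both buffers. */
    if (tj3DecompressToYUV8(handle, data, size, yuvBuf, 1) != 0 ||
        tj3DecodeYUV8(handle, yuvBuf, 1, dstBuf, w, 0, h, pf) != 0)
      goto bailout;

    /* Touch all of the output pixels in order to catch uninitialized reads
       when using MemorySanitizer. */
    for (i = 0; i < numBytes; i++)
      sum += dstBuf[i];

    /* Reset the pointers after freeing so that the bailout path cannot free
       them a second time. */
    free(dstBuf);
    dstBuf = NULL;
    free(yuvBuf);
    yuvBuf = NULL;

    /* Prevent the code above from being optimized out.  This test should never
       be true, but the compiler doesn't know that. */
    if (sum > 255 * 1048576 * tjPixelSize[pf])
      goto bailout;
  }

bailout:
  free(dstBuf);
  free(yuvBuf);
  tj3Destroy(handle);
  return 0;
}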