/src/libjpeg-turbo.main/fuzz/decompress.cc

Source (jump to first uncovered line)
/*
 * Copyright (C)2021-2023 D. R. Commander.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 * - Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 * - Neither the name of the libjpeg-turbo Project nor the names of its
 *   contributors may be used to endorse or promote products derived from this
 *   software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <turbojpeg.h>
#include <stdlib.h>
#include <stdint.h>


#define NUMPF  4


extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
  tjhandle handle = NULL;
  void *dstBuf = NULL;
  int width = 0, height = 0, precision, sampleSize, pfi;
  /* TJPF_RGB-TJPF_BGR share the same code paths, as do TJPF_RGBX-TJPF_XRGB and
     TJPF_RGBA-TJPF_ARGB.  Thus, the pixel formats below should be the minimum
     necessary to achieve full coverage. */
  enum TJPF pixelFormats[NUMPF] =
    { TJPF_RGB, TJPF_BGRX, TJPF_GRAY, TJPF_CMYK };
#if defined(__has_feature) && __has_feature(memory_sanitizer)
  char env[18] = "JSIMD_FORCENONE=1";

  /* The libjpeg-turbo SIMD extensions produce false positives with
     MemorySanitizer. */
  putenv(env);
#endif

  if ((handle = tj3Init(TJINIT_DECOMPRESS)) == NULL)
    goto bailout;

  if (tj3DecompressHeader(handle, data, size) < 0)
    goto bailout;
  width = tj3Get(handle, TJPARAM_JPEGWIDTH);
  height = tj3Get(handle, TJPARAM_JPEGHEIGHT);
  precision = tj3Get(handle, TJPARAM_PRECISION);
  sampleSize = (precision > 8 ? 2 : 1);

  /* Ignore 0-pixel images and images larger than 1 Megapixel, as Google's
     OSS-Fuzz target for libjpeg-turbo did.  Casting width to (uint64_t)
     prevents integer overflow if width * height > INT_MAX. */
  if (width < 1 || height < 1 || (uint64_t)width * height > 1048576)
    goto bailout;

  tj3Set(handle, TJPARAM_SCANLIMIT, 500);

  for (pfi = 0; pfi < NUMPF; pfi++) {
    int w = width, h = height;
    int pf = pixelFormats[pfi], i;
    int64_t sum = 0;

    /* Test non-default decompression options on the first iteration. */
    tj3Set(handle, TJPARAM_BOTTOMUP, pfi == 0);
    tj3Set(handle, TJPARAM_FASTUPSAMPLE, pfi == 0);

    if (!tj3Get(handle, TJPARAM_LOSSLESS)) {
      tj3Set(handle, TJPARAM_FASTDCT, pfi == 0);

      /* Test IDCT scaling on the second iteration. */
      if (pfi == 1) {
        tjscalingfactor sf = { 1, 2 };
        tj3SetScalingFactor(handle, sf);
        w = TJSCALED(width, sf);
        h = TJSCALED(height, sf);
      } else
        tj3SetScalingFactor(handle, TJUNSCALED);

      /* Test partial image decompression on the fourth iteration, if the image
         is large enough. */
      if (pfi == 3 && w >= 97 && h >= 75) {
        tjregion cr = { 32, 16, 65, 59 };
        tj3SetCroppingRegion(handle, cr);
      } else
        tj3SetCroppingRegion(handle, TJUNCROPPED);
    }

    if ((dstBuf = malloc(w * h * tjPixelSize[pf] * sampleSize)) == NULL)
      goto bailout;

    if (precision == 8) {
      if (tj3Decompress8(handle, data, size, (unsigned char *)dstBuf, 0,
                         pf) == 0) {
        /* Touch all of the output pixels in order to catch uninitialized reads
           when using MemorySanitizer. */
        for (i = 0; i < w * h * tjPixelSize[pf]; i++)
          sum += ((unsigned char *)dstBuf)[i];
      } else
        goto bailout;
    } else if (precision == 12) {
      if (tj3Decompress12(handle, data, size, (short *)dstBuf, 0, pf) == 0) {
        /* Touch all of the output pixels in order to catch uninitialized reads
           when using MemorySanitizer. */
        for (i = 0; i < w * h * tjPixelSize[pf]; i++)
          sum += ((short *)dstBuf)[i];
      } else
        goto bailout;
    } else {
      if (tj3Decompress16(handle, data, size, (unsigned short *)dstBuf, 0,
                          pf) == 0) {
        /* Touch all of the output pixels in order to catch uninitialized reads
           when using MemorySanitizer. */
        for (i = 0; i < w * h * tjPixelSize[pf]; i++)
          sum += ((unsigned short *)dstBuf)[i];
      } else
        goto bailout;
    }

    free(dstBuf);
    dstBuf = NULL;

    /* Prevent the code above from being optimized out.  This test should never
       be true, but the compiler doesn't know that. */
    if (sum > ((1LL << precision) - 1LL) * 1048576LL * tjPixelSize[pf])
      goto bailout;
  }

bailout:
  free(dstBuf);
  tj3Destroy(handle);
  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright (C)2021-2023 D. R. Commander. All Rights Reserved.
3		*
4		* Redistribution and use in source and binary forms, with or without
5		* modification, are permitted provided that the following conditions are met:
6		*
7		* - Redistributions of source code must retain the above copyright notice,
8		* this list of conditions and the following disclaimer.
9		* - Redistributions in binary form must reproduce the above copyright notice,
10		* this list of conditions and the following disclaimer in the documentation
11		* and/or other materials provided with the distribution.
12		* - Neither the name of the libjpeg-turbo Project nor the names of its
13		* contributors may be used to endorse or promote products derived from this
14		* software without specific prior written permission.
15		*
16		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
17		* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19		* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
20		* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21		* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22		* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23		* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24		* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25		* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26		* POSSIBILITY OF SUCH DAMAGE.
27		*/
28
29		#include <turbojpeg.h>
30		#include <stdlib.h>
31		#include <stdint.h>
32
33
34	7.81k	#define NUMPF 4
35
36
37		extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
38	6.81k	{
39	6.81k	tjhandle handle = NULL;
40	6.81k	void *dstBuf = NULL;
41	6.81k	int width = 0, height = 0, precision, sampleSize, pfi;
42		/* TJPF_RGB-TJPF_BGR share the same code paths, as do TJPF_RGBX-TJPF_XRGB and
43		TJPF_RGBA-TJPF_ARGB. Thus, the pixel formats below should be the minimum
44		necessary to achieve full coverage. */
45	6.81k	enum TJPF pixelFormats[NUMPF] =
46	6.81k	{ TJPF_RGB, TJPF_BGRX, TJPF_GRAY, TJPF_CMYK };
47		#if defined(__has_feature) && __has_feature(memory_sanitizer)
48		char env[18] = "JSIMD_FORCENONE=1";
49
50		/* The libjpeg-turbo SIMD extensions produce false positives with
51		MemorySanitizer. */
52		putenv(env);
53		#endif
54
55	6.81k	if ((handle = tj3Init(TJINIT_DECOMPRESS)) == NULL)
56	0	goto bailout;
57
58	6.81k	if (tj3DecompressHeader(handle, data, size) < 0)
59	794	goto bailout;
60	6.02k	width = tj3Get(handle, TJPARAM_JPEGWIDTH);
61	6.02k	height = tj3Get(handle, TJPARAM_JPEGHEIGHT);
62	6.02k	precision = tj3Get(handle, TJPARAM_PRECISION);
63	6.02k	sampleSize = (precision > 8 ? 2 : 1);
64
65		/* Ignore 0-pixel images and images larger than 1 Megapixel, as Google's
66		OSS-Fuzz target for libjpeg-turbo did. Casting width to (uint64_t)
67		prevents integer overflow if width * height > INT_MAX. */
68	6.02k	if (width < 1 \|\| height < 1 \|\| (uint64_t)width * height > 1048576)
69	817	goto bailout;
70
71	5.20k	tj3Set(handle, TJPARAM_SCANLIMIT, 500);
72
73	7.81k	for (pfi = 0; pfi < NUMPF; pfi++) {
74	7.81k	int w = width, h = height;
75	7.81k	int pf = pixelFormats[pfi], i;
76	7.81k	int64_t sum = 0;
77
78		/* Test non-default decompression options on the first iteration. */
79	7.81k	tj3Set(handle, TJPARAM_BOTTOMUP, pfi == 0);
80	7.81k	tj3Set(handle, TJPARAM_FASTUPSAMPLE, pfi == 0);
81
82	7.81k	if (!tj3Get(handle, TJPARAM_LOSSLESS)) {
83	6.34k	tj3Set(handle, TJPARAM_FASTDCT, pfi == 0);
84
85		/* Test IDCT scaling on the second iteration. */
86	6.34k	if (pfi == 1) {
87	837	tjscalingfactor sf = { 1, 2 };
88	837	tj3SetScalingFactor(handle, sf);
89	837	w = TJSCALED(width, sf);
90	837	h = TJSCALED(height, sf);
91	837	} else
92	5.50k	tj3SetScalingFactor(handle, TJUNSCALED);
93
94		/* Test partial image decompression on the fourth iteration, if the image
95		is large enough. */
96	6.34k	if (pfi == 3 && w >= 97 && h >= 75) {
97	117	tjregion cr = { 32, 16, 65, 59 };
98	117	tj3SetCroppingRegion(handle, cr);
99	117	} else
100	6.22k	tj3SetCroppingRegion(handle, TJUNCROPPED);
101	6.34k	}
102
103	7.81k	if ((dstBuf = malloc(w * h * tjPixelSize[pf] * sampleSize)) == NULL)
104	0	goto bailout;
105
106	7.81k	if (precision == 8) {
107	3.18k	if (tj3Decompress8(handle, data, size, (unsigned char *)dstBuf, 0,
108	3.18k	pf) == 0) {
109		/* Touch all of the output pixels in order to catch uninitialized reads
110		when using MemorySanitizer. */
111	246M	for (i = 0; i < w * h * tjPixelSize[pf]; i++)
112	246M	sum += ((unsigned char *)dstBuf)[i];
113	579	} else
114	2.60k	goto bailout;
115	4.62k	} else if (precision == 12) {
116	4.02k	if (tj3Decompress12(handle, data, size, (short *)dstBuf, 0, pf) == 0) {
117		/* Touch all of the output pixels in order to catch uninitialized reads
118		when using MemorySanitizer. */
119	836M	for (i = 0; i < w * h * tjPixelSize[pf]; i++)
120	836M	sum += ((short *)dstBuf)[i];
121	1.96k	} else
122	2.06k	goto bailout;
123	4.02k	} else {
124	595	if (tj3Decompress16(handle, data, size, (unsigned short *)dstBuf, 0,
125	595	pf) == 0) {
126		/* Touch all of the output pixels in order to catch uninitialized reads
127		when using MemorySanitizer. */
128	135k	for (i = 0; i < w * h * tjPixelSize[pf]; i++)
129	135k	sum += ((unsigned short *)dstBuf)[i];
130	64	} else
131	531	goto bailout;
132	595	}
133
134	2.60k	free(dstBuf);
135	2.60k	dstBuf = NULL;
136
137		/* Prevent the code above from being optimized out. This test should never
138		be true, but the compiler doesn't know that. */
139	2.60k	if (sum > ((1LL << precision) - 1LL) * 1048576LL * tjPixelSize[pf])
140	0	goto bailout;
141	2.60k	}
142
143	6.81k	bailout:
144	6.81k	free(dstBuf);
145	6.81k	tj3Destroy(handle);
146	6.81k	return 0;
147	5.20k	}

Coverage Report

Created: 2023-06-07 06:03