/src/libjpeg-turbo.dev/fuzz/compress12.cc

Source
/*
 * Copyright (C)2021, 2023-2026 D. R. Commander.  All Rights Reserved.
 * Copyright (C)2025 Leslie P. Polzer.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 * - Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 * - Neither the name of the libjpeg-turbo Project nor the names of its
 *   contributors may be used to endorse or promote products derived from this
 *   software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include "../src/turbojpeg.h"
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

extern "C" short *
_tj3LoadImageFromFileHandle12(tjhandle handle, FILE *file, int *width,
                              int align, int *height, int *pixelFormat);


#define NUMTESTS  7


struct test {
  int bottomUp;
  enum TJPF pf;
  int colorspace;
  enum TJSAMP subsamp;
  int fastDCT, quality, progressive, arithmetic, noRealloc, restartRows;
};


extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
  tjhandle handle = NULL;
  short *imgBuf = NULL, *srcBuf;
  unsigned char *dstBuf = NULL;
  int width = 0, height = 0, ti;
  FILE *file = NULL;
  struct test tests[NUMTESTS] = {
    /*
      BU Pixel      JPEG        Subsampling  Fst Qual Prg Ari No    Rst
         Format     Colorspace  Level        DCT              Realc Rows */
    { 0, TJPF_RGB,  TJCS_YCbCr, TJSAMP_444,  1,  100, 0,  0,  1,    0    },
    { 0, TJPF_BGR,  TJCS_YCbCr, TJSAMP_422,  0,  90,  0,  0,  0,    0    },
    { 0, TJPF_RGBX, TJCS_RGB,   TJSAMP_420,  0,  75,  0,  1,  0,    1    },
    { 0, TJPF_BGRA, TJCS_YCbCr, TJSAMP_411,  0,  50,  0,  0,  0,    0    },
    { 0, TJPF_XRGB, TJCS_GRAY,  TJSAMP_GRAY, 0,  25,  0,  0,  0,    0    },
    { 0, TJPF_GRAY, TJCS_GRAY,  TJSAMP_GRAY, 0,  10,  1,  0,  0,    0    },
    { 1, TJPF_CMYK, TJCS_YCCK,  TJSAMP_440,  0,  1,   1,  1,  0,    1    }
  };

  if ((file = fmemopen((void *)data, size, "r")) == NULL)
    goto bailout;

  if ((handle = tj3Init(TJINIT_COMPRESS)) == NULL)
    goto bailout;

  for (ti = 0; ti < NUMTESTS; ti++) {
    int pf = tests[ti].pf;
    size_t dstSize = 0, maxBufSize, i, sum = 0;

    /* Test non-default compression options on specific iterations. */
    tj3Set(handle, TJPARAM_BOTTOMUP, tests[ti].bottomUp);
    tj3Set(handle, TJPARAM_COLORSPACE, tests[ti].colorspace);
    tj3Set(handle, TJPARAM_FASTDCT, tests[ti].fastDCT);
    tj3Set(handle, TJPARAM_PROGRESSIVE, tests[ti].progressive);
    tj3Set(handle, TJPARAM_ARITHMETIC, tests[ti].arithmetic);
    tj3Set(handle, TJPARAM_NOREALLOC, tests[ti].noRealloc);
    tj3Set(handle, TJPARAM_RESTARTROWS, tests[ti].restartRows);

    tj3Set(handle, TJPARAM_MAXPIXELS, 1048576);
    /* tj3LoadImage12() will refuse to load images larger than 1 Megapixel, so
       we don't need to check the width and height here. */
    fseek(file, 0, SEEK_SET);
    if ((imgBuf = _tj3LoadImageFromFileHandle12(handle, file, &width, 1,
                                                &height, &pf)) == NULL) {
      if (size < 2)
        continue;

      /* Derive image dimensions from input data.  Use first 2 bytes to
         influence width/height. */
      width = (data[0] % 64) + 8;   /* 8-71 */
      height = (data[1] % 64) + 8;  /* 8-71 */

      size_t required_size = 2 + (size_t)width * height *
                             tjPixelSize[tests[ti].pf] * 2;
      if (size < required_size) {
        /* Not enough data - try smaller dimensions */
        width = 8;
        height = 8;
        required_size = 2 + (size_t)width * height *
                        tjPixelSize[tests[ti].pf] * 2;
        if (size < required_size)
          continue;
      }

      /* Skip header bytes. */
      srcBuf = (short *)(data + 2);
    } else
      srcBuf = imgBuf;

    dstSize = maxBufSize = tj3JPEGBufSize(width, height, tests[ti].subsamp);
    if (tj3Get(handle, TJPARAM_NOREALLOC)) {
      if ((dstBuf = (unsigned char *)tj3Alloc(dstSize)) == NULL)
        goto bailout;
    } else
      dstBuf = NULL;

    if (size >= 34)
      tj3SetICCProfile(handle, (unsigned char *)&data[2], 32);

    tj3Set(handle, TJPARAM_SUBSAMP, tests[ti].subsamp);
    tj3Set(handle, TJPARAM_QUALITY, tests[ti].quality);
    if (tj3Compress12(handle, srcBuf, width, 0, height, pf, &dstBuf,
                      &dstSize) == 0) {
      /* Touch all of the output data in order to catch uninitialized reads
         when using MemorySanitizer. */
      for (i = 0; i < dstSize; i++)
        sum += dstBuf[i];
    }

    tj3Free(dstBuf);
    dstBuf = NULL;
    tj3Free(imgBuf);
    imgBuf = NULL;

    /* Prevent the sum above from being optimized out.  This test should never
       be true, but the compiler doesn't know that. */
    if (sum > 255 * maxBufSize)
      goto bailout;
  }

bailout:
  tj3Free(dstBuf);
  tj3Free(imgBuf);
  if (file) fclose(file);
  tj3Destroy(handle);
  return 0;
}

Line	Count	Source
1		/*
2		* Copyright (C)2021, 2023-2026 D. R. Commander. All Rights Reserved.
3		* Copyright (C)2025 Leslie P. Polzer. All Rights Reserved.
4		*
5		* Redistribution and use in source and binary forms, with or without
6		* modification, are permitted provided that the following conditions are met:
7		*
8		* - Redistributions of source code must retain the above copyright notice,
9		* this list of conditions and the following disclaimer.
10		* - Redistributions in binary form must reproduce the above copyright notice,
11		* this list of conditions and the following disclaimer in the documentation
12		* and/or other materials provided with the distribution.
13		* - Neither the name of the libjpeg-turbo Project nor the names of its
14		* contributors may be used to endorse or promote products derived from this
15		* software without specific prior written permission.
16		*
17		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
18		* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20		* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
21		* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22		* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23		* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24		* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25		* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26		* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27		* POSSIBILITY OF SUCH DAMAGE.
28		*/
29
30		#include "../src/turbojpeg.h"
31		#include <stdio.h>
32		#include <stdlib.h>
33		#include <stdint.h>
34		#include <string.h>
35		#include <unistd.h>
36
37		extern "C" short *
38		_tj3LoadImageFromFileHandle12(tjhandle handle, FILE file, int width,
39		int align, int height, int pixelFormat);
40
41
42	22.1k	#define NUMTESTS 7
43
44
45		struct test {
46		int bottomUp;
47		enum TJPF pf;
48		int colorspace;
49		enum TJSAMP subsamp;
50		int fastDCT, quality, progressive, arithmetic, noRealloc, restartRows;
51		};
52
53
54		extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
55	2.76k	{
56	2.76k	tjhandle handle = NULL;
57	2.76k	short imgBuf = NULL, srcBuf;
58	2.76k	unsigned char *dstBuf = NULL;
59	2.76k	int width = 0, height = 0, ti;
60	2.76k	FILE *file = NULL;
61	2.76k	struct test tests[NUMTESTS] = {
62		/*
63		BU Pixel JPEG Subsampling Fst Qual Prg Ari No Rst
64		Format Colorspace Level DCT Realc Rows */
65	2.76k	{ 0, TJPF_RGB, TJCS_YCbCr, TJSAMP_444, 1, 100, 0, 0, 1, 0 },
66	2.76k	{ 0, TJPF_BGR, TJCS_YCbCr, TJSAMP_422, 0, 90, 0, 0, 0, 0 },
67	2.76k	{ 0, TJPF_RGBX, TJCS_RGB, TJSAMP_420, 0, 75, 0, 1, 0, 1 },
68	2.76k	{ 0, TJPF_BGRA, TJCS_YCbCr, TJSAMP_411, 0, 50, 0, 0, 0, 0 },
69	2.76k	{ 0, TJPF_XRGB, TJCS_GRAY, TJSAMP_GRAY, 0, 25, 0, 0, 0, 0 },
70	2.76k	{ 0, TJPF_GRAY, TJCS_GRAY, TJSAMP_GRAY, 0, 10, 1, 0, 0, 0 },
71	2.76k	{ 1, TJPF_CMYK, TJCS_YCCK, TJSAMP_440, 0, 1, 1, 1, 0, 1 }
72	2.76k	};
73
74	2.76k	if ((file = fmemopen((void *)data, size, "r")) == NULL)
75	0	goto bailout;
76
77	2.76k	if ((handle = tj3Init(TJINIT_COMPRESS)) == NULL)
78	0	goto bailout;
79
80	22.1k	for (ti = 0; ti < NUMTESTS; ti++) {
81	19.3k	int pf = tests[ti].pf;
82	19.3k	size_t dstSize = 0, maxBufSize, i, sum = 0;
83
84		/* Test non-default compression options on specific iterations. */
85	19.3k	tj3Set(handle, TJPARAM_BOTTOMUP, tests[ti].bottomUp);
86	19.3k	tj3Set(handle, TJPARAM_COLORSPACE, tests[ti].colorspace);
87	19.3k	tj3Set(handle, TJPARAM_FASTDCT, tests[ti].fastDCT);
88	19.3k	tj3Set(handle, TJPARAM_PROGRESSIVE, tests[ti].progressive);
89	19.3k	tj3Set(handle, TJPARAM_ARITHMETIC, tests[ti].arithmetic);
90	19.3k	tj3Set(handle, TJPARAM_NOREALLOC, tests[ti].noRealloc);
91	19.3k	tj3Set(handle, TJPARAM_RESTARTROWS, tests[ti].restartRows);
92
93	19.3k	tj3Set(handle, TJPARAM_MAXPIXELS, 1048576);
94		/* tj3LoadImage12() will refuse to load images larger than 1 Megapixel, so
95		we don't need to check the width and height here. */
96	19.3k	fseek(file, 0, SEEK_SET);
97	19.3k	if ((imgBuf = _tj3LoadImageFromFileHandle12(handle, file, &width, 1,
98	19.3k	&height, &pf)) == NULL) {
99	9.11k	if (size < 2)
100	112	continue;
101
102		/* Derive image dimensions from input data. Use first 2 bytes to
103		influence width/height. */
104	9.00k	width = (data[0] % 64) + 8; /* 8-71 */
105	9.00k	height = (data[1] % 64) + 8; /* 8-71 */
106
107	9.00k	size_t required_size = 2 + (size_t)width * height *
108	9.00k	tjPixelSize[tests[ti].pf] * 2;
109	9.00k	if (size < required_size) {
110		/* Not enough data - try smaller dimensions */
111	8.29k	width = 8;
112	8.29k	height = 8;
113	8.29k	required_size = 2 + (size_t)width * height *
114	8.29k	tjPixelSize[tests[ti].pf] * 2;
115	8.29k	if (size < required_size)
116	7.43k	continue;
117	8.29k	}
118
119		/* Skip header bytes. */
120	1.56k	srcBuf = (short *)(data + 2);
121	1.56k	} else
122	10.2k	srcBuf = imgBuf;
123
124	11.8k	dstSize = maxBufSize = tj3JPEGBufSize(width, height, tests[ti].subsamp);
125	11.8k	if (tj3Get(handle, TJPARAM_NOREALLOC)) {
126	1.70k	if ((dstBuf = (unsigned char *)tj3Alloc(dstSize)) == NULL)
127	0	goto bailout;
128	1.70k	} else
129	10.1k	dstBuf = NULL;
130
131	11.8k	if (size >= 34)
132	9.51k	tj3SetICCProfile(handle, (unsigned char *)&data[2], 32);
133
134	11.8k	tj3Set(handle, TJPARAM_SUBSAMP, tests[ti].subsamp);
135	11.8k	tj3Set(handle, TJPARAM_QUALITY, tests[ti].quality);
136	11.8k	if (tj3Compress12(handle, srcBuf, width, 0, height, pf, &dstBuf,
137	11.8k	&dstSize) == 0) {
138		/* Touch all of the output data in order to catch uninitialized reads
139		when using MemorySanitizer. */
140	259M	for (i = 0; i < dstSize; i++)
141	259M	sum += dstBuf[i];
142	11.7k	}
143
144	11.8k	tj3Free(dstBuf);
145	11.8k	dstBuf = NULL;
146	11.8k	tj3Free(imgBuf);
147	11.8k	imgBuf = NULL;
148
149		/* Prevent the sum above from being optimized out. This test should never
150		be true, but the compiler doesn't know that. */
151	11.8k	if (sum > 255 * maxBufSize)
152	0	goto bailout;
153	11.8k	}
154
155	2.76k	bailout:
156	2.76k	tj3Free(dstBuf);
157	2.76k	tj3Free(imgBuf);
158	2.76k	if (file) fclose(file);
159	2.76k	tj3Destroy(handle);
160	2.76k	return 0;
161	2.76k	}

Coverage Report

Created: 2026-01-25 06:04