/src/libjpeg-turbo.main/fuzz/compress.cc
Line | Count | Source |
1 | | /* |
2 | | * Copyright (C)2021, 2023-2026 D. R. Commander. All Rights Reserved. |
3 | | * Copyright (C)2025 Leslie P. Polzer. All Rights Reserved. |
4 | | * |
5 | | * Redistribution and use in source and binary forms, with or without |
6 | | * modification, are permitted provided that the following conditions are met: |
7 | | * |
8 | | * - Redistributions of source code must retain the above copyright notice, |
9 | | * this list of conditions and the following disclaimer. |
10 | | * - Redistributions in binary form must reproduce the above copyright notice, |
11 | | * this list of conditions and the following disclaimer in the documentation |
12 | | * and/or other materials provided with the distribution. |
13 | | * - Neither the name of the libjpeg-turbo Project nor the names of its |
14 | | * contributors may be used to endorse or promote products derived from this |
15 | | * software without specific prior written permission. |
16 | | * |
17 | | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS", |
18 | | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
19 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
20 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE |
21 | | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
22 | | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
23 | | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
24 | | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
25 | | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
26 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
27 | | * POSSIBILITY OF SUCH DAMAGE. |
28 | | */ |
29 | | |
30 | | #include "../src/turbojpeg.h" |
31 | | #include <stdio.h> |
32 | | #include <stdlib.h> |
33 | | #include <stdint.h> |
34 | | #include <string.h> |
35 | | #include <unistd.h> |
36 | | |
37 | | extern "C" unsigned char * |
38 | | _tj3LoadImageFromFileHandle8(tjhandle handle, FILE *file, int *width, |
39 | | int align, int *height, int *pixelFormat); |
40 | | |
41 | | |
42 | 27.1k | #define NUMTESTS 7 |
43 | | |
44 | | |
45 | | struct test { |
46 | | int bottomUp; |
47 | | enum TJPF pf; |
48 | | int colorspace; |
49 | | enum TJSAMP subsamp; |
50 | | int fastDCT, quality, optimize, progressive, arithmetic, noRealloc, |
51 | | restartRows; |
52 | | }; |
53 | | |
54 | | |
55 | | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) |
56 | 3.38k | { |
57 | 3.38k | tjhandle handle = NULL; |
58 | 3.38k | unsigned char *imgBuf = NULL, *srcBuf, *dstBuf = NULL; |
59 | 3.38k | int width = 0, height = 0, ti; |
60 | 3.38k | FILE *file = NULL; |
61 | 3.38k | struct test tests[NUMTESTS] = { |
62 | | /* |
63 | | BU Pixel JPEG Subsampling Fst Qual Opt Prg Ari No Rst |
64 | | Format Colorspace Level DCT Realc Rows */ |
65 | 3.38k | { 1, TJPF_RGB, TJCS_RGB, TJSAMP_444, 0, 100, 0, 0, 0, 0, 2 }, |
66 | 3.38k | { 0, TJPF_BGR, TJCS_YCbCr, TJSAMP_422, 0, 90, 0, 1, 0, 0, 0 }, |
67 | 3.38k | { 0, TJPF_RGBX, TJCS_YCbCr, TJSAMP_420, 1, 75, 0, 0, 1, 1, 0 }, |
68 | 3.38k | { 0, TJPF_BGRA, TJCS_YCbCr, TJSAMP_411, 0, 50, 0, 1, 1, 0, 0 }, |
69 | 3.38k | { 0, TJPF_XRGB, TJCS_GRAY, TJSAMP_GRAY, 0, 25, 0, 0, 0, 0, 0 }, |
70 | 3.38k | { 0, TJPF_GRAY, TJCS_GRAY, TJSAMP_GRAY, 0, 10, 0, 0, 0, 0, 0 }, |
71 | 3.38k | { 0, TJPF_CMYK, TJCS_YCCK, TJSAMP_440, 0, 1, 1, 0, 0, 0, 2 } |
72 | 3.38k | }; |
73 | | |
74 | 3.38k | if ((file = fmemopen((void *)data, size, "r")) == NULL) |
75 | 0 | goto bailout; |
76 | | |
77 | 3.38k | if ((handle = tj3Init(TJINIT_COMPRESS)) == NULL) |
78 | 0 | goto bailout; |
79 | | |
80 | 27.1k | for (ti = 0; ti < NUMTESTS; ti++) { |
81 | 23.7k | int pf = tests[ti].pf; |
82 | 23.7k | size_t dstSize = 0, maxBufSize, i, sum = 0; |
83 | | |
84 | | /* Test non-default compression options on specific iterations. */ |
85 | 23.7k | tj3Set(handle, TJPARAM_BOTTOMUP, tests[ti].bottomUp); |
86 | 23.7k | tj3Set(handle, TJPARAM_COLORSPACE, tests[ti].colorspace); |
87 | 23.7k | tj3Set(handle, TJPARAM_FASTDCT, tests[ti].fastDCT); |
88 | 23.7k | tj3Set(handle, TJPARAM_OPTIMIZE, tests[ti].optimize); |
89 | 23.7k | tj3Set(handle, TJPARAM_PROGRESSIVE, tests[ti].progressive); |
90 | 23.7k | tj3Set(handle, TJPARAM_ARITHMETIC, tests[ti].arithmetic); |
91 | 23.7k | tj3Set(handle, TJPARAM_NOREALLOC, tests[ti].noRealloc); |
92 | 23.7k | tj3Set(handle, TJPARAM_RESTARTROWS, tests[ti].restartRows); |
93 | | |
94 | 23.7k | tj3Set(handle, TJPARAM_MAXPIXELS, 1048576); |
95 | | /* tj3LoadImage8() will refuse to load images larger than 1 Megapixel, so |
96 | | we don't need to check the width and height here. */ |
97 | 23.7k | fseek(file, 0, SEEK_SET); |
98 | 23.7k | if ((imgBuf = _tj3LoadImageFromFileHandle8(handle, file, &width, 1, |
99 | 23.7k | &height, &pf)) == NULL) { |
100 | 13.5k | if (size < 2) |
101 | 126 | continue; |
102 | | |
103 | | /* Derive image dimensions from input data. Use first 2 bytes to |
104 | | influence width/height. */ |
105 | 13.4k | width = (data[0] % 64) + 8; /* 8-71 */ |
106 | 13.4k | height = (data[1] % 64) + 8; /* 8-71 */ |
107 | | |
108 | 13.4k | size_t required_size = 2 + (size_t)width * height * |
109 | 13.4k | tjPixelSize[tests[ti].pf]; |
110 | 13.4k | if (size < required_size) { |
111 | | /* Not enough data - try smaller dimensions */ |
112 | 12.5k | width = 8; |
113 | 12.5k | height = 8; |
114 | 12.5k | required_size = 2 + (size_t)width * height * |
115 | 12.5k | tjPixelSize[tests[ti].pf]; |
116 | 12.5k | if (size < required_size) |
117 | 11.1k | continue; |
118 | 12.5k | } |
119 | | |
120 | | /* Skip header bytes. */ |
121 | 2.30k | srcBuf = (unsigned char *)data + 2; |
122 | 2.30k | } else |
123 | 10.1k | srcBuf = imgBuf; |
124 | | |
125 | 12.4k | dstSize = maxBufSize = tj3JPEGBufSize(width, height, tests[ti].subsamp); |
126 | 12.4k | if (tj3Get(handle, TJPARAM_NOREALLOC)) { |
127 | 1.74k | if ((dstBuf = (unsigned char *)tj3Alloc(dstSize)) == NULL) |
128 | 0 | goto bailout; |
129 | 1.74k | } else |
130 | 10.6k | dstBuf = NULL; |
131 | | |
132 | 12.4k | if (size >= 34) |
133 | 10.0k | tj3SetICCProfile(handle, (unsigned char *)&data[2], 32); |
134 | | |
135 | 12.4k | tj3Set(handle, TJPARAM_SUBSAMP, tests[ti].subsamp); |
136 | 12.4k | tj3Set(handle, TJPARAM_QUALITY, tests[ti].quality); |
137 | 12.4k | if (tj3Compress8(handle, srcBuf, width, 0, height, pf, &dstBuf, |
138 | 12.4k | &dstSize) == 0) { |
139 | | /* Touch all of the output data in order to catch uninitialized reads |
140 | | when using MemorySanitizer. */ |
141 | 364M | for (i = 0; i < dstSize; i++) |
142 | 364M | sum += dstBuf[i]; |
143 | 12.3k | } |
144 | | |
145 | 12.4k | tj3Free(dstBuf); |
146 | 12.4k | dstBuf = NULL; |
147 | 12.4k | tj3Free(imgBuf); |
148 | 12.4k | imgBuf = NULL; |
149 | | |
150 | | /* Prevent the sum above from being optimized out. This test should never |
151 | | be true, but the compiler doesn't know that. */ |
152 | 12.4k | if (sum > 255 * maxBufSize) |
153 | 0 | goto bailout; |
154 | 12.4k | } |
155 | | |
156 | 3.38k | bailout: |
157 | 3.38k | tj3Free(dstBuf); |
158 | 3.38k | tj3Free(imgBuf); |
159 | 3.38k | if (file) fclose(file); |
160 | 3.38k | tj3Destroy(handle); |
161 | 3.38k | return 0; |
162 | 3.38k | } |