/src/libjpeg-turbo.2.1.x/fuzz/compress.cc
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C)2021 D. R. Commander. All Rights Reserved. |
3 | | * |
4 | | * Redistribution and use in source and binary forms, with or without |
5 | | * modification, are permitted provided that the following conditions are met: |
6 | | * |
7 | | * - Redistributions of source code must retain the above copyright notice, |
8 | | * this list of conditions and the following disclaimer. |
9 | | * - Redistributions in binary form must reproduce the above copyright notice, |
10 | | * this list of conditions and the following disclaimer in the documentation |
11 | | * and/or other materials provided with the distribution. |
12 | | * - Neither the name of the libjpeg-turbo Project nor the names of its |
13 | | * contributors may be used to endorse or promote products derived from this |
14 | | * software without specific prior written permission. |
15 | | * |
16 | | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS", |
17 | | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
18 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
19 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE |
20 | | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
21 | | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
22 | | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
23 | | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
24 | | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
25 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
26 | | * POSSIBILITY OF SUCH DAMAGE. |
27 | | */ |
28 | | |
29 | | #include <turbojpeg.h> |
30 | | #include <stdio.h> |
31 | | #include <stdlib.h> |
32 | | #include <stdint.h> |
33 | | #include <string.h> |
34 | | #include <unistd.h> |
35 | | |
36 | | |
37 | 44.9k | #define NUMTESTS 7 |
38 | | /* Private flag that triggers different TurboJPEG API behavior when fuzzing */ |
39 | 39.3k | #define TJFLAG_FUZZING (1 << 30) |
40 | | |
41 | | |
42 | | struct test { |
43 | | enum TJPF pf; |
44 | | enum TJSAMP subsamp; |
45 | | int quality; |
46 | | }; |
47 | | |
48 | | |
49 | | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) |
50 | 5.62k | { |
51 | 5.62k | tjhandle handle = NULL; |
52 | 5.62k | unsigned char *srcBuf = NULL, *dstBuf = NULL; |
53 | 5.62k | int width = 0, height = 0, fd = -1, i, ti; |
54 | 5.62k | char filename[FILENAME_MAX] = { 0 }; |
55 | 5.62k | struct test tests[NUMTESTS] = { |
56 | 5.62k | { TJPF_RGB, TJSAMP_444, 100 }, |
57 | 5.62k | { TJPF_BGR, TJSAMP_422, 90 }, |
58 | 5.62k | { TJPF_RGBX, TJSAMP_420, 80 }, |
59 | 5.62k | { TJPF_BGRA, TJSAMP_411, 70 }, |
60 | 5.62k | { TJPF_XRGB, TJSAMP_GRAY, 60 }, |
61 | 5.62k | { TJPF_GRAY, TJSAMP_GRAY, 50 }, |
62 | 5.62k | { TJPF_CMYK, TJSAMP_440, 40 } |
63 | 5.62k | }; |
64 | | #if defined(__has_feature) && __has_feature(memory_sanitizer) |
65 | | char env[18] = "JSIMD_FORCENONE=1"; |
66 | | |
67 | | /* The libjpeg-turbo SIMD extensions produce false positives with |
68 | | MemorySanitizer. */ |
69 | | putenv(env); |
70 | | #endif |
71 | | |
72 | 5.62k | snprintf(filename, FILENAME_MAX, "/tmp/libjpeg-turbo_compress_fuzz.XXXXXX"); |
73 | 5.62k | if ((fd = mkstemp(filename)) < 0 || write(fd, data, size) < 0) |
74 | 0 | goto bailout; |
75 | | |
76 | 5.62k | if ((handle = tjInitCompress()) == NULL) |
77 | 0 | goto bailout; |
78 | | |
79 | 44.9k | for (ti = 0; ti < NUMTESTS; ti++) { |
80 | 39.3k | int flags = TJFLAG_FUZZING, sum = 0, pf = tests[ti].pf; |
81 | 39.3k | unsigned long dstSize = 0, maxBufSize; |
82 | | |
83 | | /* Test non-default compression options on specific iterations. */ |
84 | 39.3k | if (ti == 0) |
85 | 5.62k | flags |= TJFLAG_BOTTOMUP | TJFLAG_ACCURATEDCT; |
86 | 33.7k | else if (ti == 1) |
87 | 5.62k | flags |= TJFLAG_PROGRESSIVE; |
88 | 39.3k | if (ti != 2) |
89 | 33.7k | flags |= TJFLAG_NOREALLOC; |
90 | | |
91 | | /* tjLoadImage() refuses to load images larger than 1 Megapixel when |
92 | | FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is defined (yes, that's a dirty |
93 | | hack), so we don't need to check the width and height here. */ |
94 | 39.3k | if ((srcBuf = tjLoadImage(filename, &width, 1, &height, &pf, |
95 | 39.3k | flags)) == NULL) |
96 | 25.6k | continue; |
97 | | |
98 | 13.6k | maxBufSize = tjBufSize(width, height, tests[ti].subsamp); |
99 | 13.6k | if (flags & TJFLAG_NOREALLOC) { |
100 | 11.6k | if ((dstBuf = (unsigned char *)malloc(maxBufSize)) == NULL) |
101 | 0 | goto bailout; |
102 | 11.6k | } else |
103 | 2.00k | dstBuf = NULL; |
104 | | |
105 | 13.6k | if (tjCompress2(handle, srcBuf, width, 0, height, pf, &dstBuf, &dstSize, |
106 | 13.6k | tests[ti].subsamp, tests[ti].quality, flags) == 0) { |
107 | | /* Touch all of the output pixels in order to catch uninitialized reads |
108 | | when using MemorySanitizer. */ |
109 | 120M | for (i = 0; i < dstSize; i++) |
110 | 120M | sum += dstBuf[i]; |
111 | 13.5k | } |
112 | | |
113 | 13.6k | free(dstBuf); |
114 | 13.6k | dstBuf = NULL; |
115 | 13.6k | tjFree(srcBuf); |
116 | 13.6k | srcBuf = NULL; |
117 | | |
118 | | /* Prevent the code above from being optimized out. This test should never |
119 | | be true, but the compiler doesn't know that. */ |
120 | 13.6k | if (sum > 255 * maxBufSize) |
121 | 0 | goto bailout; |
122 | 13.6k | } |
123 | | |
124 | 5.62k | bailout: |
125 | 5.62k | free(dstBuf); |
126 | 5.62k | tjFree(srcBuf); |
127 | 5.62k | if (fd >= 0) { |
128 | 5.62k | close(fd); |
129 | 5.62k | if (strlen(filename) > 0) unlink(filename); |
130 | 5.62k | } |
131 | 5.62k | if (handle) tjDestroy(handle); |
132 | 5.62k | return 0; |
133 | 5.62k | } |