/src/libjpeg-turbo.2.1.x/fuzz/decompress_yuv.cc
Line  | Count  | Source (jump to first uncovered line)  | 
1  |  | /*  | 
2  |  |  * Copyright (C)2021, 2023 D. R. Commander.  All Rights Reserved.  | 
3  |  |  *  | 
4  |  |  * Redistribution and use in source and binary forms, with or without  | 
5  |  |  * modification, are permitted provided that the following conditions are met:  | 
6  |  |  *  | 
7  |  |  * - Redistributions of source code must retain the above copyright notice,  | 
8  |  |  *   this list of conditions and the following disclaimer.  | 
9  |  |  * - Redistributions in binary form must reproduce the above copyright notice,  | 
10  |  |  *   this list of conditions and the following disclaimer in the documentation  | 
11  |  |  *   and/or other materials provided with the distribution.  | 
12  |  |  * - Neither the name of the libjpeg-turbo Project nor the names of its  | 
13  |  |  *   contributors may be used to endorse or promote products derived from this  | 
14  |  |  *   software without specific prior written permission.  | 
15  |  |  *  | 
16  |  |  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",  | 
17  |  |  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE  | 
18  |  |  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE  | 
19  |  |  * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE  | 
20  |  |  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR  | 
21  |  |  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF  | 
22  |  |  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS  | 
23  |  |  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN  | 
24  |  |  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)  | 
25  |  |  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE  | 
26  |  |  * POSSIBILITY OF SUCH DAMAGE.  | 
27  |  |  */  | 
28  |  |  | 
29  |  | #include <turbojpeg.h>  | 
30  |  | #include <stdlib.h>  | 
31  |  | #include <stdint.h>  | 
32  |  |  | 
33  |  |  | 
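#define NUMPF  3


/*
 * libFuzzer entry point for the TurboJPEG YUV decompression path.
 *
 * The untrusted JPEG image in data[0..size) is decompressed to a planar YUV
 * buffer with tjDecompressToYUV2() and then decoded to packed pixels with
 * tjDecodeYUV(), once per entry in pixelFormats[].  Every output byte is read
 * afterwards so that MemorySanitizer can report uninitialized output.
 *
 * data  fuzzer-supplied input, treated as a complete JPEG image
 * size  number of bytes in data
 *
 * Always returns 0.  Malformed input is an expected outcome, so every failure
 * simply falls through to the cleanup code at the bailout label.
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
  tjhandle handle = NULL;
  unsigned char *dstBuf = NULL, *yuvBuf = NULL;
  int width = 0, height = 0, jpegSubsamp, jpegColorspace, pfi;
  /* TJPF_RGB-TJPF_BGR share the same code paths, as do TJPF_RGBX-TJPF_XRGB and
     TJPF_RGBA-TJPF_ARGB.  Thus, the pixel formats below should be the minimum
     necessary to achieve full coverage. */
  enum TJPF pixelFormats[NUMPF] =
    { TJPF_BGR, TJPF_XRGB, TJPF_GRAY };
  /* The feature test is nested so that a compiler without __has_feature never
     has to parse the function-like invocation on the inner line. */
#if defined(__has_feature)
#if __has_feature(memory_sanitizer)
  /* putenv() stores the pointer it is given instead of copying the string, so
     the buffer has to outlive this call (CERT POS34-C).  With automatic
     storage, the environment would keep pointing into a dead stack frame
     after this function returns. */
  static char env[] = "JSIMD_FORCENONE=1";

  /* The libjpeg-turbo SIMD extensions produce false positives with
     MemorySanitizer. */
  putenv(env);
#endif
#endif

  if ((handle = tjInitDecompress()) == NULL)
    goto bailout;

  if (tjDecompressHeader3(handle, data, size, &width, &height, &jpegSubsamp,
                          &jpegColorspace) < 0)
    goto bailout;

  /* Ignore 0-pixel images and images larger than 1 Megapixel.  Casting width
     to (uint64_t) prevents integer overflow if width * height > INT_MAX.
     This cap is also what keeps the buffer sizes computed below small: the
     harness never allocates more than 1048576 * tjPixelSize[pf] output
     bytes, whatever dimensions the header declares. */
  if (width < 1 || height < 1 || (uint64_t)width * height > 1048576)
    goto bailout;

  for (pfi = 0; pfi < NUMPF; pfi++) {
    /* TJFLAG_LIMITSCANS is set on every iteration so that inputs with a very
       large number of progressive scans are rejected by the library rather
       than stalling the fuzzer. */
    int pf = pixelFormats[pfi], flags = TJFLAG_LIMITSCANS, sum = 0;
    int w = width, h = height;
    size_t dstSize, i;
    unsigned long yuvSize;

    /* Test non-default decompression options on the first iteration. */
    if (pfi == 0)
      flags |= TJFLAG_BOTTOMUP | TJFLAG_FASTUPSAMPLE | TJFLAG_FASTDCT;
    /* Test IDCT scaling on the second iteration. */
    else if (pfi == 1) {
      w = (width + 3) / 4;
      h = (height + 3) / 4;
    }

    /* Compute the packed-pixel size once, in size_t, and reuse it for both the
       allocation and the read-back loop so that the two cannot disagree. */
    dstSize = (size_t)w * h * tjPixelSize[pf];
    if ((dstBuf = (unsigned char *)malloc(dstSize)) == NULL)
      goto bailout;

    /* tjBufSizeYUV2() reports bad arguments as (unsigned long)-1.  Reject that
       value explicitly instead of relying on malloc() to refuse the request. */
    yuvSize = tjBufSizeYUV2(w, 1, h, jpegSubsamp);
    if (yuvSize == (unsigned long)-1)
      goto bailout;
    if ((yuvBuf = (unsigned char *)malloc(yuvSize)) == NULL)
      goto bailout;

    /* Both stages must succeed before dstBuf is read; a failure in either one
       leaves the output undefined, so stop processing this input. */
    if (tjDecompressToYUV2(handle, data, size, yuvBuf, w, 1, h, flags) != 0)
      goto bailout;
    if (tjDecodeYUV(handle, yuvBuf, 1, jpegSubsamp, dstBuf, w, 0, h, pf,
                    flags) != 0)
      goto bailout;

    /* Touch all of the output pixels in order to catch uninitialized reads
       when using MemorySanitizer. */
    for (i = 0; i < dstSize; i++)
      sum += dstBuf[i];

    /* Reset the pointers after freeing so that the cleanup code at bailout
       cannot free them a second time. */
    free(dstBuf);
    dstBuf = NULL;
    free(yuvBuf);
    yuvBuf = NULL;

    /* Prevent the code above from being optimized out.  This test should never
       be true, but the compiler doesn't know that. */
    if (sum > 255 * 1048576 * tjPixelSize[pf])
      goto bailout;
  }

bailout:
  /* Single cleanup path: free(NULL) is a no-op, so this is safe no matter
     which step failed. */
  free(dstBuf);
  free(yuvBuf);
  if (handle) tjDestroy(handle);
  return 0;
}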