/src/libpng/contrib/oss-fuzz/libpng_read_fuzzer.cc
// libpng_read_fuzzer.cc
// Copyright 2017-2018 Glenn Randers-Pehrson
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that may
// be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE
// The modifications in 2017 by Glenn Randers-Pehrson include
// 1. addition of a PNG_CLEANUP macro,
// 2. setting the option to ignore ADLER32 checksums,
// 3. adding "#include <string.h>" which is needed on some platforms
//    to provide memcpy().
// 4. adding read_end_info() and creating an end_info structure.
// 5. adding calls to png_set_*() transforms commonly used by browsers.
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <vector>
#define PNG_INTERNAL
#include "png.h"
#include "nalloc.h"
// Release everything the fuzzer attached to png_handler and reset its
// pointers, so that the PngObjectHandler destructor has nothing left to
// free. nalloc_end() is always called, even when no png_struct exists.
//
// This expands to a bare statement sequence: call sites write `PNG_CLEANUP`
// with no trailing semicolon inside a braced block, so it is deliberately
// NOT wrapped in do { } while (0). Only use it inside braces.
#define PNG_CLEANUP \
  nalloc_end(); \
  if (png_handler.png_ptr) \
  { \
    if (png_handler.row_ptr) \
    { \
      png_free(png_handler.png_ptr, png_handler.row_ptr); \
      png_handler.row_ptr = nullptr; \
    } \
    if (png_handler.end_info_ptr) \
      png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr, \
          &png_handler.end_info_ptr); \
    else if (png_handler.info_ptr) \
      png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr, \
          nullptr); \
    else \
      png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \
    png_handler.png_ptr = nullptr; \
    png_handler.info_ptr = nullptr; \
    png_handler.end_info_ptr = nullptr; \
  }
// Read cursor over the fuzz input that user_read_data() consumes; it is
// advanced on every libpng read. Owned by PngObjectHandler, which deletes it
// in its destructor.
struct BufState {
  const uint8_t* data;  // next unread byte of the input
  size_t bytes_left;    // bytes remaining from `data` to the end of the input
};
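// Owns the libpng read state of one fuzz iteration and releases whatever is
// still attached when it goes out of scope. In the normal flow PNG_CLEANUP has
// already freed row_ptr, destroyed the structs and nulled the pointers, so the
// destructor is only the fallback for paths that leave without it. It is also
// the only place buf_state is deleted; PNG_CLEANUP does not touch it.
//
// The destructor frees raw owning pointers, so an accidental copy would end in
// a double free; copy construction and assignment are therefore disabled
// (which also suppresses the implicit move operations).
struct PngObjectHandler {
  png_infop info_ptr = nullptr;
  png_structp png_ptr = nullptr;
  png_infop end_info_ptr = nullptr;
  png_voidp row_ptr = nullptr;
  BufState* buf_state = nullptr;

  PngObjectHandler() = default;
  PngObjectHandler(const PngObjectHandler&) = delete;
  PngObjectHandler& operator=(const PngObjectHandler&) = delete;

  ~PngObjectHandler() {
    // The row buffer came from png_malloc(), so it must go back through
    // png_free() before the png_struct that owns the allocator is destroyed.
    if (row_ptr)
      png_free(png_ptr, row_ptr);
    // Destroy only the info structs that were actually created.
    if (end_info_ptr)
      png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr);
    else if (info_ptr)
      png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
    else
      png_destroy_read_struct(&png_ptr, nullptr, nullptr);
    delete buf_state;
  }
};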
// libpng read callback: copies the next `length` bytes of the fuzz input into
// `data` and advances the BufState cursor, or raises a libpng "read error"
// when the input is exhausted.
//
// png_error() is expected not to return (libpng longjmps to the handler that
// LLVMFuzzerTestOneInput installs with setjmp(png_jmpbuf(...))), which is why
// the copy below can be unconditional; the coverage counts confirm the memcpy
// line is reached only on the non-error path.
void user_read_data(png_structp png_ptr, png_bytep data, size_t length) {
  BufState* cursor = static_cast<BufState*>(png_get_io_ptr(png_ptr));
  if (cursor->bytes_left < length)
    png_error(png_ptr, "read error");
  memcpy(data, cursor->data, length);
  cursor->data += length;
  cursor->bytes_left -= length;
}
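// Upper bound, in bytes, on a single allocation served by limited_malloc().
// The value was chosen to match libpng's default png_user_chunk_malloc_max.
static const png_alloc_size_t kMaxAllocBytes = 8000000;

// Allocator installed with png_set_mem_fn(). libpng may allocate large
// amounts of memory that the fuzzer reports as an error; to silence those
// reports, requests above kMaxAllocBytes are refused by returning nullptr
// instead of being honored, so libpng fails the allocation itself. This
// allocator used to be in the Chromium version of this fuzzer.
//
// The png_structp argument is unused. Returns a malloc()'d block of `size`
// bytes, or nullptr when the request exceeds the cap.
void* limited_malloc(png_structp, png_alloc_size_t size) {
  if (size > kMaxAllocBytes)
    return nullptr;

  return malloc(size);
}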
// Deallocator paired with limited_malloc() via png_set_mem_fn(); hands the
// block straight back to the C heap. The png_structp argument is unused and
// `ptr` may be null (free() accepts it).
void default_free(png_structp, png_voidp ptr) {
  free(ptr);
}
// Length of the PNG signature in bytes. The harness checks it itself with
// png_sig_cmp() and then tells libpng to skip it via png_set_sig_bytes().
static const int kPngHeaderSize = 8;
// Entry point for LibFuzzer.
// Roughly follows the libpng book example:
// http://www.libpng.org/pub/png/book/chapter13.html
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  // One fuzz iteration: validate the signature, decode the input once through
  // the row-based read API with browser-like transforms, release everything
  // via PNG_CLEANUP, then (if compiled in) decode it again through the
  // simplified png_image API. Every libpng error longjmps to one of the two
  // setjmp() sites below, which clean up and return.

  // Too short to even hold the 8-byte PNG signature.
  if (size < kPngHeaderSize) {
    return 0;
  }
  // NOTE(review): nalloc_init() runs before the signature check, but the two
  // early returns that follow (not a PNG, png_create_read_struct failure)
  // leave without the nalloc_end() that PNG_CLEANUP performs. Whether nalloc
  // needs init/end pairing is not visible from here (nalloc.h) -- confirm.
  nalloc_init(nullptr);

  std::vector<unsigned char> v(data, data + size);
  if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) {
    // not a PNG.
    return 0;
  }

  // From here on png_handler owns the libpng state. PNG_CLEANUP releases it
  // on every exit path below; the destructor is the fallback.
  PngObjectHandler png_handler;
  png_handler.png_ptr = nullptr;      // These four assignments repeat the
  png_handler.row_ptr = nullptr;      // default member initializers of
  png_handler.info_ptr = nullptr;     // PngObjectHandler; kept as-is.
  png_handler.end_info_ptr = nullptr;

  // No user error/warning callbacks are installed, so errors go through
  // libpng's default handler, i.e. longjmp to the setjmp() sites below.
  png_handler.png_ptr = png_create_read_struct
    (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr);
  if (!png_handler.png_ptr) {
    return 0;
  }

  nalloc_start(data, size);
  png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr);
  if (!png_handler.info_ptr) {
    PNG_CLEANUP
    return 0;
  }

  // Separate info struct for the chunks after IDAT, filled by png_read_end().
  png_handler.end_info_ptr = png_create_info_struct(png_handler.png_ptr);
  if (!png_handler.end_info_ptr) {
    PNG_CLEANUP
    return 0;
  }

  // Use a custom allocator that fails for large allocations to avoid OOM.
  // Note that this applies only to png_handler.png_ptr, not to the simplified
  // API read at the end of this function.
  png_set_mem_fn(png_handler.png_ptr, nullptr, limited_malloc, default_free);

  // Relax CRC checking for both critical and ancillary chunks (see libpng's
  // png_set_crc_action) and, when the build supports it, ignore the zlib
  // ADLER32 checksum, so a corrupted checksum does not stop the fuzzer before
  // the input reaches the decoder.
  png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
#ifdef PNG_IGNORE_ADLER32
  png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON);
#endif

  // Setting up reading from buffer. The signature was verified above, so the
  // cursor starts just past it and libpng is told those bytes are consumed.
  png_handler.buf_state = new BufState();
  png_handler.buf_state->data = data + kPngHeaderSize;
  png_handler.buf_state->bytes_left = size - kPngHeaderSize;
  png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data);
  png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize);

  // Error handler for png_read_info(): any libpng error (including the
  // "read error" raised by user_read_data()) lands here; clean up and stop.
  if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
    PNG_CLEANUP
    return 0;
  }

  // Reading.
  png_read_info(png_handler.png_ptr, png_handler.info_ptr);

  // Re-arm the error handler for the rest of the read. (The earlier comment
  // here referred to a "png_deleter"; it is PNG_CLEANUP that runs now.)
  if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
    PNG_CLEANUP
    return 0;
  }

  png_uint_32 width, height;
  int bit_depth, color_type, interlace_type, compression_type;
  int filter_type;

  // Only width and height are used below; the other outputs are required by
  // the png_get_IHDR() signature.
  if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width,
                    &height, &bit_depth, &color_type, &interlace_type,
                    &compression_type, &filter_type)) {
    PNG_CLEANUP
    return 0;
  }

  // This is going to be too slow: cap the pixel count at 1e8. The division
  // form avoids overflowing width * height in png_uint_32.
  if (width && height > 100000000 / width) {
    PNG_CLEANUP
    return 0;
  }

  // Set several transforms that browsers typically use:
  png_set_gray_to_rgb(png_handler.png_ptr);
  png_set_expand(png_handler.png_ptr);
  png_set_packing(png_handler.png_ptr);
  png_set_scale_16(png_handler.png_ptr);
  png_set_tRNS_to_alpha(png_handler.png_ptr);

  // The row loop below reads every row once per pass.
  int passes = png_set_interlace_handling(png_handler.png_ptr);

  // Recompute the row geometry after the transforms so png_get_rowbytes()
  // sizes the row buffer for the transformed output.
  png_read_update_info(png_handler.png_ptr, png_handler.info_ptr);

  // One row buffer, reused for every row. No null check: png_malloc() is
  // expected to raise a libpng error (longjmp) on failure rather than return
  // NULL -- confirm against the libpng version in use.
  // NOTE(review): row_ptr is assigned after the second setjmp() and read by
  // PNG_CLEANUP after a longjmp; the C standard makes such non-volatile locals
  // indeterminate, although in practice png_handler stays in memory because
  // its address escapes to libpng.
  png_handler.row_ptr = png_malloc(
      png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr,
                                            png_handler.info_ptr));

  for (int pass = 0; pass < passes; ++pass) {
    for (png_uint_32 y = 0; y < height; ++y) {
      png_read_row(png_handler.png_ptr,
                   static_cast<png_bytep>(png_handler.row_ptr), nullptr);
    }
  }

  // Read the chunks that follow IDAT into end_info_ptr.
  png_read_end(png_handler.png_ptr, png_handler.end_info_ptr);

  PNG_CLEANUP

#ifdef PNG_SIMPLIFIED_READ_SUPPORTED
  // Simplified READ API: decode the same input a second time through
  // png_image_*. The png_struct that carried limited_malloc was destroyed by
  // PNG_CLEANUP above, so that allocation cap is not in effect here; the
  // 1e8-pixel cap still holds because this point is only reached after the
  // full read of the same IHDR succeeded.
  png_image image;
  memset(&image, 0, (sizeof image));
  image.version = PNG_IMAGE_VERSION;

  if (!png_image_begin_read_from_memory(&image, data, size)) {
    return 0;
  }

  // Request 8-bit RGBA; PNG_IMAGE_SIZE() then gives the buffer size for that
  // format (at most ~400 MB given the pixel cap). The result of
  // png_image_finish_read() is deliberately ignored: per png.h it releases
  // image.opaque on both success and failure, so no png_image_free() is
  // needed here -- confirm against the libpng version in use.
  image.format = PNG_FORMAT_RGBA;
  std::vector<png_byte> buffer(PNG_IMAGE_SIZE(image));
  png_image_finish_read(&image, NULL, buffer.data(), 0, NULL);
#endif

  return 0;
}