/src/fuzz_advanced_api.c

Source (jump to first uncovered line)
// Copyright 2018 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

#include "fuzz.h"
#include "webp/decode.h"

int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
  WebPDecoderConfig config;
  if (!WebPInitDecoderConfig(&config)) return 0;
  if (WebPGetFeatures(data, size, &config.input) != VP8_STATUS_OK) return 0;
  if ((size_t)config.input.width * config.input.height > kFuzzPxLimit) return 0;

  // Using two independent criteria ensures that all combinations of options
  // can reach each path at the decoding stage, with meaningful differences.

  const uint8_t value = FuzzHash(data, size);
  const float factor = value / 255.f;  // 0-1

  config.options.flip = value & 1;
  config.options.bypass_filtering = value & 2;
  config.options.no_fancy_upsampling = value & 4;
  config.options.use_threads = value & 8;
  if (size & 1) {
    config.options.use_cropping = 1;
    config.options.crop_width = (int)(config.input.width * (1 - factor));
    config.options.crop_height = (int)(config.input.height * (1 - factor));
    config.options.crop_left = config.input.width - config.options.crop_width;
    config.options.crop_top = config.input.height - config.options.crop_height;
  }
  if (size & 2) {
    int strength = (int)(factor * 100);
    config.options.dithering_strength = strength;
    config.options.alpha_dithering_strength = 100 - strength;
  }
  if (size & 4) {
    config.options.use_scaling = 1;
    config.options.scaled_width = (int)(config.input.width * factor * 2);
    config.options.scaled_height = (int)(config.input.height * factor * 2);
  }

  config.output.colorspace = (WEBP_CSP_MODE)(value % MODE_LAST);

  if (size % 3) {
    // Decodes incrementally in chunks of increasing size.
    WebPIDecoder* idec = WebPIDecode(NULL, 0, &config);
    if (!idec) return 0;
    VP8StatusCode status;
    if (size & 8) {
      size_t available_size = value + 1;
      while (1) {
        if (available_size > size) available_size = size;
        status = WebPIUpdate(idec, data, available_size);
        if (status != VP8_STATUS_SUSPENDED || available_size == size) break;
        available_size *= 2;
      }
    } else {
      // WebPIAppend expects new data and its size with each call.
      // Implemented here by simply advancing the pointer into data.
      const uint8_t* new_data = data;
      size_t new_size = value + 1;
      while (1) {
        if (new_data + new_size > data + size) {
          new_size = data + size - new_data;
        }
        status = WebPIAppend(idec, new_data, new_size);
        if (status != VP8_STATUS_SUSPENDED || new_size == 0) break;
        new_data += new_size;
        new_size *= 2;
      }
    }
    WebPIDelete(idec);
  } else {
    WebPDecode(data, size, &config);
  }

  WebPFreeDecBuffer(&config.output);
  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		// Copyright 2018 Google Inc.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// http://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14		//
15		////////////////////////////////////////////////////////////////////////////////
16
17		#include "fuzz.h"
18		#include "webp/decode.h"
19
20	5.27k	int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
21	5.27k	WebPDecoderConfig config;
22	5.27k	if (!WebPInitDecoderConfig(&config)) return 0;
23	5.27k	if (WebPGetFeatures(data, size, &config.input) != VP8_STATUS_OK) return 0;
24	4.85k	if ((size_t)config.input.width * config.input.height > kFuzzPxLimit) return 0;
25	4.81k
26	4.81k	// Using two independent criteria ensures that all combinations of options
27	4.81k	// can reach each path at the decoding stage, with meaningful differences.
28	4.81k
29	4.81k	const uint8_t value = FuzzHash(data, size);
30	4.81k	const float factor = value / 255.f; // 0-1
31	4.81k
32	4.81k	config.options.flip = value & 1;
33	4.81k	config.options.bypass_filtering = value & 2;
34	4.81k	config.options.no_fancy_upsampling = value & 4;
35	4.81k	config.options.use_threads = value & 8;
36	4.81k	if (size & 1) {
37	1.61k	config.options.use_cropping = 1;
38	1.61k	config.options.crop_width = (int)(config.input.width * (1 - factor));
39	1.61k	config.options.crop_height = (int)(config.input.height * (1 - factor));
40	1.61k	config.options.crop_left = config.input.width - config.options.crop_width;
41	1.61k	config.options.crop_top = config.input.height - config.options.crop_height;
42	1.61k	}
43	4.81k	if (size & 2) {
44	2.30k	int strength = (int)(factor * 100);
45	2.30k	config.options.dithering_strength = strength;
46	2.30k	config.options.alpha_dithering_strength = 100 - strength;
47	2.30k	}
48	4.81k	if (size & 4) {
49	2.83k	config.options.use_scaling = 1;
50	2.83k	config.options.scaled_width = (int)(config.input.width * factor * 2);
51	2.83k	config.options.scaled_height = (int)(config.input.height * factor * 2);
52	2.83k	}
53	4.81k
54	4.81k	config.output.colorspace = (WEBP_CSP_MODE)(value % MODE_LAST);
55	4.81k
56	4.81k	if (size % 3) {
57	3.43k	// Decodes incrementally in chunks of increasing size.
58	3.43k	WebPIDecoder* idec = WebPIDecode(NULL, 0, &config);
59	3.43k	if (!idec) return 0;
60	3.43k	VP8StatusCode status;
61	3.43k	if (size & 8) {
62	1.59k	size_t available_size = value + 1;
63	3.30k	while (1) {
64	3.30k	if (available_size > size) available_size = size;
65	3.30k	status = WebPIUpdate(idec, data, available_size);
66	3.30k	if (status != VP8_STATUS_SUSPENDED \|\| available_size == size) break;
67	1.71k	available_size *= 2;
68	1.71k	}
69	1.84k	} else {
70	1.84k	// WebPIAppend expects new data and its size with each call.
71	1.84k	// Implemented here by simply advancing the pointer into data.
72	1.84k	const uint8_t* new_data = data;
73	1.84k	size_t new_size = value + 1;
74	6.20k	while (1) {
75	6.20k	if (new_data + new_size > data + size) {
76	2.57k	new_size = data + size - new_data;
77	2.57k	}
78	6.20k	status = WebPIAppend(idec, new_data, new_size);
79	6.20k	if (status != VP8_STATUS_SUSPENDED \|\| new_size == 0) break;
80	4.36k	new_data += new_size;
81	4.36k	new_size *= 2;
82	4.36k	}
83	1.84k	}
84	3.43k	WebPIDelete(idec);
85	3.43k	} else {
86	1.38k	WebPDecode(data, size, &config);
87	1.38k	}
88	4.81k
89	4.81k	WebPFreeDecBuffer(&config.output);
90	4.81k	return 0;
91	4.81k	}

Coverage Report

Created: 2018-12-03 14:26