/src/libwebp/tests/fuzzer/advanced_api_fuzzer.cc

Source
// Copyright 2018 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <string_view>

#include "./fuzz_utils.h"
#include "gtest/gtest.h"
#include "src/dec/webpi_dec.h"
#include "src/utils/rescaler_utils.h"
#include "webp/decode.h"

namespace {

void AdvancedApiTest(std::string_view blob, uint8_t factor_u8, int colorspace,
                     bool incremental,
                     const fuzz_utils::WebPDecoderOptionsCpp& decoder_options) {
  WebPDecoderConfig config;
  if (!WebPInitDecoderConfig(&config)) return;
  const uint8_t* const data = reinterpret_cast<const uint8_t*>(blob.data());
  const size_t size = blob.size();
  if (WebPGetFeatures(data, size, &config.input) != VP8_STATUS_OK) return;
  if ((size_t)config.input.width * config.input.height >
      fuzz_utils::kFuzzPxLimit) {
    return;
  }

  // Using two independent criteria ensures that all combinations of options
  // can reach each path at the decoding stage, with meaningful differences.

  const uint8_t value = fuzz_utils::FuzzHash(data, size);
  const float factor = factor_u8 / 255.f;  // 0-1

  std::memcpy(&config.options, &decoder_options, sizeof(decoder_options));
  if (config.options.use_cropping) {
    config.options.crop_width = (int)(config.input.width * (1 - factor));
    config.options.crop_height = (int)(config.input.height * (1 - factor));
    config.options.crop_left = config.input.width - config.options.crop_width;
    config.options.crop_top = config.input.height - config.options.crop_height;
  }
  if (config.options.use_scaling) {
    config.options.scaled_width = (int)(config.input.width * factor * 2);
    config.options.scaled_height = (int)(config.input.height * factor * 2);
  }
  config.output.colorspace = static_cast<WEBP_CSP_MODE>(colorspace);

  for (int i = 0; i < 2; ++i) {
    if (i == 1) {
      // Use the bitstream data to generate extreme ranges for the options. An
      // alternative approach would be to use a custom corpus containing webp
      // files prepended with sizeof(config.options) zeroes to allow the fuzzer
      // to modify these independently.
      const int data_offset = 50;
      if (data_offset + sizeof(config.options) >= size) break;
      memcpy(&config.options, data + data_offset, sizeof(config.options));

      // Skip easily avoidable out-of-memory fuzzing errors.
      if (config.options.use_scaling) {
        int input_width = config.input.width;
        int input_height = config.input.height;
        if (config.options.use_cropping) {
          const int cw = config.options.crop_width;
          const int ch = config.options.crop_height;
          const int x = config.options.crop_left & ~1;
          const int y = config.options.crop_top & ~1;
          if (WebPCheckCropDimensions(input_width, input_height, x, y, cw,
                                      ch)) {
            input_width = cw;
            input_height = ch;
          }
        }

        int scaled_width = config.options.scaled_width;
        int scaled_height = config.options.scaled_height;
        if (WebPRescalerGetScaledDimensions(input_width, input_height,
                                            &scaled_width, &scaled_height)) {
          size_t fuzz_px_limit = fuzz_utils::kFuzzPxLimit;
          if (scaled_width != config.input.width ||
              scaled_height != config.input.height) {
            // Using the WebPRescalerImport internally can significantly slow
            // down the execution. Avoid timeouts due to that.
            fuzz_px_limit /= 2;
          }
          // A big output canvas can lead to out-of-memory and timeout issues,
          // but a big internal working buffer can too. Also, rescaling from a
          // very wide input image to a very tall canvas can be as slow as
          // decoding a huge number of pixels. Avoid timeouts due to these.
          const uint64_t max_num_operations =
              (uint64_t)std::max(scaled_width, config.input.width) *
              std::max(scaled_height, config.input.height);
          if (max_num_operations > fuzz_px_limit) {
            break;
          }
        }
      }
    }
    if (incremental) {
      // Decodes incrementally in chunks of increasing size.
      WebPIDecoder* idec = WebPIDecode(NULL, 0, &config);
      if (!idec) return;
      VP8StatusCode status;
      if (size & 8) {
        size_t available_size = value + 1;
        while (1) {
          if (available_size > size) available_size = size;
          status = WebPIUpdate(idec, data, available_size);
          if (status != VP8_STATUS_SUSPENDED || available_size == size) break;
          available_size *= 2;
        }
      } else {
        // WebPIAppend expects new data and its size with each call.
        // Implemented here by simply advancing the pointer into data.
        const uint8_t* new_data = data;
        size_t new_size = value + 1;
        while (1) {
          if (new_data + new_size > data + size) {
            new_size = data + size - new_data;
          }
          status = WebPIAppend(idec, new_data, new_size);
          if (status != VP8_STATUS_SUSPENDED || new_size == 0) break;
          new_data += new_size;
          new_size *= 2;
        }
      }
      WebPIDelete(idec);
    } else {
      (void)WebPDecode(data, size, &config);
    }

    WebPFreeDecBuffer(&config.output);
  }
}

}  // namespace

FUZZ_TEST(AdvancedApi, AdvancedApiTest)
    .WithDomains(fuzztest::String().WithMaxSize(fuzz_utils::kMaxWebPFileSize +
                                                1),
                 /*factor_u8=*/fuzztest::Arbitrary<uint8_t>(),
#if defined(WEBP_REDUCE_CSP)
                 fuzztest::ElementOf<int>({static_cast<int>(MODE_RGBA),
                                           static_cast<int>(MODE_BGRA),
                                           static_cast<int>(MODE_rgbA),
                                           static_cast<int>(MODE_bgrA)}),
#else
                 fuzztest::InRange<int>(0, static_cast<int>(MODE_LAST) - 1),
#endif
                 /*incremental=*/fuzztest::Arbitrary<bool>(),
                 fuzz_utils::ArbitraryValidWebPDecoderOptions());

TEST(AdvancedApi, Buganizer498966235) {
  AdvancedApiTest(
      std::string(
          "RIFF\014|"
          "\000\000WEBPVP8X\n\000\000\000\020\000\000D\002\000\000\017\000\000A"
          "LPH5\000\000\000\004\327\000\000\000\000\000\000c8\345S\000\243\000"
          "\253c\311\000\027\000\000\000\200\000\000\000\000\240\"AE\001\000"
          "\000\0008<"
          "ALP\010\000s\002\000\000\000\000\000\000\000\000\000ALPH\000\000\000"
          "\000VP8 "
          "(\000\000\000\224\001\000\235\001*\003\000\020\000\003,\000~"
          "\342\000\000se\002ionR\265Vq\302M}\"webp\"r\010\003\000\020#"
          "\366\356\002\323\220\000 "
          "\212N@\000\026\327A\367\266\201\201\"IFF@\"RIFF\"&\226!"
          "VP\n8Rg\000\0001\"\335\"I\"XEBP\"\002\002\"\367\\x0\203\203\203\341"
          "\341l,\203\\sectiqncJUN=\"sectistre\\x9D\\x01\\x2A\"JUKQ\"",
          257),
      68, 3, true,
      fuzz_utils::WebPDecoderOptionsCpp{
          0, 0, 1, 5, 10, 5, 9, 0, 1, 3, 0, 72, 0, 83, {0, 0, 0, 0, 0}});
}

Line	Count	Source
1		// Copyright 2018 Google Inc.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// http://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14		//
15		////////////////////////////////////////////////////////////////////////////////
16
17		#include <algorithm>
18		#include <cstddef>
19		#include <cstdint>
20		#include <cstring>
21		#include <string>
22		#include <string_view>
23
24		#include "./fuzz_utils.h"
25		#include "gtest/gtest.h"
26		#include "src/dec/webpi_dec.h"
27		#include "src/utils/rescaler_utils.h"
28		#include "webp/decode.h"
29
30		namespace {
31
32		void AdvancedApiTest(std::string_view blob, uint8_t factor_u8, int colorspace,
33		bool incremental,
34	8.89k	const fuzz_utils::WebPDecoderOptionsCpp& decoder_options) {
35	8.89k	WebPDecoderConfig config;
36	8.89k	if (!WebPInitDecoderConfig(&config)) return;
37	8.89k	const uint8_t* const data = reinterpret_cast<const uint8_t*>(blob.data());
38	8.89k	const size_t size = blob.size();
39	8.89k	if (WebPGetFeatures(data, size, &config.input) != VP8_STATUS_OK) return;
40	8.82k	if ((size_t)config.input.width * config.input.height >
41	8.82k	fuzz_utils::kFuzzPxLimit) {
42	7	return;
43	7	}
44
45		// Using two independent criteria ensures that all combinations of options
46		// can reach each path at the decoding stage, with meaningful differences.
47
48	8.81k	const uint8_t value = fuzz_utils::FuzzHash(data, size);
49	8.81k	const float factor = factor_u8 / 255.f; // 0-1
50
51	8.81k	std::memcpy(&config.options, &decoder_options, sizeof(decoder_options));
52	8.81k	if (config.options.use_cropping) {
53	4.66k	config.options.crop_width = (int)(config.input.width * (1 - factor));
54	4.66k	config.options.crop_height = (int)(config.input.height * (1 - factor));
55	4.66k	config.options.crop_left = config.input.width - config.options.crop_width;
56	4.66k	config.options.crop_top = config.input.height - config.options.crop_height;
57	4.66k	}
58	8.81k	if (config.options.use_scaling) {
59	4.12k	config.options.scaled_width = (int)(config.input.width * factor * 2);
60	4.12k	config.options.scaled_height = (int)(config.input.height * factor * 2);
61	4.12k	}
62	8.81k	config.output.colorspace = static_cast<WEBP_CSP_MODE>(colorspace);
63
64	18.9k	for (int i = 0; i < 2; ++i) {
65	17.6k	if (i == 1) {
66		// Use the bitstream data to generate extreme ranges for the options. An
67		// alternative approach would be to use a custom corpus containing webp
68		// files prepended with sizeof(config.options) zeroes to allow the fuzzer
69		// to modify these independently.
70	8.81k	const int data_offset = 50;
71	8.81k	if (data_offset + sizeof(config.options) >= size) break;
72	1.55k	memcpy(&config.options, data + data_offset, sizeof(config.options));
73
74		// Skip easily avoidable out-of-memory fuzzing errors.
75	1.55k	if (config.options.use_scaling) {
76	919	int input_width = config.input.width;
77	919	int input_height = config.input.height;
78	919	if (config.options.use_cropping) {
79	746	const int cw = config.options.crop_width;
80	746	const int ch = config.options.crop_height;
81	746	const int x = config.options.crop_left & ~1;
82	746	const int y = config.options.crop_top & ~1;
83	746	if (WebPCheckCropDimensions(input_width, input_height, x, y, cw,
84	746	ch)) {
85	8	input_width = cw;
86	8	input_height = ch;
87	8	}
88	746	}
89
90	919	int scaled_width = config.options.scaled_width;
91	919	int scaled_height = config.options.scaled_height;
92	919	if (WebPRescalerGetScaledDimensions(input_width, input_height,
93	919	&scaled_width, &scaled_height)) {
94	323	size_t fuzz_px_limit = fuzz_utils::kFuzzPxLimit;
95	323	if (scaled_width != config.input.width \|\|
96	321	scaled_height != config.input.height) {
97		// Using the WebPRescalerImport internally can significantly slow
98		// down the execution. Avoid timeouts due to that.
99	321	fuzz_px_limit /= 2;
100	321	}
101		// A big output canvas can lead to out-of-memory and timeout issues,
102		// but a big internal working buffer can too. Also, rescaling from a
103		// very wide input image to a very tall canvas can be as slow as
104		// decoding a huge number of pixels. Avoid timeouts due to these.
105	323	const uint64_t max_num_operations =
106	323	(uint64_t)std::max(scaled_width, config.input.width) *
107	323	std::max(scaled_height, config.input.height);
108	323	if (max_num_operations > fuzz_px_limit) {
109	195	break;
110	195	}
111	323	}
112	919	}
113	1.55k	}
114	10.1k	if (incremental) {
115		// Decodes incrementally in chunks of increasing size.
116	4.81k	WebPIDecoder* idec = WebPIDecode(NULL, 0, &config);
117	4.81k	if (!idec) return;
118	4.81k	VP8StatusCode status;
119	4.81k	if (size & 8) {
120	2.77k	size_t available_size = value + 1;
121	4.54k	while (1) {
122	4.54k	if (available_size > size) available_size = size;
123	4.54k	status = WebPIUpdate(idec, data, available_size);
124	4.54k	if (status != VP8_STATUS_SUSPENDED \|\| available_size == size) break;
125	1.77k	available_size *= 2;
126	1.77k	}
127	2.77k	} else {
128		// WebPIAppend expects new data and its size with each call.
129		// Implemented here by simply advancing the pointer into data.
130	2.04k	const uint8_t* new_data = data;
131	2.04k	size_t new_size = value + 1;
132	6.13k	while (1) {
133	6.13k	if (new_data + new_size > data + size) {
134	2.93k	new_size = data + size - new_data;
135	2.93k	}
136	6.13k	status = WebPIAppend(idec, new_data, new_size);
137	6.13k	if (status != VP8_STATUS_SUSPENDED \|\| new_size == 0) break;
138	4.09k	new_data += new_size;
139	4.09k	new_size *= 2;
140	4.09k	}
141	2.04k	}
142	4.81k	WebPIDelete(idec);
143	5.36k	} else {
144	5.36k	(void)WebPDecode(data, size, &config);
145	5.36k	}
146
147	10.1k	WebPFreeDecBuffer(&config.output);
148	10.1k	}
149	8.81k	}
150
151		} // namespace
152
153		FUZZ_TEST(AdvancedApi, AdvancedApiTest)
154		.WithDomains(fuzztest::String().WithMaxSize(fuzz_utils::kMaxWebPFileSize +
155		1),
156		/factor_u8=/fuzztest::Arbitrary<uint8_t>(),
157		#if defined(WEBP_REDUCE_CSP)
158		fuzztest::ElementOf<int>({static_cast<int>(MODE_RGBA),
159		static_cast<int>(MODE_BGRA),
160		static_cast<int>(MODE_rgbA),
161		static_cast<int>(MODE_bgrA)}),
162		#else
163		fuzztest::InRange<int>(0, static_cast<int>(MODE_LAST) - 1),
164		#endif
165		/incremental=/fuzztest::Arbitrary<bool>(),
166		fuzz_utils::ArbitraryValidWebPDecoderOptions());
167
168	0	TEST(AdvancedApi, Buganizer498966235) {
169	0	AdvancedApiTest(
170	0	std::string(
171	0	"RIFF\014\|"
172	0	"\000\000WEBPVP8X\n\000\000\000\020\000\000D\002\000\000\017\000\000A"
173	0	"LPH5\000\000\000\004\327\000\000\000\000\000\000c8\345S\000\243\000"
174	0	"\253c\311\000\027\000\000\000\200\000\000\000\000\240\"AE\001\000"
175	0	"\000\0008<"
176	0	"ALP\010\000s\002\000\000\000\000\000\000\000\000\000ALPH\000\000\000"
177	0	"\000VP8 "
178	0	"(\000\000\000\224\001\000\235\001*\003\000\020\000\003,\000~"
179	0	"\342\000\000se\002ionR\265Vq\302M}\"webp\"r\010\003\000\020#"
180	0	"\366\356\002\323\220\000 "
181	0	"\212N@\000\026\327A\367\266\201\201\"IFF@\"RIFF\"&\226!"
182	0	"VP\n8Rg\000\0001\"\335\"I\"XEBP\"\002\002\"\367\\x0\203\203\203\341"
183	0	"\341l,\203\\sectiqncJUN=\"sectistre\\x9D\\x01\\x2A\"JUKQ\"",
184	0	257),
185	0	68, 3, true,
186	0	fuzz_utils::WebPDecoderOptionsCpp{
187	0	0, 0, 1, 5, 10, 5, 9, 0, 1, 3, 0, 72, 0, 83, {0, 0, 0, 0, 0}});
188	0	}

Coverage Report

Created: 2026-05-23 06:56