/src/libwebp/tests/fuzzer/animation_api_fuzzer.cc

Source
// Copyright 2018 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

#include <cstddef>
#include <cstdint>
#include <string>
#include <string_view>

#include "./fuzz_utils.h"
#include "gtest/gtest.h"
#include "webp/decode.h"
#include "webp/demux.h"
#include "webp/mux_types.h"

namespace {

void AnimationApiTest(std::string_view blob, bool use_threads,
                      WEBP_CSP_MODE color_mode) {
  const size_t size = blob.size();
  WebPData webp_data;
  WebPDataInit(&webp_data);
  webp_data.size = size;
  webp_data.bytes = reinterpret_cast<const uint8_t*>(blob.data());

  // WebPAnimDecoderNew uses WebPDemux internally to calloc canvas size.
  WebPDemuxer* const demux = WebPDemux(&webp_data);
  if (!demux) return;
  const uint32_t cw = WebPDemuxGetI(demux, WEBP_FF_CANVAS_WIDTH);
  const uint32_t ch = WebPDemuxGetI(demux, WEBP_FF_CANVAS_HEIGHT);
  if ((size_t)cw * ch > fuzz_utils::kFuzzPxLimit) {
    WebPDemuxDelete(demux);
    return;
  }

  // In addition to canvas size, check each frame separately.
  WebPIterator iter;
  for (int i = 0; i < fuzz_utils::kFuzzFrameLimit; i++) {
    if (!WebPDemuxGetFrame(demux, i + 1, &iter)) break;
    int w, h;
    if (WebPGetInfo(iter.fragment.bytes, iter.fragment.size, &w, &h)) {
      if ((size_t)w * h >
          fuzz_utils::kFuzzPxLimit) {  // image size of the frame payload
        WebPDemuxReleaseIterator(&iter);
        WebPDemuxDelete(demux);
        return;
      }
    }
  }

  WebPDemuxReleaseIterator(&iter);
  WebPDemuxDelete(demux);

  WebPAnimDecoderOptions dec_options;
  if (!WebPAnimDecoderOptionsInit(&dec_options)) return;

  dec_options.use_threads = use_threads;
  dec_options.color_mode = color_mode;

  WebPAnimDecoder* dec = WebPAnimDecoderNew(&webp_data, &dec_options);
  if (!dec) return;

  for (int i = 0; i < fuzz_utils::kFuzzFrameLimit; i++) {
    uint8_t* buf;
    int timestamp;
    if (!WebPAnimDecoderGetNext(dec, &buf, &timestamp)) break;
  }

  WebPAnimDecoderDelete(dec);
}

}  // namespace

FUZZ_TEST(AnimationApi, AnimationApiTest)
    .WithDomains(fuzztest::String().WithMaxSize(fuzz_utils::kMaxWebPFileSize +
                                                1),
                 /*use_threads=*/fuzztest::Arbitrary<bool>(),
                 // Animations only support 4 (out of 12) modes.
                 fuzztest::ElementOf<WEBP_CSP_MODE>({MODE_RGBA, MODE_BGRA,
                                                     MODE_rgbA, MODE_bgrA}));

TEST(AnimationApi, Buganizer498965803) {
  AnimationApiTest(
      std::string("ALPH\000\000\000\000\000\000\000\000\021\000\000\000\t\305"
                  "\006d\301\013\177\000\000webp\034\205\000#@VP8 "
                  "!\000\000\000v\003\000\235\001*\007\200\"\000\0020("
                  "\000\377\377\377\003\000\000\000\311\311\311\311\311\311\311"
                  "\311\311\311\311\311\311\311\311\311\311\311\311\311\311\211"
                  "\311\311\311\311\311\030\030\030\030\030\030\311\311",
                  98),
      false, static_cast<WEBP_CSP_MODE>(1));
}

Line	Count	Source
1		// Copyright 2018 Google Inc.
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// http://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14		//
15		////////////////////////////////////////////////////////////////////////////////
16
17		#include <cstddef>
18		#include <cstdint>
19		#include <string>
20		#include <string_view>
21
22		#include "./fuzz_utils.h"
23		#include "gtest/gtest.h"
24		#include "webp/decode.h"
25		#include "webp/demux.h"
26		#include "webp/mux_types.h"
27
28		namespace {
29
30		void AnimationApiTest(std::string_view blob, bool use_threads,
31	4.02k	WEBP_CSP_MODE color_mode) {
32	4.02k	const size_t size = blob.size();
33	4.02k	WebPData webp_data;
34	4.02k	WebPDataInit(&webp_data);
35	4.02k	webp_data.size = size;
36	4.02k	webp_data.bytes = reinterpret_cast<const uint8_t*>(blob.data());
37
38		// WebPAnimDecoderNew uses WebPDemux internally to calloc canvas size.
39	4.02k	WebPDemuxer* const demux = WebPDemux(&webp_data);
40	4.02k	if (!demux) return;
41	3.82k	const uint32_t cw = WebPDemuxGetI(demux, WEBP_FF_CANVAS_WIDTH);
42	3.82k	const uint32_t ch = WebPDemuxGetI(demux, WEBP_FF_CANVAS_HEIGHT);
43	3.82k	if ((size_t)cw * ch > fuzz_utils::kFuzzPxLimit) {
44	12	WebPDemuxDelete(demux);
45	12	return;
46	12	}
47
48		// In addition to canvas size, check each frame separately.
49	3.81k	WebPIterator iter;
50	7.62k	for (int i = 0; i < fuzz_utils::kFuzzFrameLimit; i++) {
51	7.62k	if (!WebPDemuxGetFrame(demux, i + 1, &iter)) break;
52	3.81k	int w, h;
53	3.81k	if (WebPGetInfo(iter.fragment.bytes, iter.fragment.size, &w, &h)) {
54	3.81k	if ((size_t)w * h >
55	3.81k	fuzz_utils::kFuzzPxLimit) { // image size of the frame payload
56	0	WebPDemuxReleaseIterator(&iter);
57	0	WebPDemuxDelete(demux);
58	0	return;
59	0	}
60	3.81k	}
61	3.81k	}
62
63	3.81k	WebPDemuxReleaseIterator(&iter);
64	3.81k	WebPDemuxDelete(demux);
65
66	3.81k	WebPAnimDecoderOptions dec_options;
67	3.81k	if (!WebPAnimDecoderOptionsInit(&dec_options)) return;
68
69	3.81k	dec_options.use_threads = use_threads;
70	3.81k	dec_options.color_mode = color_mode;
71
72	3.81k	WebPAnimDecoder* dec = WebPAnimDecoderNew(&webp_data, &dec_options);
73	3.81k	if (!dec) return;
74
75	4.58k	for (int i = 0; i < fuzz_utils::kFuzzFrameLimit; i++) {
76	4.58k	uint8_t* buf;
77	4.58k	int timestamp;
78	4.58k	if (!WebPAnimDecoderGetNext(dec, &buf, &timestamp)) break;
79	4.58k	}
80
81	3.81k	WebPAnimDecoderDelete(dec);
82	3.81k	}
83
84		} // namespace
85
86		FUZZ_TEST(AnimationApi, AnimationApiTest)
87		.WithDomains(fuzztest::String().WithMaxSize(fuzz_utils::kMaxWebPFileSize +
88		1),
89		/use_threads=/fuzztest::Arbitrary<bool>(),
90		// Animations only support 4 (out of 12) modes.
91		fuzztest::ElementOf<WEBP_CSP_MODE>({MODE_RGBA, MODE_BGRA,
92		MODE_rgbA, MODE_bgrA}));
93
94	0	TEST(AnimationApi, Buganizer498965803) {
95	0	AnimationApiTest(
96	0	std::string("ALPH\000\000\000\000\000\000\000\000\021\000\000\000\t\305"
97	0	"\006d\301\013\177\000\000webp\034\205\000#@VP8 "
98	0	"!\000\000\000v\003\000\235\001*\007\200\"\000\0020("
99	0	"\000\377\377\377\003\000\000\000\311\311\311\311\311\311\311"
100	0	"\311\311\311\311\311\311\311\311\311\311\311\311\311\311\211"
101	0	"\311\311\311\311\311\030\030\030\030\030\030\311\311",
102	0	98),
103	0	false, static_cast<WEBP_CSP_MODE>(1));
104	0	}

Coverage Report

Created: 2026-06-10 06:43