Fuzz introspector: spng_write_fuzzer
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

| Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch |
|---|---|---|---|---|---|---|---|
| 968 | 968 | 5: ['read_non_idat_chunks', 'is_critical_chunk', 'read_ihdr', 'decode_err', 'discard_chunk_bytes'] | 968 | 968 | read_chunks | call site: 00011 | /src/libspng/spng/spng.c:3108 |
| 471 | 471 | 2: ['compressBound', 'compress2'] | 520 | 2548 | write_chunks_before_idat | call site: 00311 | /src/libspng/spng/spng.c:4069 |
| 37 | 681 | 8: ['finish_chunk', 'spng__free', 'write_header', 'spng__deflate_init', 'deflateBound', 'spng__malloc', 'deflate', 'strlen'] | 45 | 932 | write_chunks_before_idat | call site: 00448 | /src/libspng/spng/spng.c:4333 |
| 14 | 14 | 2: ['byte_swap', 'crc_word_big'] | 14 | 14 | crc32_z | call site: 00018 | /src/zlib/crc32.c:788 |
| 8 | 8 | 1: ['write_s32'] | 8 | 251 | write_chunks_before_idat | call site: 00467 | /src/libspng/spng/spng.c:4454 |
| 7 | 14 | 2: ['_tr_stored_block', '_tr_align'] | 7 | 38 | deflate | call site: 00394 | /src/zlib/deflate.c:1075 |
| 4 | 454 | 3: ['write_header', 'encode_err', 'deflate'] | 4 | 583 | finish_idat | call site: 00517 | /src/libspng/spng/spng.c:4536 |
| 2 | 2 | 1: ['encode_err'] | 2 | 2 | write_data | call site: 00280 | /src/libspng/spng/spng.c:863 |
| 0 | 79 | 1: ['write_chunk'] | 0 | 164 | write_chunks_before_idat | call site: 00471 | /src/libspng/spng/spng.c:4464 |
| 0 | 21 | 1: ['crc32'] | 557 | 629 | deflate | call site: 00350 | /src/zlib/deflate.c:1024 |
| 0 | 21 | 1: ['deflateEnd'] | 0 | 21 | deflateInit2_ | call site: 00318 | /src/zlib/deflate.c:365 |
| 0 | 21 | 1: ['crc32'] | 0 | 21 | read_buf | call site: 00358 | /src/zlib/deflate.c:1228 |

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 spng_ctx_new [function] [call site] 00001
2 spng_ctx_new2 [function] [call site] 00002
1 spng_set_image_limits [function] [call site] 00003
1 spng_set_chunk_limits [function] [call site] 00004
1 spng_set_option [function] [call site] 00005
1 spng_set_png_stream [function] [call site] 00006
2 spng__malloc [function] [call site] 00007
1 stream_write_fn(spng_ctx*, void*, void*, unsigned long) [function] [call site] 00008
1 spng_set_option [function] [call site] 00009
1 spng_set_ihdr [function] [call site] 00010
2 read_chunks [function] [call site] 00011
3 read_ihdr [function] [call site] 00012
4 read_data [function] [call site] 00013
4 memcmp [call site] 00014
4 memcmp [call site] 00016
4 check_ihdr [function] [call site] 00034
4 num_channels [function] [call site] 00035
4 calculate_subimages [function] [call site] 00036
5 calculate_scanline_width [function] [call site] 00037
6 num_channels [function] [call site] 00038
3 decode_err [function] [call site] 00039
3 read_non_idat_chunks [function] [call site] 00040
4 read_header [function] [call site] 00041
5 read_and_check_crc [function] [call site] 00042
6 read_data [function] [call site] 00043
6 is_critical_chunk [function] [call site] 00045
5 read_data [function] [call site] 00046
5 is_critical_chunk [function] [call site] 00048
4 memcmp [call site] 00051
4 discard_chunk_bytes [function] [call site] 00052
5 read_chunk_bytes [function] [call site] 00053
5 read_chunk_bytes [function] [call site] 00056
4 is_small_chunk [function] [call site] 00057
5 memcmp [call site] 00058
5 memcmp [call site] 00059
5 memcmp [call site] 00060
5 memcmp [call site] 00061
5 memcmp [call site] 00062
5 memcmp [call site] 00063
5 memcmp [call site] 00064
5 memcmp [call site] 00065
5 memcmp [call site] 00066
5 memcmp [call site] 00067
5 memcmp [call site] 00068
4 read_chunk_bytes [function] [call site] 00069
4 is_critical_chunk [function] [call site] 00070
4 memcmp [call site] 00071
4 check_plte [function] [call site] 00072
4 memcmp [call site] 00073
4 read_and_check_crc [function] [call site] 00074
4 memcmp [call site] 00075
4 memcmp [call site] 00076
4 check_chrm_int [function] [call site] 00085
4 memcmp [call site] 00086
4 memcmp [call site] 00088
4 check_sbit [function] [call site] 00089
4 memcmp [call site] 00090
4 memcmp [call site] 00091
4 memcmp [call site] 00096
4 memcmp [call site] 00101
4 memcmp [call site] 00103
4 check_phys [function] [call site] 00106
4 memcmp [call site] 00107
4 check_time [function] [call site] 00109
4 memcmp [call site] 00110
4 check_offs [function] [call site] 00114
4 memcmp [call site] 00115
4 increase_cache_usage [function] [call site] 00116
4 spng__malloc [function] [call site] 00117
4 read_chunk_bytes2 [function] [call site] 00118
4 spng__free [function] [call site] 00120
4 check_exif [function] [call site] 00121
5 memcmp [call site] 00122
4 spng__free [function] [call site] 00123
4 memcmp [call site] 00124
4 read_chunk_bytes [function] [call site] 00125
4 memchr [call site] 00126
4 check_png_keyword [function] [call site] 00127
5 strlen [call site] 00128
5 strstr [call site] 00129
4 spng__inflate_stream [function] [call site] 00130
5 spng__inflate_init [function] [call site] 00131
6 inflateEnd [function] [call site] 00132
7 inflateStateCheck [function] [call site] 00133
6 spng__zalloc [function] [call site] 00134
7 spng__malloc [function] [call site] 00135
6 spng__zfree [function] [call site] 00136
7 spng__free [function] [call site] 00137
6 inflateInit2_ [function] [call site] 00138
7 inflateReset2 [function] [call site] 00141
8 inflateStateCheck [function] [call site] 00142
8 inflateReset [function] [call site] 00143
9 inflateStateCheck [function] [call site] 00144
9 inflateResetKeep [function] [call site] 00145
10 inflateStateCheck [function] [call site] 00146
6 is_critical_chunk [function] [call site] 00147
6 inflateValidate [function] [call site] 00148
7 inflateStateCheck [function] [call site] 00149
5 spng__malloc [function] [call site] 00150
5 spng__realloc [function] [call site] 00176
5 read_chunk_bytes [function] [call site] 00177
5 spng__realloc [function] [call site] 00178
5 increase_cache_usage [function] [call site] 00179
5 spng__free [function] [call site] 00180
4 memcmp [call site] 00181
4 memcmp [call site] 00182
4 memcmp [call site] 00183
4 increase_cache_usage [function] [call site] 00184
4 spng__realloc [function] [call site] 00185
4 text_undo [function] [call site] 00186
5 spng__free [function] [call site] 00187
5 spng__free [function] [call site] 00188
5 decrease_cache_usage [function] [call site] 00189
5 decrease_cache_usage [function] [call site] 00190
4 read_chunk_bytes [function] [call site] 00191
4 memchr [call site] 00192
4 memcmp [call site] 00193
4 memcmp [call site] 00194
4 memcmp [call site] 00195
4 memchr [call site] 00196
4 memchr [call site] 00197
4 increase_cache_usage [function] [call site] 00198
4 spng__calloc [function] [call site] 00199
4 spng__inflate_stream [function] [call site] 00200
4 increase_cache_usage [function] [call site] 00201
4 spng__malloc [function] [call site] 00202
4 read_chunk_bytes2 [function] [call site] 00203
4 check_png_keyword [function] [call site] 00204
4 strlen [call site] 00205
4 check_png_text [function] [call site] 00206
4 memcmp [call site] 00207
4 increase_cache_usage [function] [call site] 00208
4 spng__realloc [function] [call site] 00209
4 splt_undo [function] [call site] 00210
5 spng__free [function] [call site] 00211
5 decrease_cache_usage [function] [call site] 00212
5 decrease_cache_usage [function] [call site] 00213
4 spng__malloc [function] [call site] 00214
4 read_chunk_bytes2 [function] [call site] 00215
4 memchr [call site] 00216
4 check_png_keyword [function] [call site] 00217
4 strcmp [call site] 00218
4 increase_cache_usage [function] [call site] 00219
4 spng__malloc [function] [call site] 00220
4 spng__free [function] [call site] 00221
4 spng__free [function] [call site] 00228
4 decrease_cache_usage [function] [call site] 00229
4 increase_cache_usage [function] [call site] 00230
4 spng__realloc [function] [call site] 00231
4 chunk_undo [function] [call site] 00232
5 spng__free [function] [call site] 00233
5 decrease_cache_usage [function] [call site] 00234
5 decrease_cache_usage [function] [call site] 00235
4 spng__malloc [function] [call site] 00236
4 read_chunk_bytes2 [function] [call site] 00237
4 spng__free [function] [call site] 00238
4 discard_chunk_bytes [function] [call site] 00239
3 is_critical_chunk [function] [call site] 00240
3 discard_chunk_bytes [function] [call site] 00241
3 decode_err [function] [call site] 00242
3 decode_err [function] [call site] 00243
3 decode_err [function] [call site] 00244
2 check_ihdr [function] [call site] 00245
1 spng_set_plte [function] [call site] 00246
2 read_chunks [function] [call site] 00247
2 check_plte [function] [call site] 00248
1 spng_set_trns [function] [call site] 00249
2 read_chunks [function] [call site] 00250
1 spng_set_chrm [function] [call site] 00251
2 read_chunks [function] [call site] 00252
2 check_chrm_int [function] [call site] 00253
1 spng_set_chrm_int [function] [call site] 00254
2 read_chunks [function] [call site] 00255
2 check_chrm_int [function] [call site] 00256
1 spng_set_gama [function] [call site] 00257
2 read_chunks [function] [call site] 00258
1 spng_set_sbit [function] [call site] 00259
2 read_chunks [function] [call site] 00260
2 check_sbit [function] [call site] 00261
1 spng_set_srgb [function] [call site] 00262
2 read_chunks [function] [call site] 00263
1 spng_set_bkgd [function] [call site] 00264
2 read_chunks [function] [call site] 00265
1 spng_set_hist [function] [call site] 00266
2 read_chunks [function] [call site] 00267
1 spng_set_phys [function] [call site] 00268
2 read_chunks [function] [call site] 00269
2 check_phys [function] [call site] 00270
1 spng_set_time [function] [call site] 00271
2 read_chunks [function] [call site] 00272
2 check_time [function] [call site] 00273
1 spng_encode_image [function] [call site] 00274
2 calculate_image_width [function] [call site] 00275
3 calculate_scanline_width [function] [call site] 00276
2 encode_err [function] [call site] 00277
2 spng_encode_chunks [function] [call site] 00278
3 write_chunks_before_idat [function] [call site] 00279
4 write_data [function] [call site] 00280
5 encode_err [function] [call site] 00281
5 require_bytes [function] [call site] 00282
6 spng__realloc [function] [call site] 00283
6 encode_err [function] [call site] 00284
6 encode_err [function] [call site] 00285
6 spng__realloc [function] [call site] 00286
6 encode_err [function] [call site] 00287
5 encode_err [function] [call site] 00288
4 write_u32 [function] [call site] 00289
4 write_u32 [function] [call site] 00290
4 write_u32 [function] [call site] 00301
4 write_u32 [function] [call site] 00302
4 write_u32 [function] [call site] 00303
4 write_u32 [function] [call site] 00304
4 write_u32 [function] [call site] 00305
4 write_u32 [function] [call site] 00306
4 write_u32 [function] [call site] 00307
4 write_u32 [function] [call site] 00308
4 write_chunk [function] [call site] 00309
4 write_u32 [function] [call site] 00310
4 write_chunk [function] [call site] 00311
4 compressBound [function] [call site] 00312
4 spng__malloc [function] [call site] 00313
4 compress2 [function] [call site] 00314
5 deflateInit_ [function] [call site] 00315
6 deflateInit2_ [function] [call site] 00316
7 deflateEnd [function] [call site] 00319
8 deflateStateCheck [function] [call site] 00320
7 deflateReset [function] [call site] 00321
8 deflateResetKeep [function] [call site] 00322
9 deflateStateCheck [function] [call site] 00323
9 _tr_init [function] [call site] 00326
10 tr_static_init [function] [call site] 00327
10 init_block [function] [call site] 00328
5 deflate [function] [call site] 00330
6 deflateStateCheck [function] [call site] 00331
6 flush_pending [function] [call site] 00332
7 _tr_flush_bits [function] [call site] 00333
6 putShortMSB [function] [call site] 00335
6 putShortMSB [function] [call site] 00336
6 putShortMSB [function] [call site] 00337
6 flush_pending [function] [call site] 00339
6 flush_pending [function] [call site] 00341
6 flush_pending [function] [call site] 00344
6 flush_pending [function] [call site] 00347
6 flush_pending [function] [call site] 00350
6 flush_pending [function] [call site] 00351
6 flush_pending [function] [call site] 00353
6 deflate_stored [function] [call site] 00354
7 _tr_stored_block [function] [call site] 00355
8 bi_windup [function] [call site] 00356
7 flush_pending [function] [call site] 00357
7 _tr_stored_block [function] [call site] 00361
7 flush_pending [function] [call site] 00362
6 deflate_huff [function] [call site] 00363
7 fill_window [function] [call site] 00364
7 _tr_flush_block [function] [call site] 00367
8 detect_data_type [function] [call site] 00368
8 build_tree [function] [call site] 00369
9 pqdownheap [function] [call site] 00370
9 pqdownheap [function] [call site] 00371
9 pqdownheap [function] [call site] 00372
9 gen_bitlen [function] [call site] 00373
9 gen_codes [function] [call site] 00374
10 bi_reverse [function] [call site] 00375
8 build_tree [function] [call site] 00376
8 build_bl_tree [function] [call site] 00377
9 scan_tree [function] [call site] 00378
9 scan_tree [function] [call site] 00379
9 build_tree [function] [call site] 00380
8 _tr_stored_block [function] [call site] 00381
8 compress_block [function] [call site] 00382
8 send_all_trees [function] [call site] 00383
8 compress_block [function] [call site] 00386
8 init_block [function] [call site] 00387
8 bi_windup [function] [call site] 00388
7 flush_pending [function] [call site] 00389
7 _tr_flush_block [function] [call site] 00390
7 flush_pending [function] [call site] 00391
7 _tr_flush_block [function] [call site] 00392
7 flush_pending [function] [call site] 00393
6 deflate_rle [function] [call site] 00394
7 fill_window [function] [call site] 00395
7 _tr_flush_block [function] [call site] 00396
7 flush_pending [function] [call site] 00397
7 _tr_flush_block [function] [call site] 00398
7 flush_pending [function] [call site] 00399
7 _tr_flush_block [function] [call site] 00400
7 flush_pending [function] [call site] 00401
6 _tr_stored_block [function] [call site] 00404
6 flush_pending [function] [call site] 00405
6 putShortMSB [function] [call site] 00406
6 putShortMSB [function] [call site] 00407
6 flush_pending [function] [call site] 00408
5 deflateEnd [function] [call site] 00409
4 spng__free [function] [call site] 00410
4 strlen [call site] 00411
4 write_header [function] [call site] 00412
4 spng__free [function] [call site] 00413
4 spng__free [function] [call site] 00414
4 finish_chunk [function] [call site] 00415
4 write_chunk [function] [call site] 00416
4 write_chunk [function] [call site] 00417
4 write_unknown_chunks [function] [call site] 00418
5 write_chunk [function] [call site] 00419
4 write_chunk [function] [call site] 00420
4 write_u16 [function] [call site] 00421
4 write_u16 [function] [call site] 00422
4 write_u16 [function] [call site] 00423
4 write_u16 [function] [call site] 00424
4 write_chunk [function] [call site] 00425
4 write_u16 [function] [call site] 00426
4 write_chunk [function] [call site] 00427
4 write_u16 [function] [call site] 00428
4 write_chunk [function] [call site] 00429
4 write_u16 [function] [call site] 00430
4 write_u16 [function] [call site] 00431
4 write_u16 [function] [call site] 00432
4 write_chunk [function] [call site] 00433
4 write_chunk [function] [call site] 00434
4 write_u32 [function] [call site] 00435
4 write_u32 [function] [call site] 00436
4 write_chunk [function] [call site] 00437
4 strlen [call site] 00438
4 write_header [function] [call site] 00439
4 write_u16 [function] [call site] 00440
4 write_u16 [function] [call site] 00441
4 write_u16 [function] [call site] 00442
4 write_u16 [function] [call site] 00443
4 write_u16 [function] [call site] 00444
4 write_u16 [function] [call site] 00445
4 finish_chunk [function] [call site] 00446
4 write_u16 [function] [call site] 00447
4 write_chunk [function] [call site] 00448
4 strlen [call site] 00449
4 strlen [call site] 00450
4 strlen [call site] 00451
4 strlen [call site] 00452
4 spng__deflate_init [function] [call site] 00453
5 deflateEnd [function] [call site] 00454
5 spng__zalloc [function] [call site] 00455
5 spng__zfree [function] [call site] 00456
5 deflateInit2_ [function] [call site] 00457
4 deflateBound [function] [call site] 00458
5 deflateStateCheck [function] [call site] 00459
4 spng__malloc [function] [call site] 00460
4 spng__free [function] [call site] 00462
4 strlen [call site] 00463
4 write_header [function] [call site] 00464
4 spng__free [function] [call site] 00465
4 spng__free [function] [call site] 00466
4 finish_chunk [function] [call site] 00467
4 write_s32 [function] [call site] 00470
4 write_chunk [function] [call site] 00471
4 write_chunk [function] [call site] 00472
4 write_unknown_chunks [function] [call site] 00473
3 encode_err [function] [call site] 00474
3 write_chunks_after_idat [function] [call site] 00475
4 write_unknown_chunks [function] [call site] 00476
4 write_iend [function] [call site] 00477
5 write_data [function] [call site] 00478
3 encode_err [function] [call site] 00479
2 encode_err [function] [call site] 00480
2 calculate_subimages [function] [call site] 00481
2 encode_err [function] [call site] 00482
2 num_channels [function] [call site] 00483
2 spng__deflate_init [function] [call site] 00484
2 encode_err [function] [call site] 00485
2 spng__malloc [function] [call site] 00486
2 spng__malloc [function] [call site] 00487
2 encode_err [function] [call site] 00488
2 spng__malloc [function] [call site] 00489
2 encode_err [function] [call site] 00490
2 write_header [function] [call site] 00491
2 encode_err [function] [call site] 00492
2 encode_row [function] [call site] 00493
3 encode_scanline [function] [call site] 00494
4 u16_row_to_bigendian [function] [call site] 00495
5 write_u16 [function] [call site] 00496
4 get_best_filter [function] [call site] 00497
5 filter_sum [function] [call site] 00498
6 paeth [function] [call site] 00499
7 abs [call site] 00500
7 abs [call site] 00501
7 abs [call site] 00502
6 abs [call site] 00503
5 abs [call site] 00504
4 filter_scanline [function] [call site] 00505
4 encode_err [function] [call site] 00507
4 write_idat_bytes [function] [call site] 00508
5 finish_chunk [function] [call site] 00510
5 encode_err [function] [call site] 00511
5 write_header [function] [call site] 00512
5 encode_err [function] [call site] 00513
4 encode_err [function] [call site] 00514
4 update_row_info [function] [call site] 00515
4 finish_idat [function] [call site] 00516
5 finish_chunk [function] [call site] 00518
5 encode_err [function] [call site] 00519
5 write_header [function] [call site] 00520
5 encode_err [function] [call site] 00521
5 trim_chunk [function] [call site] 00522
5 finish_chunk [function] [call site] 00523
4 encode_err [function] [call site] 00524
4 spng_encode_chunks [function] [call site] 00525
4 encode_err [function] [call site] 00526
3 encode_scanline [function] [call site] 00527
3 encode_scanline [function] [call site] 00528
2 encode_err [function] [call site] 00529
1 spng_get_row_info [function] [call site] 00530
1 spng_encode_row [function] [call site] 00531
2 encode_row [function] [call site] 00532
1 spng_encode_image [function] [call site] 00533
1 spng_get_png_buffer [function] [call site] 00534
1 spng_ctx_free [function] [call site] 00535
2 spng__free [function] [call site] 00536
2 spng__free [function] [call site] 00537
2 spng__free [function] [call site] 00538
2 spng__free [function] [call site] 00539
2 spng__free [function] [call site] 00540
2 spng__free [function] [call site] 00541
2 spng__free [function] [call site] 00542
2 spng__free [function] [call site] 00543
2 spng__free [function] [call site] 00544
2 spng__free [function] [call site] 00545
2 deflateEnd [function] [call site] 00546
2 inflateEnd [function] [call site] 00547
2 spng__free [function] [call site] 00548
2 spng__free [function] [call site] 00549
2 spng__free [function] [call site] 00550
2 spng__free [function] [call site] 00551
2 spng__free [function] [call site] 00552
2 spng__free [function] [call site] 00553