Fuzz introspector: dct_fuzzer
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
768 768 1 :

['Pl_DCT::compress(void*, Buffer*)']

797 802 Pl_DCT::finish() call site: 00000 /src/qpdf/libqpdf/Pl_DCT.cc:155
60 60 1 :

['do_sarray_io']

60 62 access_virt_sarray call site: 00000 /src/libjpeg-turbo/jmemmgr.c:940
28 28 1 :

['do_barray_io']

28 30 access_virt_barray call site: 00000 /src/libjpeg-turbo/jmemmgr.c:1024
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 8 skip_buffer_input_data(jpeg_decompress_struct*,long) call site: 00000 /src/qpdf/libqpdf/Pl_DCT.cc:250
5 5 1 :

['jpeg_destroy_compress']

17 22 Pl_DCT::finish() call site: 00000 /src/qpdf/libqpdf/Pl_DCT.cc:171
2 2 1 :

['out_of_memory']

2 106 alloc_sarray call site: 00000 /src/libjpeg-turbo/jmemmgr.c:461
2 2 1 :

['__isoc99_sscanf']

2 2 jinit_memory_mgr call site: 00044 /src/libjpeg-turbo/jmemmgr.c:1273
2 2 1 :

['out_of_memory']

2 2 alloc_large call site: 00000 /src/libjpeg-turbo/jmemmgr.c:394
0 24 1 :

['Pipeline::getNext(bool)']

2 26 Pl_DCT::finish() call site: 00000 /src/qpdf/libqpdf/Pl_DCT.cc:132
0 2 1 :

['jpeg_mem_term']

8 10 jinit_memory_mgr call site: 00042 /src/libjpeg-turbo/jmemmgr.c:1227
0 0 None 225 686 master_selection call site: 00213 /src/libjpeg-turbo/jdmaster.c:537
0 0 None 225 657 master_selection call site: 00214 /src/libjpeg-turbo/jdmaster.c:548

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 setenv [call site] 00001
1 FuzzHelper::FuzzHelper(unsigned char const*, unsigned long) [function] [call site] 00002
1 FuzzHelper::run() [function] [call site] 00003
2 FuzzHelper::doChecks() [function] [call site] 00004
3 Pl_DCT::setMemoryLimit(long) [function] [call site] 00005
3 Pl_DCT::setScanLimit(int) [function] [call site] 00006
3 Pl_DCT::setThrowOnCorruptData(bool) [function] [call site] 00007
3 Pl_Discard::Pl_Discard() [function] [call site] 00008
4 Pipeline::Pipeline(char const*, Pipeline*) [function] [call site] 00009
3 Pl_DCT::Pl_DCT(char const*, Pipeline*) [function] [call site] 00010
4 Pipeline::Pipeline(char const*, Pipeline*) [function] [call site] 00011
4 Pl_DCT::Members::Members() [function] [call site] 00012
5 Pl_Buffer::Pl_Buffer(char const*, Pipeline*) [function] [call site] 00013
6 Pipeline::Pipeline(char const*, Pipeline*) [function] [call site] 00014
6 Pl_Buffer::Members::Members() [function] [call site] 00015
6 Pipeline::~Pipeline() [function] [call site] 00016
4 Pipeline::~Pipeline() [function] [call site] 00017
3 Pl_DCT::write(unsigned char const*, unsigned long) [function] [call site] 00018
4 Pl_Buffer::write(unsigned char const*, unsigned long) [function] [call site] 00019
5 Pipeline::getNext(bool) [function] [call site] 00020
6 __cxa_allocate_exception [call site] 00021
5 Pipeline::getNext(bool) [function] [call site] 00022
3 Pl_DCT::finish() [function] [call site] 00023
4 Pl_Buffer::finish() [function] [call site] 00024
5 Pipeline::getNext(bool) [function] [call site] 00025
5 Pipeline::getNext(bool) [function] [call site] 00026
4 Pl_Buffer::getBuffer() [function] [call site] 00027
5 __cxa_allocate_exception [call site] 00028
5 Buffer::Buffer(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) [function] [call site] 00029
6 Buffer::Members::Members(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) [function] [call site] 00030
4 Buffer::getSize() const [function] [call site] 00031
4 Buffer::~Buffer() [function] [call site] 00032
4 Pipeline::getNext(bool) [function] [call site] 00033
4 (anonymous namespace)::qpdf_jpeg_error_mgr::qpdf_jpeg_error_mgr() [function] [call site] 00034
4 jpeg_std_error [function] [call site] 00035
4 jpeg_std_error [function] [call site] 00036
4 _setjmp [call site] 00037
4 Pl_DCT::compress(void*, Buffer*) [function] [call site] 00038
5 jpeg_CreateCompress [function] [call site] 00039
6 jinit_memory_mgr [function] [call site] 00040
7 jpeg_mem_init [function] [call site] 00041
7 jpeg_get_small [function] [call site] 00042
7 jpeg_mem_term [function] [call site] 00043
7 getenv [call site] 00044
7 __isoc99_sscanf [call site] 00045
5 Pipeline::getNext(bool) [function] [call site] 00046
5 jpeg_pipeline_dest(jpeg_compress_struct*, unsigned char*, unsigned long, Pipeline*) [function] [call site] 00047
5 jpeg_set_defaults [function] [call site] 00048
6 jpeg_set_quality [function] [call site] 00049
7 jpeg_quality_scaling [function] [call site] 00050
7 jpeg_set_linear_quality [function] [call site] 00051
8 jpeg_add_quant_table [function] [call site] 00052
9 jpeg_alloc_quant_table [function] [call site] 00053
8 jpeg_add_quant_table [function] [call site] 00054
6 std_huff_tables [function] [call site] 00055
7 add_huff_table [function] [call site] 00056
8 jpeg_alloc_huff_table [function] [call site] 00057
7 add_huff_table [function] [call site] 00058
7 add_huff_table [function] [call site] 00059
7 add_huff_table [function] [call site] 00060
6 jpeg_default_colorspace [function] [call site] 00061
7 jpeg_set_colorspace [function] [call site] 00062
7 jpeg_set_colorspace [function] [call site] 00063
7 jpeg_set_colorspace [function] [call site] 00064
7 jpeg_set_colorspace [function] [call site] 00065
7 jpeg_set_colorspace [function] [call site] 00066
7 jpeg_set_colorspace [function] [call site] 00067
5 jpeg_start_compress [function] [call site] 00068
6 jpeg_suppress_tables [function] [call site] 00069
6 jinit_compress_master [function] [call site] 00070
7 jinit_c_master_control [function] [call site] 00071
8 validate_script [function] [call site] 00072
8 jpeg_default_colorspace [function] [call site] 00073
8 initial_setup [function] [call site] 00074
9 jdiv_round_up [function] [call site] 00075
9 jdiv_round_up [function] [call site] 00076
9 jdiv_round_up [function] [call site] 00077
9 jdiv_round_up [function] [call site] 00078
9 jdiv_round_up [function] [call site] 00079
8 using_std_huff_tables [function] [call site] 00080
9 memcmp [call site] 00081
9 memcmp [call site] 00082
9 memcmp [call site] 00083
9 memcmp [call site] 00084
9 memcmp [call site] 00085
9 memcmp [call site] 00086
9 memcmp [call site] 00087
9 memcmp [call site] 00088
7 j16init_color_converter [function] [call site] 00089
7 j16init_downsampler [function] [call site] 00090
7 j16init_c_prep_controller [function] [call site] 00091
8 create_context_buffer [function] [call site] 00092
7 j12init_color_converter [function] [call site] 00093
7 j12init_downsampler [function] [call site] 00094
7 j12init_c_prep_controller [function] [call site] 00095
7 jinit_color_converter [function] [call site] 00096
8 jsimd_can_rgb_gray [function] [call site] 00097
9 init_simd [function] [call site] 00098
10 jpeg_simd_cpu_support [call site] 00099
10 getenv [call site] 00100
10 getenv [call site] 00101
10 getenv [call site] 00102
10 getenv [call site] 00103
8 jsimd_can_rgb_ycc [function] [call site] 00104
9 init_simd [function] [call site] 00105
7 jinit_downsampler [function] [call site] 00106
8 jsimd_can_h2v1_downsample [function] [call site] 00107
9 init_simd [function] [call site] 00108
8 jsimd_can_h2v2_downsample [function] [call site] 00109
9 init_simd [function] [call site] 00110
7 jinit_c_prep_controller [function] [call site] 00111
7 j16init_lossless_compressor [function] [call site] 00112
7 j12init_lossless_compressor [function] [call site] 00113
7 jinit_lossless_compressor [function] [call site] 00114
7 jinit_lhuff_encoder [function] [call site] 00115
7 j16init_c_diff_controller [function] [call site] 00116
8 jround_up [function] [call site] 00117
8 jround_up [function] [call site] 00118
8 jround_up [function] [call site] 00119
8 jround_up [function] [call site] 00120
8 jround_up [function] [call site] 00121
8 jround_up [function] [call site] 00122
7 j12init_c_diff_controller [function] [call site] 00123
7 jinit_c_diff_controller [function] [call site] 00124
7 j12init_forward_dct [function] [call site] 00125
7 jinit_forward_dct [function] [call site] 00126
8 jsimd_can_fdct_islow [function] [call site] 00127
9 init_simd [function] [call site] 00128
8 jsimd_can_fdct_float [function] [call site] 00129
9 init_simd [function] [call site] 00130
8 jsimd_can_convsamp [function] [call site] 00131
9 init_simd [function] [call site] 00132
8 jsimd_can_quantize [function] [call site] 00133
9 init_simd [function] [call site] 00134
8 jsimd_can_convsamp_float [function] [call site] 00135
9 init_simd [function] [call site] 00136
8 jsimd_can_quantize_float [function] [call site] 00137
9 init_simd [function] [call site] 00138
7 jinit_arith_encoder [function] [call site] 00139
7 jinit_phuff_encoder [function] [call site] 00140
7 jinit_huff_encoder [function] [call site] 00141
7 j12init_c_coef_controller [function] [call site] 00142
8 jround_up [function] [call site] 00143
8 jround_up [function] [call site] 00144
7 jinit_c_coef_controller [function] [call site] 00145
7 j16init_c_main_controller [function] [call site] 00146
7 j12init_c_main_controller [function] [call site] 00147
7 jinit_c_main_controller [function] [call site] 00148
7 jinit_marker_writer [function] [call site] 00149
5 unsigned int QIntC::to_uint<int>(int const&) [function] [call site] 00150
6 QIntC::IntConverter<int, unsigned int, true, false>::convert(int const&) [function] [call site] 00151
7 QIntC::IntConverter<int, unsigned int, true, false>::error(int) [function] [call site] 00152
8 __cxa_allocate_exception [call site] 00153
8 std::range_error::range_error[abi:v180000](std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) [function] [call site] 00154
9 std::runtime_error::runtime_error(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) [call site] 00155
5 unsigned long QIntC::to_size<unsigned int>(unsigned int const&) [function] [call site] 00156
6 QIntC::IntConverter<unsigned int, unsigned long, false, false>::convert(unsigned int const&) [function] [call site] 00157
7 QIntC::IntConverter<unsigned int, unsigned long, false, false>::error(unsigned int) [function] [call site] 00158
8 __cxa_allocate_exception [call site] 00159
8 std::range_error::range_error[abi:v180000](std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) [function] [call site] 00160
5 unsigned long QIntC::to_size<unsigned int>(unsigned int const&) [function] [call site] 00161
5 Buffer::getSize() const [function] [call site] 00162
5 __cxa_allocate_exception [call site] 00163
5 Buffer::getSize() const [function] [call site] 00164
5 Buffer::getBuffer() [function] [call site] 00165
5 jpeg_write_scanlines [function] [call site] 00166
5 jpeg_finish_compress [function] [call site] 00167
6 jpeg_abort [function] [call site] 00168
5 Pipeline::getNext(bool) [function] [call site] 00169
4 __cxa_begin_catch [call site] 00170
4 longjmp [call site] 00171
4 Pl_DCT::decompress(void*, Buffer*) [function] [call site] 00172
5 jpeg_CreateDecompress [function] [call site] 00173
6 jinit_memory_mgr [function] [call site] 00174
6 jinit_marker_reader [function] [call site] 00175
7 reset_marker_reader [function] [call site] 00176
6 jinit_input_controller [function] [call site] 00177
5 jpeg_buffer_src(jpeg_decompress_struct*, Buffer*) [function] [call site] 00178
6 Buffer::getSize() const [function] [call site] 00179
6 Buffer::getBuffer() [function] [call site] 00180
5 jpeg_read_header [function] [call site] 00181
6 jpeg_consume_input [function] [call site] 00182
7 default_decompress_parms [function] [call site] 00183
6 jpeg_abort [function] [call site] 00184
5 jpeg_calc_output_dimensions [function] [call site] 00185
6 jpeg_core_output_dimensions [function] [call site] 00186
7 jdiv_round_up [function] [call site] 00187
7 jdiv_round_up [function] [call site] 00188
7 jdiv_round_up [function] [call site] 00189
7 jdiv_round_up [function] [call site] 00190
7 jdiv_round_up [function] [call site] 00191
7 jdiv_round_up [function] [call site] 00192
7 jdiv_round_up [function] [call site] 00193
7 jdiv_round_up [function] [call site] 00194
7 jdiv_round_up [function] [call site] 00195
7 jdiv_round_up [function] [call site] 00196
7 jdiv_round_up [function] [call site] 00197
7 jdiv_round_up [function] [call site] 00198
7 jdiv_round_up [function] [call site] 00199
7 jdiv_round_up [function] [call site] 00200
7 jdiv_round_up [function] [call site] 00201
7 jdiv_round_up [function] [call site] 00202
7 jdiv_round_up [function] [call site] 00203
6 jdiv_round_up [function] [call site] 00204
6 jdiv_round_up [function] [call site] 00205
6 use_merged_upsample [function] [call site] 00206
5 unsigned int QIntC::to_uint<int>(int const&) [function] [call site] 00207
5 __cxa_allocate_exception [call site] 00208
5 jpeg_start_decompress [function] [call site] 00209
6 jinit_master_decompress [function] [call site] 00210
7 master_selection [function] [call site] 00211
8 jpeg_calc_output_dimensions [function] [call site] 00212
8 prepare_range_limit_table [function] [call site] 00213
8 use_merged_upsample [function] [call site] 00214
8 j12init_1pass_quantizer [function] [call site] 00215
9 create_colormap [function] [call site] 00216
10 select_ncolors [function] [call site] 00217
10 output_value [function] [call site] 00218
9 create_colorindex [function] [call site] 00219
10 largest_input_value [function] [call site] 00220
10 largest_input_value [function] [call site] 00221
9 alloc_fs_workspace [function] [call site] 00222
8 jinit_1pass_quantizer [function] [call site] 00223
8 j12init_2pass_quantizer [function] [call site] 00224
9 init_error_limit [function] [call site] 00225
8 jinit_2pass_quantizer [function] [call site] 00226
8 j12init_merged_upsampler [function] [call site] 00227
9 build_ycc_rgb_table [function] [call site] 00228
8 jinit_merged_upsampler [function] [call site] 00229
9 jsimd_can_h2v2_merged_upsample [function] [call site] 00230
10 init_simd [function] [call site] 00231
9 jsimd_can_h2v1_merged_upsample [function] [call site] 00232
10 init_simd [function] [call site] 00233
8 j16init_color_deconverter [function] [call site] 00234
9 build_rgb_y_table [function] [call site] 00235
9 build_ycc_rgb_table [function] [call site] 00236
9 build_ycc_rgb_table [function] [call site] 00237
9 build_ycc_rgb_table [function] [call site] 00238
9 build_ycc_rgb_table [function] [call site] 00239
8 j16init_upsampler [function] [call site] 00240
9 jround_up [function] [call site] 00241
8 j12init_color_deconverter [function] [call site] 00242
8 j12init_upsampler [function] [call site] 00243
8 jinit_color_deconverter [function] [call site] 00244
9 jsimd_can_ycc_rgb [function] [call site] 00245
10 init_simd [function] [call site] 00246
9 jsimd_can_ycc_rgb565 [function] [call site] 00247
8 jinit_upsampler [function] [call site] 00248
9 jsimd_can_h2v1_fancy_upsample [function] [call site] 00249
10 init_simd [function] [call site] 00250
9 jsimd_can_h2v1_upsample [function] [call site] 00251
10 init_simd [function] [call site] 00252
9 jsimd_can_h2v2_upsample [function] [call site] 00253
10 init_simd [function] [call site] 00254
8 j16init_d_post_controller [function] [call site] 00255
8 j12init_d_post_controller [function] [call site] 00256
9 jround_up [function] [call site] 00257
8 jinit_d_post_controller [function] [call site] 00258
8 j16init_lossless_decompressor [function] [call site] 00259
8 j12init_lossless_decompressor [function] [call site] 00260
8 jinit_lossless_decompressor [function] [call site] 00261
8 jinit_lhuff_decoder [function] [call site] 00262
8 j16init_d_diff_controller [function] [call site] 00263
9 jround_up [function] [call site] 00264
9 jround_up [function] [call site] 00265
9 jround_up [function] [call site] 00266
8 j12init_d_diff_controller [function] [call site] 00267
8 jinit_d_diff_controller [function] [call site] 00268
8 j12init_inverse_dct [function] [call site] 00269
8 jinit_inverse_dct [function] [call site] 00270
8 jinit_arith_decoder [function] [call site] 00271
8 jinit_phuff_decoder [function] [call site] 00272
8 jinit_huff_decoder [function] [call site] 00273
9 std_huff_tables [function] [call site] 00274
8 j12init_d_coef_controller [function] [call site] 00275
9 jround_up [function] [call site] 00276
9 jround_up [function] [call site] 00277
8 jinit_d_coef_controller [function] [call site] 00278
8 j16init_d_main_controller [function] [call site] 00279
9 alloc_funny_pointers [function] [call site] 00280
8 j12init_d_main_controller [function] [call site] 00281
8 jinit_d_main_controller [function] [call site] 00282
6 output_pass_setup [function] [call site] 00283
5 jpeg_read_scanlines [function] [call site] 00284
5 Pipeline::getNext(bool) [function] [call site] 00285
5 jpeg_finish_decompress [function] [call site] 00286
6 jpeg_abort [function] [call site] 00287
5 Pipeline::getNext(bool) [function] [call site] 00288
4 __cxa_end_catch [call site] 00289
4 Buffer::~Buffer() [function] [call site] 00290
4 jpeg_destroy_compress [function] [call site] 00291
5 jpeg_destroy [function] [call site] 00292
4 jpeg_destroy_decompress [function] [call site] 00293
5 jpeg_destroy [function] [call site] 00294
4 (anonymous namespace)::qpdf_jpeg_error_mgr::~qpdf_jpeg_error_mgr() [function] [call site] 00295
3 Pl_DCT::~Pl_DCT() [function] [call site] 00296
4 Pipeline::~Pipeline() [function] [call site] 00297
3 Pl_Discard::~Pl_Discard() [function] [call site] 00298
4 Pipeline::~Pipeline() [function] [call site] 00299
2 __cxa_begin_catch [call site] 00300
2 __cxa_end_catch [call site] 00301