Fuzz introspector: future_dct_fuzzer
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

| Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch |
|---|---|---|---|---|---|---|---|
| 60 | 60 | 1 : ['do_sarray_io'] | 60 | 62 | access_virt_sarray | call site: 00000 | /src/libjpeg-turbo/src/jmemmgr.c:941 |
| 28 | 28 | 1 : ['do_barray_io'] | 28 | 30 | access_virt_barray | call site: 00000 | /src/libjpeg-turbo/src/jmemmgr.c:1025 |
| 8 | 8 | 4 : ['__cxa_throw', '__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception'] | 8 | 8 | skip_buffer_input_data(jpeg_decompress_struct*,long) | call site: 00000 | /src/qpdf/libqpdf/Pl_DCT.cc:295 |
| 5 | 5 | 1 : ['jpeg_destroy_compress'] | 17 | 22 | Pl_DCT::finish() | call site: 00000 | /src/qpdf/libqpdf/Pl_DCT.cc:216 |
| 2 | 2 | 1 : ['out_of_memory'] | 2 | 106 | alloc_sarray | call site: 00000 | /src/libjpeg-turbo/src/jmemmgr.c:462 |
| 2 | 2 | 1 : ['__isoc99_sscanf'] | 2 | 2 | jinit_memory_mgr | call site: 00048 | /src/libjpeg-turbo/src/jmemmgr.c:1274 |
| 2 | 2 | 1 : ['out_of_memory'] | 2 | 2 | alloc_large | call site: 00000 | /src/libjpeg-turbo/src/jmemmgr.c:395 |
| 0 | 838 | 1 : ['Pl_DCT::compress(void*, Buffer*)'] | 25 | 870 | Pl_DCT::finish() | call site: 00000 | /src/qpdf/libqpdf/Pl_DCT.cc:200 |
| 0 | 2 | 1 : ['jpeg_mem_term'] | 8 | 10 | jinit_memory_mgr | call site: 00044 | /src/libjpeg-turbo/src/jmemmgr.c:1228 |
| 0 | 2 | 1 : ['Pipeline::next() const'] | 0 | 4 | Pl_DCT::finish() | call site: 00000 | /src/qpdf/libqpdf/Pl_DCT.cc:177 |
| 0 | 0 | None | 221 | 728 | master_selection | call site: 00249 | /src/libjpeg-turbo/src/jdmaster.c:539 |
| 0 | 0 | None | 221 | 699 | master_selection | call site: 00250 | /src/libjpeg-turbo/src/jdmaster.c:550 |

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 setenv [call site] 00001
1 FuzzHelper::FuzzHelper(unsigned char const*, unsigned long) [function] [call site] 00002
1 FuzzHelper::run() [function] [call site] 00003
2 FuzzHelper::doChecks() [function] [call site] 00004
3 Pl_DCT::setMemoryLimit(long) [function] [call site] 00005
3 Pl_DCT::setScanLimit(int) [function] [call site] 00006
3 Pl_DCT::setThrowOnCorruptData(bool) [function] [call site] 00007
3 Pl_Discard::Pl_Discard() [function] [call site] 00008
4 Pipeline::Pipeline(char const*, Pipeline*) [function] [call site] 00009
3 Pl_DCT::Pl_DCT(char const*, Pipeline*) [function] [call site] 00010
4 Pipeline::Pipeline(char const*, Pipeline*) [function] [call site] 00011
4 __cxa_allocate_exception [call site] 00012
4 std::logic_error::logic_error(char const*) [call site] 00013
4 __cxa_throw [call site] 00014
4 __cxa_free_exception [call site] 00015
4 Pipeline::~Pipeline() [function] [call site] 00016
3 Pl_DCT::write(unsigned char const*, unsigned long) [function] [call site] 00017
4 Pl_Buffer::write(unsigned char const*, unsigned long) [function] [call site] 00018
5 Pipeline::next() const [function] [call site] 00019
5 Pipeline::next() const [function] [call site] 00020
3 Pl_DCT::finish() [function] [call site] 00021
4 Pl_Buffer::finish() [function] [call site] 00022
5 Pipeline::next() const [function] [call site] 00023
5 Pipeline::next() const [function] [call site] 00024
4 Pl_Buffer::getBuffer() [function] [call site] 00025
5 __cxa_allocate_exception [call site] 00026
5 std::logic_error::logic_error(char const*) [call site] 00027
5 __cxa_throw [call site] 00028
5 std::logic_error::~logic_error() [call site] 00029
5 __cxa_free_exception [call site] 00030
5 Buffer::Buffer(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) [function] [call site] 00031
6 Buffer::Members::Members(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) [function] [call site] 00032
4 Buffer::getSize() const [function] [call site] 00033
4 Buffer::~Buffer() [function] [call site] 00034
4 Pipeline::next() const [function] [call site] 00035
4 (anonymous namespace)::qpdf_jpeg_error_mgr::qpdf_jpeg_error_mgr() [function] [call site] 00036
4 jpeg_std_error [function] [call site] 00037
4 jpeg_std_error [function] [call site] 00038
4 _setjmp [call site] 00039
4 Pl_DCT::compress(void*, Buffer*) [function] [call site] 00040
5 jpeg_CreateCompress [function] [call site] 00041
6 jinit_memory_mgr [function] [call site] 00042
7 jpeg_mem_init [function] [call site] 00043
7 jpeg_get_small [function] [call site] 00044
7 jpeg_mem_term [function] [call site] 00045
7 getenv [call site] 00046
7 strlen [call site] 00047
7 strncpy [call site] 00048
7 __isoc99_sscanf [call site] 00049
5 Pipeline::next() const [function] [call site] 00050
5 jpeg_pipeline_dest(jpeg_compress_struct*, unsigned char*, unsigned long, Pipeline*) [function] [call site] 00051
5 jpeg_set_defaults [function] [call site] 00052
6 jpeg_set_quality [function] [call site] 00053
7 jpeg_quality_scaling [function] [call site] 00054
7 jpeg_set_linear_quality [function] [call site] 00055
8 jpeg_add_quant_table [function] [call site] 00056
9 jpeg_alloc_quant_table [function] [call site] 00057
8 jpeg_add_quant_table [function] [call site] 00058
6 std_huff_tables [function] [call site] 00059
7 add_huff_table [function] [call site] 00060
8 jpeg_alloc_huff_table [function] [call site] 00061
7 add_huff_table [function] [call site] 00062
7 add_huff_table [function] [call site] 00063
7 add_huff_table [function] [call site] 00064
6 jpeg_default_colorspace [function] [call site] 00065
7 jpeg_set_colorspace [function] [call site] 00066
7 jpeg_set_colorspace [function] [call site] 00067
7 jpeg_set_colorspace [function] [call site] 00068
7 jpeg_set_colorspace [function] [call site] 00069
7 jpeg_set_colorspace [function] [call site] 00070
7 jpeg_set_colorspace [function] [call site] 00071
7 jpeg_set_colorspace [function] [call site] 00072
5 jpeg_start_compress [function] [call site] 00073
6 jpeg_suppress_tables [function] [call site] 00074
6 jinit_compress_master [function] [call site] 00075
7 jinit_c_master_control [function] [call site] 00076
8 validate_script [function] [call site] 00077
8 jpeg_default_colorspace [function] [call site] 00078
8 initial_setup [function] [call site] 00079
9 jdiv_round_up [function] [call site] 00080
9 jdiv_round_up [function] [call site] 00081
9 jdiv_round_up [function] [call site] 00082
9 jdiv_round_up [function] [call site] 00083
9 jdiv_round_up [function] [call site] 00084
8 using_std_huff_tables [function] [call site] 00085
9 memcmp [call site] 00086
9 memcmp [call site] 00087
9 memcmp [call site] 00088
9 memcmp [call site] 00089
9 memcmp [call site] 00090
9 memcmp [call site] 00091
9 memcmp [call site] 00092
9 memcmp [call site] 00093
7 jinit_color_converter [function] [call site] 00094
8 jsimd_can_rgb_gray [function] [call site] 00095
9 init_simd [function] [call site] 00096
10 jpeg_simd_cpu_support [call site] 00097
10 getenv [call site] 00098
10 strlen [call site] 00099
10 strncpy [call site] 00100
10 strcmp [call site] 00101
10 getenv [call site] 00102
10 strlen [call site] 00103
10 strncpy [call site] 00104
10 strcmp [call site] 00105
10 getenv [call site] 00106
10 strlen [call site] 00107
10 strncpy [call site] 00108
10 strcmp [call site] 00109
10 getenv [call site] 00110
10 strlen [call site] 00111
10 strncpy [call site] 00112
10 strcmp [call site] 00113
8 jsimd_can_rgb_ycc [function] [call site] 00114
9 init_simd [function] [call site] 00115
7 jinit_downsampler [function] [call site] 00116
8 jsimd_can_h2v1_downsample [function] [call site] 00117
9 init_simd [function] [call site] 00118
8 jsimd_can_h2v2_downsample [function] [call site] 00119
9 init_simd [function] [call site] 00120
7 jinit_c_prep_controller [function] [call site] 00121
8 create_context_buffer [function] [call site] 00122
7 j12init_color_converter [function] [call site] 00123
7 j12init_downsampler [function] [call site] 00124
7 j12init_c_prep_controller [function] [call site] 00125
7 j16init_color_converter [function] [call site] 00126
7 j16init_downsampler [function] [call site] 00127
7 j16init_c_prep_controller [function] [call site] 00128
7 jinit_lossless_compressor [function] [call site] 00129
7 j12init_lossless_compressor [function] [call site] 00130
7 j16init_lossless_compressor [function] [call site] 00131
7 jinit_lhuff_encoder [function] [call site] 00132
7 jinit_c_diff_controller [function] [call site] 00133
7 j12init_c_diff_controller [function] [call site] 00140
7 j16init_c_diff_controller [function] [call site] 00141
7 jinit_forward_dct [function] [call site] 00142
8 jsimd_can_fdct_islow [function] [call site] 00143
9 init_simd [function] [call site] 00144
8 jsimd_can_fdct_ifast [function] [call site] 00145
9 init_simd [function] [call site] 00146
8 jsimd_can_fdct_float [function] [call site] 00147
9 init_simd [function] [call site] 00148
8 jsimd_can_convsamp [function] [call site] 00149
9 init_simd [function] [call site] 00150
8 jsimd_can_quantize [function] [call site] 00151
9 init_simd [function] [call site] 00152
8 jsimd_can_convsamp_float [function] [call site] 00153
9 init_simd [function] [call site] 00154
8 jsimd_can_quantize_float [function] [call site] 00155
9 init_simd [function] [call site] 00156
7 j12init_forward_dct [function] [call site] 00157
7 jinit_arith_encoder [function] [call site] 00158
7 jinit_phuff_encoder [function] [call site] 00159
7 jinit_huff_encoder [function] [call site] 00160
7 j12init_c_coef_controller [function] [call site] 00161
7 jinit_c_coef_controller [function] [call site] 00164
7 jinit_c_main_controller [function] [call site] 00165
7 j12init_c_main_controller [function] [call site] 00166
7 j16init_c_main_controller [function] [call site] 00167
7 jinit_marker_writer [function] [call site] 00168
5 unsigned int QIntC::to_uint<int>(int const&) [function] [call site] 00169
6 QIntC::IntConverter<int, unsigned int, true, false>::convert(int const&) [function] [call site] 00170
7 QIntC::IntConverter<int, unsigned int, true, false>::error(int) [function] [call site] 00171
8 __cxa_allocate_exception [call site] 00172
8 std::__1::basic_ostringstream<char, std::__1::char_traits<char>, std::__1::allocator<char> >::str[abi:ne180100]() const & [function] [call site] 00173
9 std::__1::basic_stringbuf<char, std::__1::char_traits<char>, std::__1::allocator<char> >::str[abi:ne180100]() const & [function] [call site] 00174
8 std::range_error::range_error[abi:ne180100](std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) [function] [call site] 00175
9 std::runtime_error::runtime_error(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) [call site] 00176
8 __cxa_throw [call site] 00177
8 __cxa_free_exception [call site] 00178
5 unsigned long QIntC::to_size<unsigned int>(unsigned int const&) [function] [call site] 00179
6 QIntC::IntConverter<unsigned int, unsigned long, false, false>::convert(unsigned int const&) [function] [call site] 00180
7 QIntC::IntConverter<unsigned int, unsigned long, false, false>::error(unsigned int) [function] [call site] 00181
8 __cxa_allocate_exception [call site] 00182
8 std::__1::basic_ostringstream<char, std::__1::char_traits<char>, std::__1::allocator<char> >::str[abi:ne180100]() const & [function] [call site] 00183
8 std::range_error::range_error[abi:ne180100](std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) [function] [call site] 00184
8 __cxa_throw [call site] 00185
8 __cxa_free_exception [call site] 00186
5 unsigned long QIntC::to_size<unsigned int>(unsigned int const&) [function] [call site] 00187
5 unsigned long QIntC::to_size<int>(int const&) [function] [call site] 00188
6 QIntC::IntConverter<int, unsigned long, true, false>::convert(int const&) [function] [call site] 00189
7 QIntC::IntConverter<int, unsigned long, true, false>::error(int) [function] [call site] 00190
5 Buffer::getSize() const [function] [call site] 00191
5 __cxa_allocate_exception [call site] 00192
5 Buffer::getSize() const [function] [call site] 00193
5 std::runtime_error::runtime_error(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) [call site] 00194
5 __cxa_throw [call site] 00195
5 __cxa_free_exception [call site] 00196
5 Buffer::getBuffer() [function] [call site] 00197
5 jpeg_write_scanlines [function] [call site] 00198
5 jpeg_finish_compress [function] [call site] 00199
6 jpeg_abort [function] [call site] 00200
5 Pipeline::next() const [function] [call site] 00201
4 __cxa_begin_catch [call site] 00202
4 longjmp [call site] 00203
4 Pl_DCT::decompress(void*, Buffer*) [function] [call site] 00204
5 jpeg_CreateDecompress [function] [call site] 00205
6 jinit_memory_mgr [function] [call site] 00206
6 jinit_marker_reader [function] [call site] 00207
7 reset_marker_reader [function] [call site] 00208
6 jinit_input_controller [function] [call site] 00209
5 jpeg_buffer_src(jpeg_decompress_struct*, Buffer*) [function] [call site] 00210
6 Buffer::getSize() const [function] [call site] 00211
6 Buffer::getBuffer() [function] [call site] 00212
5 jpeg_read_header [function] [call site] 00213
6 jpeg_consume_input [function] [call site] 00214
7 default_decompress_parms [function] [call site] 00215
6 jpeg_abort [function] [call site] 00216
5 jpeg_calc_output_dimensions [function] [call site] 00217
6 jpeg_core_output_dimensions [function] [call site] 00218
7 jdiv_round_up [function] [call site] 00219
7 jdiv_round_up [function] [call site] 00220
7 jdiv_round_up [function] [call site] 00221
7 jdiv_round_up [function] [call site] 00222
7 jdiv_round_up [function] [call site] 00223
7 jdiv_round_up [function] [call site] 00224
7 jdiv_round_up [function] [call site] 00225
7 jdiv_round_up [function] [call site] 00226
7 jdiv_round_up [function] [call site] 00227
7 jdiv_round_up [function] [call site] 00228
7 jdiv_round_up [function] [call site] 00229
7 jdiv_round_up [function] [call site] 00230
7 jdiv_round_up [function] [call site] 00231
7 jdiv_round_up [function] [call site] 00232
7 jdiv_round_up [function] [call site] 00233
7 jdiv_round_up [function] [call site] 00234
7 jdiv_round_up [function] [call site] 00235
6 jdiv_round_up [function] [call site] 00236
6 jdiv_round_up [function] [call site] 00237
6 use_merged_upsample [function] [call site] 00238
5 unsigned int QIntC::to_uint<int>(int const&) [function] [call site] 00239
5 __cxa_allocate_exception [call site] 00240
5 std::runtime_error::runtime_error(char const*) [call site] 00241
5 __cxa_throw [call site] 00242
5 std::runtime_error::~runtime_error() [call site] 00243
5 __cxa_free_exception [call site] 00244
5 jpeg_start_decompress [function] [call site] 00245
6 jinit_master_decompress [function] [call site] 00246
7 master_selection [function] [call site] 00247
8 jpeg_calc_output_dimensions [function] [call site] 00248
8 prepare_range_limit_table [function] [call site] 00249
8 use_merged_upsample [function] [call site] 00250
8 jinit_1pass_quantizer [function] [call site] 00251
9 create_colormap [function] [call site] 00252
10 select_ncolors [function] [call site] 00253
10 output_value [function] [call site] 00254
9 create_colorindex [function] [call site] 00255
10 largest_input_value [function] [call site] 00256
10 largest_input_value [function] [call site] 00257
9 alloc_fs_workspace [function] [call site] 00258
8 j12init_1pass_quantizer [function] [call site] 00259
8 jinit_2pass_quantizer [function] [call site] 00260
9 init_error_limit [function] [call site] 00261
8 j12init_2pass_quantizer [function] [call site] 00262
8 jinit_merged_upsampler [function] [call site] 00263
9 jsimd_can_h2v2_merged_upsample [function] [call site] 00264
10 init_simd [function] [call site] 00265
9 jsimd_can_h2v1_merged_upsample [function] [call site] 00266
10 init_simd [function] [call site] 00267
9 build_ycc_rgb_table [function] [call site] 00268
8 j12init_merged_upsampler [function] [call site] 00269
8 jinit_color_deconverter [function] [call site] 00270
9 build_rgb_y_table [function] [call site] 00271
9 jsimd_can_ycc_rgb [function] [call site] 00272
10 init_simd [function] [call site] 00273
9 build_ycc_rgb_table [function] [call site] 00274
9 jsimd_can_ycc_rgb565 [function] [call site] 00275
9 build_ycc_rgb_table [function] [call site] 00276
9 build_ycc_rgb_table [function] [call site] 00277
9 build_ycc_rgb_table [function] [call site] 00278
8 jinit_upsampler [function] [call site] 00279
9 jsimd_can_h2v1_fancy_upsample [function] [call site] 00280
10 init_simd [function] [call site] 00281
9 jsimd_can_h2v1_upsample [function] [call site] 00282
10 init_simd [function] [call site] 00283
9 jsimd_can_h2v2_fancy_upsample [function] [call site] 00284
10 init_simd [function] [call site] 00285
9 jsimd_can_h2v2_upsample [function] [call site] 00286
10 init_simd [function] [call site] 00287
9 jround_up [function] [call site] 00288
8 j12init_color_deconverter [function] [call site] 00289
8 j12init_upsampler [function] [call site] 00290
8 j16init_color_deconverter [function] [call site] 00291
8 j16init_upsampler [function] [call site] 00292
8 jinit_d_post_controller [function] [call site] 00293
9 jround_up [function] [call site] 00294
8 j12init_d_post_controller [function] [call site] 00295
8 j16init_d_post_controller [function] [call site] 00296
8 jinit_lossless_decompressor [function] [call site] 00297
8 j12init_lossless_decompressor [function] [call site] 00298
8 j16init_lossless_decompressor [function] [call site] 00299
8 jinit_lhuff_decoder [function] [call site] 00300
8 jinit_d_diff_controller [function] [call site] 00301
8 j12init_d_diff_controller [function] [call site] 00305
8 j16init_d_diff_controller [function] [call site] 00306
8 jinit_inverse_dct [function] [call site] 00307
8 j12init_inverse_dct [function] [call site] 00308
8 jinit_arith_decoder [function] [call site] 00309
8 jinit_phuff_decoder [function] [call site] 00310
8 jinit_huff_decoder [function] [call site] 00311
9 std_huff_tables [function] [call site] 00312
8 j12init_d_coef_controller [function] [call site] 00313
8 jinit_d_coef_controller [function] [call site] 00316
8 jinit_d_main_controller [function] [call site] 00317
9 alloc_funny_pointers [function] [call site] 00318
8 j12init_d_main_controller [function] [call site] 00319
8 j16init_d_main_controller [function] [call site] 00320
6 output_pass_setup [function] [call site] 00321
5 jpeg_read_scanlines [function] [call site] 00322
5 Pipeline::next() const [function] [call site] 00323
5 jpeg_finish_decompress [function] [call site] 00324
6 jpeg_abort [function] [call site] 00325
5 Pipeline::next() const [function] [call site] 00326
4 __cxa_end_catch [call site] 00327
4 Buffer::~Buffer() [function] [call site] 00328
4 jpeg_destroy_compress [function] [call site] 00329
5 jpeg_destroy [function] [call site] 00330
4 jpeg_destroy_decompress [function] [call site] 00331
5 jpeg_destroy [function] [call site] 00332
4 __cxa_allocate_exception [call site] 00333
4 std::runtime_error::runtime_error(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) [call site] 00334
4 __cxa_throw [call site] 00335
4 __cxa_free_exception [call site] 00336
4 (anonymous namespace)::qpdf_jpeg_error_mgr::~qpdf_jpeg_error_mgr() [function] [call site] 00337
4 __clang_call_terminate [call site] 00338
5 __cxa_begin_catch [call site] 00339
3 Pl_DCT::~Pl_DCT() [function] [call site] 00340
4 Pipeline::~Pipeline() [function] [call site] 00341
3 Pl_Discard::~Pl_Discard() [function] [call site] 00342
4 Pipeline::~Pipeline() [function] [call site] 00343
2 __cxa_begin_catch [call site] 00344
2 __cxa_end_catch [call site] 00345
2 __clang_call_terminate [call site] 00346