| // Copyright 2021 The Wuffs Authors. |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // https://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| // ---------------- |
| |
| // Silence the nested slash-star warning for the next comment's command line. |
| #pragma clang diagnostic push |
| #pragma clang diagnostic ignored "-Wcomment" |
| |
| /* |
| This fuzzer (the fuzz function) is typically run indirectly, by a framework |
| such as https://github.com/google/oss-fuzz calling LLVMFuzzerTestOneInput. |
| |
| When working on the fuzz implementation, or as a coherence check, defining |
| WUFFS_CONFIG__FUZZLIB_MAIN will let you manually run fuzz over a set of files: |
| |
| gcc -DWUFFS_CONFIG__FUZZLIB_MAIN pixel_swizzler_fuzzer.c |
| ./a.out ../../../test/data |
| rm -f ./a.out |
| |
| It should print "PASS", amongst other information, and exit(0). |
| */ |
| |
| #pragma clang diagnostic pop |
| |
| // Wuffs ships as a "single file C library" or "header file library" as per |
| // https://github.com/nothings/stb/blob/master/docs/stb_howto.txt |
| // |
| // To use that single file as a "foo.c"-like implementation, instead of a |
| // "foo.h"-like header, #define WUFFS_IMPLEMENTATION before #include'ing or |
| // compiling it. |
| #define WUFFS_IMPLEMENTATION |
| |
| #if defined(WUFFS_CONFIG__FUZZLIB_MAIN) |
| // Defining the WUFFS_CONFIG__STATIC_FUNCTIONS macro is optional, but when |
| // combined with WUFFS_IMPLEMENTATION, it demonstrates making all of Wuffs' |
| // functions have static storage. |
| // |
| // This can help the compiler ignore or discard unused code, which can produce |
| // faster compiles and smaller binaries. Other motivations are discussed in the |
| // "ALLOW STATIC IMPLEMENTATION" section of |
| // https://raw.githubusercontent.com/nothings/stb/master/docs/stb_howto.txt |
| #define WUFFS_CONFIG__STATIC_FUNCTIONS |
| #endif // defined(WUFFS_CONFIG__FUZZLIB_MAIN) |
| |
| // Defining the WUFFS_CONFIG__MODULE* macros are optional, but it lets users of |
| // release/c/etc.c choose which parts of Wuffs to build. That file contains the |
| // entire Wuffs standard library, implementing a variety of codecs and file |
| // formats. Without this macro definition, an optimizing compiler or linker may |
| // very well discard Wuffs code for unused codecs, but listing the Wuffs |
| // modules we use makes that process explicit. Preprocessing means that such |
| // code simply isn't compiled. |
| #define WUFFS_CONFIG__MODULES |
| #define WUFFS_CONFIG__MODULE__BASE |
| |
| #include <sys/mman.h> |
| #include <unistd.h> |
| |
| // If building this program in an environment that doesn't easily accommodate |
| // relative includes, you can use the script/inline-c-relative-includes.go |
| // program to generate a stand-alone C file. |
| #include "../../../release/c/wuffs-unsupported-snapshot.c" |
| #include "../fuzzlib/fuzzlib.c" |
| |
| const uint32_t pixfmts[] = { |
| WUFFS_BASE__PIXEL_FORMAT__Y, |
| WUFFS_BASE__PIXEL_FORMAT__Y_16BE, |
| WUFFS_BASE__PIXEL_FORMAT__INDEXED__BGRA_NONPREMUL, |
| WUFFS_BASE__PIXEL_FORMAT__INDEXED__BGRA_BINARY, |
| WUFFS_BASE__PIXEL_FORMAT__BGR_565, |
| WUFFS_BASE__PIXEL_FORMAT__BGR, |
| WUFFS_BASE__PIXEL_FORMAT__BGRA_NONPREMUL, |
| WUFFS_BASE__PIXEL_FORMAT__BGRA_NONPREMUL_4X16LE, |
| WUFFS_BASE__PIXEL_FORMAT__BGRA_PREMUL, |
| WUFFS_BASE__PIXEL_FORMAT__BGRX, |
| WUFFS_BASE__PIXEL_FORMAT__RGB, |
| WUFFS_BASE__PIXEL_FORMAT__RGBA_NONPREMUL, |
| WUFFS_BASE__PIXEL_FORMAT__RGBA_PREMUL, |
| }; |
| |
| const wuffs_base__pixel_blend blends[] = { |
| WUFFS_BASE__PIXEL_BLEND__SRC, |
| WUFFS_BASE__PIXEL_BLEND__SRC_OVER, |
| }; |
| |
| size_t // |
| round_up_to_pagesize(size_t n) { |
| size_t ps = getpagesize(); |
| if (ps <= 0) { |
| return n; |
| } |
| return ((n + (ps - 1)) / ps) * ps; |
| } |
| |
| // allocate_guarded_pages allocates (2 * len) bytes of memory. The first half |
| // has read|write permissions. The second half has no permissions, so that |
| // attempting to read or write to it will cause a segmentation fault. |
| const char* // |
| allocate_guarded_pages(uint8_t** ptr_out, size_t len) { |
| void* ptr = |
| mmap(NULL, 2 * len, PROT_NONE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); |
| if (ptr == MAP_FAILED) { |
| return "fuzz: internal error: mmap failed"; |
| } |
| if (mprotect(ptr, len, PROT_READ | PROT_WRITE)) { |
| return "fuzz: internal error: mprotect failed"; |
| } |
| *ptr_out = ptr; |
| return NULL; |
| } |
| |
| // fuzz_swizzle_interleaved_from_slice tests that, regardless of the randomized |
| // inputs, calling wuffs_base__pixel_swizzler__swizzle_interleaved_from_slice |
| // will not crash the fuzzer (e.g. due to reads or write past buffer bounds). |
| const char* // |
| fuzz_swizzle_interleaved_from_slice(wuffs_base__io_buffer* src, uint64_t hash) { |
| uint8_t dst_palette_array[1024]; |
| uint8_t src_palette_array[1024]; |
| if ((src->meta.wi - src->meta.ri) < 2048) { |
| return "fuzz: not enough data"; |
| } |
| memcpy(dst_palette_array, src->data.ptr + src->meta.ri, 1024); |
| src->meta.ri += 1024; |
| memcpy(src_palette_array, src->data.ptr + src->meta.ri, 1024); |
| src->meta.ri += 1024; |
| wuffs_base__slice_u8 dst_palette = |
| wuffs_base__make_slice_u8(&dst_palette_array[0], 1024); |
| wuffs_base__slice_u8 src_palette = |
| wuffs_base__make_slice_u8(&src_palette_array[0], 1024); |
| |
| size_t num_pixfmts = sizeof(pixfmts) / sizeof(pixfmts[0]); |
| wuffs_base__pixel_format dst_pixfmt = wuffs_base__make_pixel_format( |
| pixfmts[(0xFF & (hash >> 0)) % num_pixfmts]); |
| wuffs_base__pixel_format src_pixfmt = wuffs_base__make_pixel_format( |
| pixfmts[(0xFF & (hash >> 8)) % num_pixfmts]); |
| |
| size_t num_blends = sizeof(blends) / sizeof(blends[0]); |
| wuffs_base__pixel_blend blend = blends[(0xFF & (hash >> 16)) % num_blends]; |
| |
| size_t dst_len = 0xFF & (hash >> 24); |
| size_t src_len = 0xFF & (hash >> 32); |
| |
| wuffs_base__pixel_swizzler swizzler; |
| wuffs_base__status status = wuffs_base__pixel_swizzler__prepare( |
| &swizzler, dst_pixfmt, dst_palette, src_pixfmt, src_palette, blend); |
| if (status.repr) { |
| return wuffs_base__status__message(&status); |
| } |
| |
| static size_t alloc_size = 0; |
| if (alloc_size == 0) { |
| alloc_size = round_up_to_pagesize(0x100); |
| } |
| |
| static uint8_t* dst_alloc = NULL; |
| if (!dst_alloc) { |
| const char* z = allocate_guarded_pages(&dst_alloc, alloc_size); |
| if (z != NULL) { |
| return z; |
| } |
| } |
| |
| static uint8_t* src_alloc = NULL; |
| if (!src_alloc) { |
| const char* z = allocate_guarded_pages(&src_alloc, alloc_size); |
| if (z != NULL) { |
| return z; |
| } |
| } |
| |
| // Position dst_slice and src_slice so that reading or writing one byte past |
| // their end will cause a segmentation fault. |
| if ((src->meta.wi - src->meta.ri) < (dst_len + src_len)) { |
| return "fuzz: not enough data"; |
| } |
| wuffs_base__slice_u8 dst_slice = |
| wuffs_base__make_slice_u8(dst_alloc + alloc_size - dst_len, dst_len); |
| memcpy(dst_slice.ptr, src->data.ptr + src->meta.ri, dst_len); |
| src->meta.ri += dst_len; |
| wuffs_base__slice_u8 src_slice = |
| wuffs_base__make_slice_u8(src_alloc + alloc_size - src_len, src_len); |
| memcpy(src_slice.ptr, src->data.ptr + src->meta.ri, src_len); |
| src->meta.ri += src_len; |
| |
| // When manually testing this program, enabling this code should lead to a |
| // segmentation fault. |
| #if 0 |
| src_slice.ptr[src_slice.len]++; |
| #endif |
| |
| // Calling etc__swizzle_interleaved_from_slice should not crash, whether for |
| // reading/writing out of bounds or for other reasons. |
| wuffs_base__pixel_swizzler__swizzle_interleaved_from_slice( |
| &swizzler, dst_slice, dst_palette, src_slice); |
| |
| return NULL; |
| } |
| |
| const char* // |
| fuzz_swizzle_ycck(wuffs_base__io_buffer* src, uint64_t hash) { |
| uint8_t dst_palette_array[1024] = {0}; |
| wuffs_base__slice_u8 dst_palette = |
| wuffs_base__make_slice_u8(&dst_palette_array[0], 1024); |
| |
| size_t num_pixfmts = sizeof(pixfmts) / sizeof(pixfmts[0]); |
| wuffs_base__pixel_format dst_pixfmt = wuffs_base__make_pixel_format( |
| pixfmts[(0xFF & (hash >> 0)) % num_pixfmts]); |
| |
| uint32_t width = (63 & (hash >> 8)) + 1; |
| uint32_t height = (63 & (hash >> 14)) + 1; |
| |
| uint32_t width_in_mcus = (3 & (hash >> 20)) + 1; |
| uint32_t height_in_mcus = (3 & (hash >> 22)) + 1; |
| |
| uint32_t allow_hv3 = 1 & (hash >> 23); |
| uint32_t possible_hv_values[2][4] = { |
| {1, 1, 2, 4}, |
| {1, 1, 3, 3}, |
| }; |
| uint32_t h0 = possible_hv_values[allow_hv3][3 & (hash >> 25)]; |
| uint32_t h1 = possible_hv_values[allow_hv3][3 & (hash >> 27)]; |
| uint32_t h2 = possible_hv_values[allow_hv3][3 & (hash >> 29)]; |
| uint32_t v0 = possible_hv_values[allow_hv3][3 & (hash >> 31)]; |
| uint32_t v1 = possible_hv_values[allow_hv3][3 & (hash >> 33)]; |
| uint32_t v2 = possible_hv_values[allow_hv3][3 & (hash >> 35)]; |
| bool triangle_filter_for_2to1 = 1 & (hash >> 37); |
| |
| uint32_t width0 = 8 * width_in_mcus * h0; |
| uint32_t width1 = 8 * width_in_mcus * h1; |
| uint32_t width2 = 8 * width_in_mcus * h2; |
| uint32_t height0 = 8 * height_in_mcus * v0; |
| uint32_t height1 = 8 * height_in_mcus * v1; |
| uint32_t height2 = 8 * height_in_mcus * v2; |
| |
| uint32_t hmax = wuffs_base__u32__max(h0, wuffs_base__u32__max(h1, h2)); |
| uint32_t vmax = wuffs_base__u32__max(v0, wuffs_base__u32__max(v1, v2)); |
| width = wuffs_base__u32__min(width, 8 * width_in_mcus * hmax); |
| height = wuffs_base__u32__min(height, 8 * height_in_mcus * vmax); |
| |
| static size_t dst_alloc_size = 0; |
| if (dst_alloc_size == 0) { |
| dst_alloc_size = round_up_to_pagesize(8 * 64 * 64); |
| } |
| |
| static uint8_t* dst_alloc = NULL; |
| if (!dst_alloc) { |
| const char* z = allocate_guarded_pages(&dst_alloc, dst_alloc_size); |
| if (z != NULL) { |
| return z; |
| } |
| } |
| |
| wuffs_base__pixel_buffer dst_pixbuf; |
| wuffs_base__pixel_config dst_pixcfg; |
| wuffs_base__pixel_config__set(&dst_pixcfg, dst_pixfmt.repr, 0, width, height); |
| uint64_t dst_pixbuf_len = wuffs_base__pixel_config__pixbuf_len(&dst_pixcfg); |
| if (dst_pixbuf_len > dst_alloc_size) { |
| return "fuzz: internal error: dst_alloc_size is too small"; |
| } else { |
| wuffs_base__status status = wuffs_base__pixel_buffer__set_from_slice( |
| &dst_pixbuf, &dst_pixcfg, |
| wuffs_base__make_slice_u8(dst_alloc + dst_alloc_size - dst_pixbuf_len, |
| dst_pixbuf_len)); |
| if (status.repr) { |
| return "fuzz: internal error: wuffs_base__pixel_buffer__set_from_slice " |
| "failed"; |
| } |
| } |
| |
| static size_t src_alloc_size = 0; |
| if (src_alloc_size == 0) { |
| src_alloc_size = round_up_to_pagesize(8 * 4 * 4 * 8 * 4 * 4); |
| } |
| |
| static uint8_t* src_alloc0 = NULL; |
| static uint8_t* src_alloc1 = NULL; |
| static uint8_t* src_alloc2 = NULL; |
| if (!src_alloc0) { |
| const char* z = allocate_guarded_pages(&src_alloc0, src_alloc_size); |
| if (z != NULL) { |
| return z; |
| } |
| } |
| if (!src_alloc1) { |
| const char* z = allocate_guarded_pages(&src_alloc1, src_alloc_size); |
| if (z != NULL) { |
| return z; |
| } |
| } |
| if (!src_alloc2) { |
| const char* z = allocate_guarded_pages(&src_alloc2, src_alloc_size); |
| if (z != NULL) { |
| return z; |
| } |
| } |
| |
| uint32_t src_len0 = width0 * height0; |
| uint32_t src_len1 = width1 * height1; |
| uint32_t src_len2 = width2 * height2; |
| if ((src_len0 > src_alloc_size) || // |
| (src_len1 > src_alloc_size) || // |
| (src_len2 > src_alloc_size)) { |
| return "fuzz: internal error: src_alloc_size is too small"; |
| } |
| |
| uint8_t s0 = 0x90; |
| if (src->meta.ri < src->meta.wi) { |
| s0 = src->data.ptr[src->meta.ri++]; |
| } |
| uint8_t s1 = 0x91; |
| if (src->meta.ri < src->meta.wi) { |
| s1 = src->data.ptr[src->meta.ri++]; |
| } |
| uint8_t s2 = 0x92; |
| if (src->meta.ri < src->meta.wi) { |
| s2 = src->data.ptr[src->meta.ri++]; |
| } |
| |
| wuffs_base__slice_u8 src0 = wuffs_base__make_slice_u8( |
| src_alloc0 + src_alloc_size - src_len0, src_len0); |
| memset(src0.ptr, s0, src0.len); |
| wuffs_base__slice_u8 src1 = wuffs_base__make_slice_u8( |
| src_alloc1 + src_alloc_size - src_len1, src_len1); |
| memset(src1.ptr, s1, src1.len); |
| wuffs_base__slice_u8 src2 = wuffs_base__make_slice_u8( |
| src_alloc2 + src_alloc_size - src_len2, src_len2); |
| memset(src2.ptr, s2, src2.len); |
| wuffs_base__slice_u8 src3 = wuffs_base__empty_slice_u8(); |
| |
| wuffs_base__pixel_swizzler swizzler = {0}; |
| uint8_t scratch_buffer[2048]; |
| wuffs_base__status status = wuffs_base__pixel_swizzler__swizzle_ycck( |
| &swizzler, &dst_pixbuf, dst_palette, // |
| width, height, // |
| src0, src1, src2, src3, // |
| width0, width1, width2, 0, // |
| height0, height1, height2, 0, // |
| width0, width1, width2, 0, // |
| h0, h1, h2, 0, // |
| v0, v1, v2, 0, // |
| triangle_filter_for_2to1, // |
| wuffs_base__make_slice_u8(scratch_buffer, sizeof(scratch_buffer))); |
| if (status.repr) { |
| return wuffs_base__status__message(&status); |
| } |
| return NULL; |
| } |
| |
| const char* // |
| fuzz(wuffs_base__io_buffer* src, uint64_t hash) { |
| const char* s0 = fuzz_swizzle_interleaved_from_slice(src, hash); |
| const char* s1 = fuzz_swizzle_ycck(src, hash); |
| if (s0 && strstr(s0, "internal error:")) { |
| return s0; |
| } |
| if (s1 && strstr(s1, "internal error:")) { |
| return s1; |
| } |
| return s0 ? s0 : s1; |
| } |
