add animdecoder_fuzzer.cc

Bug: webp:409
Change-Id: Iade1e6b1288faad9076f72c21c1bde5a6bbfc7e0

.gitignore

@@ -44,6 +44,7 @@ extras/vwebp_sdl
 extras/webp_quality
 tests/fuzzer/advanced_api_fuzzer
 tests/fuzzer/animation_api_fuzzer
+tests/fuzzer/animdecoder_fuzzer
 tests/fuzzer/animencoder_fuzzer
 tests/fuzzer/demux_api_fuzzer
 tests/fuzzer/enc_dec_fuzzer

tests/fuzzer/animdecoder_fuzzer.cc

@@ -0,0 +1,47 @@
+// Copyright 2020 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include "examples/anim_util.h"
+#include "imageio/imageio_util.h"
+#include "webp/demux.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  // WebPAnimDecoderGetInfo() is too late to check the canvas size as
+  // WebPAnimDecoderNew() will handle the allocations.
+  WebPBitstreamFeatures features;
+  if (WebPGetFeatures(data, size, &features) == VP8_STATUS_OK) {
+    if (!ImgIoUtilCheckSizeArgumentsOverflow(features.width * 4,
+                                             features.height)) {
+      return 0;
+    }
+  }
+
+  // decode everything as an animation
+  WebPData webp_data = { data, size };
+  WebPAnimDecoder* const dec = WebPAnimDecoderNew(&webp_data, NULL);
+  if (dec == NULL) return 0;
+
+  WebPAnimInfo info;
+  if (!WebPAnimDecoderGetInfo(dec, &info)) return 0;
+
+  while (WebPAnimDecoderHasMoreFrames(dec)) {
+    uint8_t* buf;
+    int timestamp;
+    if (!WebPAnimDecoderGetNext(dec, &buf, &timestamp)) break;
+  }
+  WebPAnimDecoderDelete(dec);
+  return 0;
+}

tests/fuzzer/makefile.unix

@@ -8,10 +8,10 @@ CFLAGS = -fsanitize=fuzzer -I../../src -I../..
 CXXFLAGS = $(CFLAGS)
 LDFLAGS = -fsanitize=fuzzer
 LDLIBS = ../../src/mux/libwebpmux.a ../../src/demux/libwebpdemux.a
-LDLIBS += ../../src/libwebp.a
+LDLIBS += ../../src/libwebp.a ../../imageio/libimageio_util.a
 
 FUZZERS = advanced_api_fuzzer animation_api_fuzzer animencoder_fuzzer
-FUZZERS += demux_api_fuzzer enc_dec_fuzzer simple_api_fuzzer
+FUZZERS += animdecoder_fuzzer demux_api_fuzzer enc_dec_fuzzer simple_api_fuzzer
 
 %.o: %.c %.cc fuzz_utils.h img_alpha.h img_grid.h img_peak.h
 all: $(FUZZERS)