diff --git a/.gitignore b/.gitignore
index 5f42b637..995e6ddc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,6 +44,7 @@ extras/vwebp_sdl
 extras/webp_quality
 tests/fuzzer/advanced_api_fuzzer
 tests/fuzzer/animation_api_fuzzer
+tests/fuzzer/animdecoder_fuzzer
 tests/fuzzer/animencoder_fuzzer
 tests/fuzzer/demux_api_fuzzer
 tests/fuzzer/enc_dec_fuzzer
diff --git a/tests/fuzzer/animdecoder_fuzzer.cc b/tests/fuzzer/animdecoder_fuzzer.cc
new file mode 100644
index 00000000..2d9e2d54
--- /dev/null
+++ b/tests/fuzzer/animdecoder_fuzzer.cc
@@ -0,0 +1,47 @@
+// Copyright 2020 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+#include "examples/anim_util.h"
+#include "imageio/imageio_util.h"
+#include "webp/demux.h"
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ // WebPAnimDecoderGetInfo() is too late to check the canvas size as
+ // WebPAnimDecoderNew() will handle the allocations.
+ WebPBitstreamFeatures features;
+ if (WebPGetFeatures(data, size, &features) == VP8_STATUS_OK) {
+ if (!ImgIoUtilCheckSizeArgumentsOverflow(features.width * 4,
+ features.height)) {
+ return 0;
+ }
+ }
+
+ // decode everything as an animation
+ WebPData webp_data = { data, size };
+ WebPAnimDecoder* const dec = WebPAnimDecoderNew(&webp_data, NULL);
+ if (dec == NULL) return 0;
+
+ WebPAnimInfo info;
+ if (!WebPAnimDecoderGetInfo(dec, &info)) return 0;
+
+ while (WebPAnimDecoderHasMoreFrames(dec)) {
+ uint8_t* buf;
+ int timestamp;
+ if (!WebPAnimDecoderGetNext(dec, &buf, ×tamp)) break;
+ }
+ WebPAnimDecoderDelete(dec);
+ return 0;
+}
diff --git a/tests/fuzzer/makefile.unix b/tests/fuzzer/makefile.unix
index b441aef7..8f6f5a38 100644
--- a/tests/fuzzer/makefile.unix
+++ b/tests/fuzzer/makefile.unix
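Review bot: The early `return 0` after a failed `WebPAnimDecoderGetInfo()` skips `WebPAnimDecoderDelete(dec)`, so the decoder created a few lines above leaks on that path; with the `-fsanitize=fuzzer` build in makefile.unix, LeakSanitizer is likely to report such inputs as findings that are really harness bugs rather than decoder bugs. Change it to `if (!WebPAnimDecoderGetInfo(dec, &info)) { WebPAnimDecoderDelete(dec); return 0; }`, or fall through to the existing delete at the end of the function. The `#include "examples/anim_util.h"` looks unused — every name the body calls comes from `imageio/imageio_util.h` or `webp/demux.h` — and can be dropped. The `×tamp` in the `WebPAnimDecoderGetNext()` call is presumably `&timestamp` mangled by entity decoding in this rendering, not in the commit itself.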
@@ -8,10 +8,10 @@ CFLAGS = -fsanitize=fuzzer -I../../src -I../..
 CXXFLAGS = $(CFLAGS)
 LDFLAGS = -fsanitize=fuzzer
 LDLIBS = ../../src/mux/libwebpmux.a ../../src/demux/libwebpdemux.a
-LDLIBS += ../../src/libwebp.a
+LDLIBS += ../../src/libwebp.a ../../imageio/libimageio_util.a
 FUZZERS = advanced_api_fuzzer animation_api_fuzzer animencoder_fuzzer
-FUZZERS += demux_api_fuzzer enc_dec_fuzzer simple_api_fuzzer
+FUZZERS += animdecoder_fuzzer demux_api_fuzzer enc_dec_fuzzer simple_api_fuzzer
 %.o: %.c %.cc fuzz_utils.h img_alpha.h img_grid.h img_peak.h
 all: $(FUZZERS)