Add a fuzzer for ReadHuffmanCodes

Change-Id: If8c30aaa87c34007ae455a03daa7b3c0f22fc8c3

src/dec/vp8l_dec.c

@@ -364,7 +364,7 @@ static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec,
 
 static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
                             int color_cache_bits, int allow_recursion) {
-  int i, j;
+  int i;
   VP8LBitReader* const br = &dec->br_;
   VP8LMetadata* const hdr = &dec->hdr_;
   uint32_t* huffman_image = NULL;
@@ -372,10 +372,6 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
   HuffmanTables* huffman_tables = &hdr->huffman_tables_;
   int num_htree_groups = 1;
   int num_htree_groups_max = 1;
-  const int max_alphabet_size =
-      kAlphabetSize[0] + ((color_cache_bits > 0) ? 1 << color_cache_bits : 0);
-  int* code_lengths = NULL;
-  const int table_size = kTableSize[color_cache_bits];
   int* mapping = NULL;
   int ok = 0;
 
@@ -432,11 +428,49 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
 
   if (br->eos_) goto Error;
 
-  code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size,
-                                      sizeof(*code_lengths));
-  htree_groups = VP8LHtreeGroupsNew(num_htree_groups);
+  if (!ReadHuffmanCodesHelper(color_cache_bits, num_htree_groups,
+                              num_htree_groups_max, mapping, dec,
+                              huffman_tables, &htree_groups)) {
+    goto Error;
+  }
+  ok = 1;
 
-  if (htree_groups == NULL || code_lengths == NULL ||
+  // All OK. Finalize pointers.
+  hdr->huffman_image_ = huffman_image;
+  hdr->num_htree_groups_ = num_htree_groups;
+  hdr->htree_groups_ = htree_groups;
+
+ Error:
+  WebPSafeFree(mapping);
+  if (!ok) {
+    WebPSafeFree(huffman_image);
+    VP8LHuffmanTablesDeallocate(huffman_tables);
+    VP8LHtreeGroupsFree(htree_groups);
+  }
+  return ok;
+}
+
+int ReadHuffmanCodesHelper(int color_cache_bits, int num_htree_groups,
+                           int num_htree_groups_max, const int* const mapping,
+                           VP8LDecoder* const dec,
+                           HuffmanTables* const huffman_tables,
+                           HTreeGroup** const htree_groups) {
+  int i, j, ok = 0;
+  const int max_alphabet_size =
+      kAlphabetSize[0] + ((color_cache_bits > 0) ? 1 << color_cache_bits : 0);
+  const int table_size = kTableSize[color_cache_bits];
+  int* code_lengths = NULL;
+
+  if ((mapping == NULL && num_htree_groups != num_htree_groups_max) ||
+      num_htree_groups > num_htree_groups_max) {
+    goto Error;
+  }
+
+  code_lengths =
+      (int*)WebPSafeCalloc((uint64_t)max_alphabet_size, sizeof(*code_lengths));
+  *htree_groups = VP8LHtreeGroupsNew(num_htree_groups);
+
+  if (*htree_groups == NULL || code_lengths == NULL ||
       !VP8LHuffmanTablesAllocate(num_htree_groups * table_size,
                                  huffman_tables)) {
     VP8LSetError(dec, VP8_STATUS_OUT_OF_MEMORY);
@@ -459,7 +493,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
       }
     } else {
       HTreeGroup* const htree_group =
-          &htree_groups[(mapping == NULL) ? i : mapping[i]];
+          &(*htree_groups)[(mapping == NULL) ? i : mapping[i]];
       HuffmanCode** const htrees = htree_group->htrees;
       int size;
       int total_size = 0;
@@ -511,18 +545,12 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
   }
   ok = 1;
 
-  // All OK. Finalize pointers.
-  hdr->huffman_image_ = huffman_image;
-  hdr->num_htree_groups_ = num_htree_groups;
-  hdr->htree_groups_ = htree_groups;
-
  Error:
   WebPSafeFree(code_lengths);
-  WebPSafeFree(mapping);
   if (!ok) {
-    WebPSafeFree(huffman_image);
     VP8LHuffmanTablesDeallocate(huffman_tables);
-    VP8LHtreeGroupsFree(htree_groups);
+    VP8LHtreeGroupsFree(*htree_groups);
+    *htree_groups = NULL;
   }
   return ok;
 }

src/dec/vp8li_dec.h

@@ -126,6 +126,19 @@ void VP8LClear(VP8LDecoder* const dec);
 // Clears and deallocate a lossless decoder instance.
 void VP8LDelete(VP8LDecoder* const dec);
 
+// Helper function for reading the different Huffman codes and storing them in
+// 'huffman_tables' and 'htree_groups'.
+// If mapping is NULL 'num_htree_groups_max' must equal 'num_htree_groups'.
+// If it is not NULL, it maps 'num_htree_groups_max' indices to the
+// 'num_htree_groups' groups. If 'num_htree_groups_max' > 'num_htree_groups',
+// some of those indices map to -1. This is used for non-balanced codes to
+// limit memory usage.
+int ReadHuffmanCodesHelper(int color_cache_bits, int num_htree_groups,
+                           int num_htree_groups_max, const int* const mapping,
+                           VP8LDecoder* const dec,
+                           HuffmanTables* const huffman_tables,
+                           HTreeGroup** const htree_groups);
+
 //------------------------------------------------------------------------------
 
 #ifdef __cplusplus

tests/fuzzer/huffman_fuzzer.c

@@ -0,0 +1,65 @@
+// Copyright 2023 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include <stdint.h>
+#include <string.h>
+
+#include "src/dec/vp8li_dec.h"
+#include "src/utils/bit_reader_utils.h"
+#include "src/utils/huffman_utils.h"
+#include "src/utils/utils.h"
+#include "src/webp/format_constants.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
+  // Number of bits to initialize data.
+  static const int kColorCacheBitsBits = 4;
+  // 'num_htree_groups' is contained in the RG channel, hence 16 bits.
+  static const int kNumHtreeGroupsBits = 16;
+  if (size * sizeof(*data) < kColorCacheBitsBits + kNumHtreeGroupsBits) {
+    return 0;
+  }
+
+  // A non-NULL mapping brings minor changes that are tested by the normal
+  // fuzzer.
+  int* const mapping = NULL;
+  HuffmanTables huffman_tables;
+  memset(&huffman_tables, 0, sizeof(huffman_tables));
+  HTreeGroup* htree_groups = NULL;
+
+  VP8LDecoder* dec = VP8LNew();
+  if (dec == NULL) goto Error;
+  VP8LBitReader* const br = &dec->br_;
+  VP8LInitBitReader(br, data, size);
+
+  const int color_cache_bits = VP8LReadBits(br, kColorCacheBitsBits);
+  if (color_cache_bits < 1 || color_cache_bits > MAX_CACHE_BITS) goto Error;
+
+  const int num_htree_groups = VP8LReadBits(br, kNumHtreeGroupsBits);
+  // 'num_htree_groups' cannot be 0 as it is built from a non-empty image.
+  if (num_htree_groups == 0) goto Error;
+  // This variable is only useful when mapping is not NULL.
+  const int num_htree_groups_max = num_htree_groups;
+  ReadHuffmanCodesHelper(color_cache_bits, num_htree_groups,
+                         num_htree_groups_max, mapping, dec, &huffman_tables,
+                         &htree_groups);
+
+ Error:
+  WebPSafeFree(mapping);
+  VP8LHtreeGroupsFree(htree_groups);
+  VP8LHuffmanTablesDeallocate(&huffman_tables);
+  VP8LDelete(dec);
+  return 0;
+}

tests/fuzzer/makefile.unix

@@ -11,9 +11,9 @@ LDLIBS = ../../src/mux/libwebpmux.a ../../src/demux/libwebpdemux.a
 LDLIBS += ../../src/libwebp.a ../../imageio/libimageio_util.a
 LDLIBS += ../../sharpyuv/libsharpyuv.a
 
-FUZZERS = advanced_api_fuzzer animation_api_fuzzer animencoder_fuzzer
-FUZZERS += animdecoder_fuzzer mux_demux_api_fuzzer enc_dec_fuzzer
-FUZZERS += simple_api_fuzzer
+FUZZERS = advanced_api_fuzzer animation_api_fuzzer animdecoder_fuzzer
+FUZZERS += animencoder_fuzzer enc_dec_fuzzer huffman_fuzzer
+FUZZERS += mux_demux_api_fuzzer simple_api_fuzzer
 
 %.o: fuzz_utils.h img_alpha.h img_grid.h img_peak.h
 all: $(FUZZERS)