advanced_api_fuzzer: add extreme config value coverage

this enables cases that might trigger overflows, but increases the risk
of OOM and timeouts

Bug: chromium:1196850
Change-Id: I317b5109525646731e762faa3c34ed28a27595dc

tests/fuzzer/advanced_api_fuzzer.c

@@ -14,10 +14,13 @@
 //
 ////////////////////////////////////////////////////////////////////////////////
 
+#include <string.h>
+
 #include "./fuzz_utils.h"
 #include "webp/decode.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
+  int i;
   WebPDecoderConfig config;
   if (!WebPInitDecoderConfig(&config)) return 0;
   if (WebPGetFeatures(data, size, &config.input) != VP8_STATUS_OK) return 0;
@@ -59,39 +62,53 @@ int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
   config.output.colorspace = (WEBP_CSP_MODE)(value % MODE_LAST);
 #endif  // WEBP_REDUCE_CSP
 
-  if (size % 3) {
+  for (i = 0; i < 2; ++i) {
-    // Decodes incrementally in chunks of increasing size.
+    if (i == 1) {
-    WebPIDecoder* idec = WebPIDecode(NULL, 0, &config);
+      // Use the bitstream data to generate extreme ranges for the options. An
-    if (!idec) return 0;
+      // alternative approach would be to use a custom corpus containing webp
-    VP8StatusCode status;
+      // files prepended with sizeof(config.options) zeroes to allow the fuzzer
-    if (size & 8) {
+      // to modify these independently.
-      size_t available_size = value + 1;
+      const int data_offset = 50;
-      while (1) {
+      if (size > data_offset + sizeof(config.options)) {
-        if (available_size > size) available_size = size;
+        memcpy(&config.options, data + data_offset, sizeof(config.options));
-        status = WebPIUpdate(idec, data, available_size);
+      } else {
-        if (status != VP8_STATUS_SUSPENDED || available_size == size) break;
+        break;
-        available_size *= 2;
-      }
-    } else {
-      // WebPIAppend expects new data and its size with each call.
-      // Implemented here by simply advancing the pointer into data.
-      const uint8_t* new_data = data;
-      size_t new_size = value + 1;
-      while (1) {
-        if (new_data + new_size > data + size) {
-          new_size = data + size - new_data;
-        }
-        status = WebPIAppend(idec, new_data, new_size);
-        if (status != VP8_STATUS_SUSPENDED || new_size == 0) break;
-        new_data += new_size;
-        new_size *= 2;
       }
     }
-    WebPIDelete(idec);
+    if (size % 3) {
-  } else {
+      // Decodes incrementally in chunks of increasing size.
-    WebPDecode(data, size, &config);
+      WebPIDecoder* idec = WebPIDecode(NULL, 0, &config);
-  }
+      if (!idec) return 0;
+      VP8StatusCode status;
+      if (size & 8) {
+        size_t available_size = value + 1;
+        while (1) {
+          if (available_size > size) available_size = size;
+          status = WebPIUpdate(idec, data, available_size);
+          if (status != VP8_STATUS_SUSPENDED || available_size == size) break;
+          available_size *= 2;
+        }
+      } else {
+        // WebPIAppend expects new data and its size with each call.
+        // Implemented here by simply advancing the pointer into data.
+        const uint8_t* new_data = data;
+        size_t new_size = value + 1;
+        while (1) {
+          if (new_data + new_size > data + size) {
+            new_size = data + size - new_data;
+          }
+          status = WebPIAppend(idec, new_data, new_size);
+          if (status != VP8_STATUS_SUSPENDED || new_size == 0) break;
+          new_data += new_size;
+          new_size *= 2;
+        }
+      }
+      WebPIDelete(idec);
+    } else {
+      WebPDecode(data, size, &config);
+    }
 
-  WebPFreeDecBuffer(&config.output);
+    WebPFreeDecBuffer(&config.output);
+  }
   return 0;
 }