libwebp/tests/fuzzer/simple_api_fuzzer.cc
James Zern c696aadf69 ALPHInit: move assignment closer to first use
This fixes a spurious unsigned integer overflow with invalid content:

```
src/dec/alpha_dec.c:61:44: runtime error: unsigned integer overflow: 0 -
  1 cannot be represented in type 'size_t' (aka 'unsigned long')
```

Bug: 498965803, 498966235, 498966511, 498967090
Change-Id: I350d9144d0c1e4e35286e9e1ca68a574ff6f86a1
2026-04-02 14:49:09 -07:00


// Copyright 2018 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <string>
#include <string_view>
#include "./fuzz_utils.h"
#include "gtest/gtest.h"
#include "webp/decode.h"
#include "webp/types.h"
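namespace {

// Fuzz harness for the one-call ("simple") WebP decoding API.
//
// The input bytes are first checked with WebPGetInfo(); inputs that do not
// parse, or whose w * h exceeds fuzz_utils::kFuzzPxLimit, are dropped so the
// harness never allocates an unbounded amount of memory for attacker-chosen
// dimensions. A one-byte selector from fuzz_utils::FuzzHash() then picks
// exactly one decode entry point, so the same input always takes the same
// path and a crash is reproducible.
//
// data_in: raw, untrusted bytes; not required to be a valid WebP file.
void SimpleApiTest(std::string_view data_in) {
  const uint8_t* const data = reinterpret_cast<const uint8_t*>(data_in.data());
  const size_t size = data_in.size();
  int w, h;
  if (!WebPGetInfo(data, size, &w, &h)) return;
  // Multiply in size_t so the bound check itself cannot wrap in int.
  if (static_cast<size_t>(w) * h > fuzz_utils::kFuzzPxLimit) return;
  const uint8_t value = fuzz_utils::FuzzHash(data, size);
  uint8_t* buf = nullptr;

  // For *Into functions, which decode into an external buffer, an
  // intentionally too small buffer can be given with low probability.
  if (value < 0x16) {
    buf = WebPDecodeRGBA(data, size, &w, &h);
  } else if (value < 0x2b) {
    buf = WebPDecodeBGRA(data, size, &w, &h);
#if !defined(WEBP_REDUCE_CSP)
  } else if (value < 0x40) {
    buf = WebPDecodeARGB(data, size, &w, &h);
  } else if (value < 0x55) {
    buf = WebPDecodeRGB(data, size, &w, &h);
  } else if (value < 0x6a) {
    buf = WebPDecodeBGR(data, size, &w, &h);
#endif  // !defined(WEBP_REDUCE_CSP)
  } else if (value < 0x7f) {
    // Only the returned luma pointer is kept; it is the one released below.
    uint8_t *u, *v;
    int stride, uv_stride;
    buf = WebPDecodeYUV(data, size, &w, &h, &u, &v, &stride, &uv_stride);
  } else if (value < 0xe8) {
    // The stride is chosen from the selector alone (4 * w below 0xbe, 3 * w
    // otherwise), not from the format picked afterwards, so some calls get a
    // stride that does not match the pixel size of the requested format.
    const int stride = (value < 0xbe ? 4 : 3) * w;
    // Widen before multiplying, as the pixel-limit check above does: the
    // value of kFuzzPxLimit is not visible here, and an int product that
    // overflowed would be undefined behavior in the harness, not the decoder.
    size_t buf_size = static_cast<size_t>(stride) * h;
    // One selector value in sixteen: under-size the buffer by a single byte.
    if (value % 0x10 == 0) buf_size--;
    // NOTE(review): the malloc() result is passed on unchecked; confirm the
    // *Into functions reject a NULL output buffer.
    uint8_t* const ext_buf = static_cast<uint8_t*>(malloc(buf_size));
    if (value < 0x94) {
      (void)WebPDecodeRGBAInto(data, size, ext_buf, buf_size, stride);
#if !defined(WEBP_REDUCE_CSP)
    } else if (value < 0xa9) {
      (void)WebPDecodeARGBInto(data, size, ext_buf, buf_size, stride);
    } else if (value < 0xbe) {
      (void)WebPDecodeBGRInto(data, size, ext_buf, buf_size, stride);
    } else if (value < 0xd3) {
      (void)WebPDecodeRGBInto(data, size, ext_buf, buf_size, stride);
#endif  // !defined(WEBP_REDUCE_CSP)
    } else {
      (void)WebPDecodeBGRAInto(data, size, ext_buf, buf_size, stride);
    }
    free(ext_buf);
  } else {
    // Plane sizes are computed in size_t for the same reason as buf_size.
    size_t luma_size = static_cast<size_t>(w) * h;
    const int uv_stride = (w + 1) / 2;
    // Evaluates as (uv_stride * (h + 1)) / 2, which is never smaller than
    // uv_stride * ((h + 1) / 2); the original grouping is kept on purpose so
    // the sizes handed to the decoder do not change.
    size_t u_size = static_cast<size_t>(uv_stride) * (h + 1) / 2;
    size_t v_size = static_cast<size_t>(uv_stride) * (h + 1) / 2;
    // One selector value in sixteen: the low three bits of the input length
    // decide which of the three planes are under-sized by one byte.
    if (value % 0x10 == 0) {
      if (size & 1) luma_size--;
      if (size & 2) u_size--;
      if (size & 4) v_size--;
    }
    // NOTE(review): as above, the allocations are not checked before use.
    uint8_t* const luma_buf = static_cast<uint8_t*>(malloc(luma_size));
    uint8_t* const u_buf = static_cast<uint8_t*>(malloc(u_size));
    uint8_t* const v_buf = static_cast<uint8_t*>(malloc(v_size));
    (void)WebPDecodeYUVInto(data, size, luma_buf, luma_size,
                            w /* luma_stride */, u_buf, u_size, uv_stride,
                            v_buf, v_size, uv_stride);
    free(luma_buf);
    free(u_buf);
    free(v_buf);
  }
  // Buffers returned by the allocating decoders are released with WebPFree().
  if (buf) WebPFree(buf);
}

}  // namespace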
// Registers SimpleApiTest as a fuzz target. The input domain is an arbitrary
// byte string of at most fuzz_utils::kMaxWebPFileSize + 1 bytes.
// NOTE(review): the "+ 1" presumably lets the fuzzer also produce inputs one
// byte over the file-size limit -- confirm against fuzz_utils.h.
FUZZ_TEST(SimpleApi, SimpleApiTest)
.WithDomains(fuzztest::String().WithMaxSize(fuzz_utils::kMaxWebPFileSize +
1));
// Regression test named after bug 498966511: replays one fixed input through
// SimpleApiTest. The length (150) is passed explicitly because the literal
// contains embedded NUL bytes, which would otherwise end the std::string at
// the first "\000".
// NOTE(review): nothing is asserted on the decode result, so the test appears
// to rely on the call completing cleanly (e.g. under a sanitizer build) --
// confirm. Presumably this is the reproducer for the unsigned-integer-overflow
// report in src/dec/alpha_dec.c; verify against the bug.
TEST(SimpleApi, Buganizer498966511) {
SimpleApiTest(
std::string("ALPH\004\000\000\000A\377\377\377\377LP\010\000\000\000\000"
"\000\000\311H\006\000\000\000\"E\356PW\"ALPH\000\000\000\000"
"ALpH\004\000\000\000\004\010\000\200VP8 "
"T\000\000\000\266\003\000\235\001*"
"\001\000\002\000y\336n\366\001O\363\374\243\000\003LPS\"\002"
"iF\000FjRsa\232vP\"EO\"K\217OM;rOect\275n\"Wsection_JUNQ="
"\"JUNQ\"\250YO,_I\362\021\"ANIM\"",
150));
}