libwebp/tests/fuzzer/animdecoder_fuzzer.cc
James Zern 6325882327 animdecoder_fuzzer: validate canvas size
avoids some OOMs due to extreme resolutions

BUG=oss-fuzz:28658

Change-Id: I60b5fb3d7a7d17694a89237d521b851b0897e9fb
2020-12-18 11:18:11 -08:00

52 lines
1.8 KiB
C++

// Copyright 2020 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////
#include "examples/anim_util.h"
#include "imageio/imageio_util.h"
#include "webp/demux.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
// WebPAnimDecoderGetInfo() is too late to check the canvas size as
// WebPAnimDecoderNew() will handle the allocations.
WebPBitstreamFeatures features;
if (WebPGetFeatures(data, size, &features) == VP8_STATUS_OK) {
if (!ImgIoUtilCheckSizeArgumentsOverflow(features.width * 4,
features.height)) {
return 0;
}
}
// decode everything as an animation
WebPData webp_data = { data, size };
WebPAnimDecoder* const dec = WebPAnimDecoderNew(&webp_data, NULL);
if (dec == NULL) return 0;
WebPAnimInfo info;
if (!WebPAnimDecoderGetInfo(dec, &info)) return 0;
if (!ImgIoUtilCheckSizeArgumentsOverflow(info.canvas_width * 4,
info.canvas_height)) {
return 0;
}
while (WebPAnimDecoderHasMoreFrames(dec)) {
uint8_t* buf;
int timestamp;
if (!WebPAnimDecoderGetNext(dec, &buf, &timestamp)) break;
}
WebPAnimDecoderDelete(dec);
return 0;
}