oss-fuzz/projects/giflib/dgif_fuzz_common.cc

191 lines
5.0 KiB
C++
Raw Normal View History

#include "dgif_fuzz_common.h"
#include <iostream>
using namespace std;
extern "C" void PrintGifError(int ErrorCode);
int stub_input_reader(GifFileType *gifFileType, GifByteType *gifByteType, int len)
{
struct gifUserData *gud = (struct gifUserData *)gifFileType->UserData;
if (gud->gifLen == 0)
return 0;
int read_len = (len > gud->gifLen ? gud->gifLen : len);
memcpy(gifByteType, gud->gifData, read_len);
gud->gifData += read_len;
gud->gifLen -= read_len;
return read_len;
}
int fuzz_dgif(const uint8_t *Data, size_t Size)
{
GifFileType *GifFile;
int Error;
uint8_t *gifData = (uint8_t *)malloc(Size);
memcpy(gifData, Data, Size);
struct gifUserData gUData = {Size, gifData};
GifFile = DGifOpen((void *)&gUData, stub_input_reader, &Error);
if (GifFile != NULL)
{
DGifSlurp(GifFile);
DGifCloseFile(GifFile, &Error);
}
free(gifData);
return 0;
}
int fuzz_dgif_extended(const uint8_t *Data, size_t Size)
{
GifFileType *GifFile;
int Error;
uint8_t *gifData = (uint8_t *)malloc(Size);
memcpy(gifData, Data, Size);
struct gifUserData gUData = {Size, gifData};
GifFile = DGifOpen((void *)&gUData, stub_input_reader, &Error);
if (GifFile == NULL)
{
free(gifData);
return 0;
}
if (DGifSlurp(GifFile) != GIF_OK)
{
DGifCloseFile(GifFile, &Error);
free(gifData);
return 0;
}
GraphicsControlBlock gcb;
for (int i = 0; i < GifFile->ImageCount; i++)
{
DGifSavedExtensionToGCB(GifFile, i, &gcb);
}
const ColorMapObject *cmap = GifFile->SColorMap;
if (cmap)
{
DGifSavedExtensionToGCB(GifFile, 0, &gcb);
}
DGifCloseFile(GifFile, &Error);
free(gifData);
return 0;
}
static Color8888 gifColorToColor8888(const GifColorType &color)
{
return ARGB_TO_COLOR8888(0xff, color.Red, color.Green, color.Blue);
}
static bool willBeCleared(const GraphicsControlBlock &gcb)
{
return gcb.DisposalMode == DISPOSE_BACKGROUND || gcb.DisposalMode == DISPOSE_PREVIOUS;
}
static long getDelayMs(GraphicsControlBlock &gcb)
{
return gcb.DelayTime * 10;
}
int fuzz_dgif_ala_android(const uint8_t *Data, size_t Size)
{
GifFileType *GifFile;
int Error;
uint8_t *gifData = (uint8_t *)malloc(Size);
memcpy(gifData, Data, Size);
struct gifUserData gUData = {Size, gifData};
GifFile = DGifOpen((void *)&gUData, stub_input_reader, &Error);
if (GifFile == NULL)
{
free(gifData);
return 0;
}
if (DGifSlurp(GifFile) != GIF_OK)
{
PrintGifError(GifFile->Error);
DGifCloseFile(GifFile, &Error);
free(gifData);
return 0;
}
long durationMs = 0;
int lastUnclearedFrame = -1;
bool *preservedFrames = new bool[GifFile->ImageCount];
int *restoringFrames = new int[GifFile->ImageCount];
int loopCount = 0;
Color8888 bgColor = 0;
GraphicsControlBlock gcb;
for (int i = 0; i < GifFile->ImageCount; i++)
{
const SavedImage &image = GifFile->SavedImages[i];
// find the loop extension pair
for (int j = 0; (j + 1) < image.ExtensionBlockCount; j++)
{
ExtensionBlock *eb1 = image.ExtensionBlocks + j;
ExtensionBlock *eb2 = image.ExtensionBlocks + j + 1;
if (eb1->Function == APPLICATION_EXT_FUNC_CODE
// look for "NETSCAPE2.0" app extension
&& eb1->ByteCount == 11 && !memcmp((const char *)(eb1->Bytes), "NETSCAPE2.0", 11)
// verify extension contents and get loop count
&& eb2->Function == CONTINUE_EXT_FUNC_CODE && eb2->ByteCount == 3 && eb2->Bytes[0] == 1)
{
loopCount = (int)(eb2->Bytes[2] << 8) + (int)(eb2->Bytes[1]);
}
}
DGifSavedExtensionToGCB(GifFile, i, &gcb);
// timing
durationMs += getDelayMs(gcb);
// preserve logic
preservedFrames[i] = false;
restoringFrames[i] = -1;
if (gcb.DisposalMode == DISPOSE_PREVIOUS && lastUnclearedFrame >= 0)
{
preservedFrames[lastUnclearedFrame] = true;
restoringFrames[i] = lastUnclearedFrame;
}
if (!willBeCleared(gcb))
{
lastUnclearedFrame = i;
}
// Draw
// assert(y+8 <= Image->ImageDesc.Height);
// assert(x+8*strlen(legend) <= Image->ImageDesc.Width);
int imgHeight = GifFile->SavedImages[i].ImageDesc.Height;
int imgWidth = GifFile->SavedImages[i].ImageDesc.Width;
// TODO: Source x,y, string, and color from fuzzer input
int x = 0;
int y = 0;
int strLen = 6;
if (y + 8 <= imgHeight && x + 8 * strLen <= imgWidth)
GifDrawText8x8(&GifFile->SavedImages[i], 0, 0, "legend", 42);
}
#if GIF_DEBUG
ALOGD("FrameSequence_gif created with size %d %d, frames %d dur %ld",
GifFile->SWidth, GifFile->SHeight, GifFile->ImageCount, durationMs);
for (int i = 0; i < GifFile->ImageCount; i++)
{
DGifSavedExtensionToGCB(GifFile, i, &gcb);
ALOGD(" Frame %d - must preserve %d, restore point %d, trans color %d",
i, preservedFrames[i], restoringFrames[i], gcb.TransparentColor);
}
#endif
const ColorMapObject *cmap = GifFile->SColorMap;
if (cmap)
{
// calculate bg color
GraphicsControlBlock gcb;
DGifSavedExtensionToGCB(GifFile, 0, &gcb);
if (gcb.TransparentColor == NO_TRANSPARENT_COLOR && GifFile->SBackGroundColor < cmap->ColorCount)
{
bgColor = gifColorToColor8888(cmap->Colors[GifFile->SBackGroundColor]);
}
}
DGifCloseFile(GifFile, &Error);
free(gifData);
delete[] preservedFrames;
delete[] restoringFrames;
return 0;
}