From 104d81572ee6fea549a08a367e4139016eb8e127 Mon Sep 17 00:00:00 2001
From: mmoroz <mmoroz@chromium.org>
Date: Tue, 13 Sep 2016 16:32:45 +0200
Subject: [PATCH] Add libpng fuzzer with a dictionary and a couple of
 modifications.

---
 libpng/Dockerfile                 |  22 ++++++
 libpng/Jenkinsfile                |  24 ++++++
 libpng/build.sh                   |  34 +++++++++
 libpng/libpng_read_fuzzer.cc      | 123 ++++++++++++++++++++++++++++++
 libpng/libpng_read_fuzzer.options |   2 +
 libpng/png.dict                   |  38 +++++++++
 6 files changed, 243 insertions(+)
 create mode 100644 libpng/Dockerfile
 create mode 100644 libpng/Jenkinsfile
 create mode 100755 libpng/build.sh
 create mode 100644 libpng/libpng_read_fuzzer.cc
 create mode 100644 libpng/libpng_read_fuzzer.options
 create mode 100644 libpng/png.dict

diff --git a/libpng/Dockerfile b/libpng/Dockerfile
new file mode 100644
index 000000000..42eea7345
--- /dev/null
+++ b/libpng/Dockerfile
@@ -0,0 +1,22 @@
+
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool zlib1g-dev
+
+CMD /src/oss-fuzz/libpng/build.sh
diff --git a/libpng/Jenkinsfile b/libpng/Jenkinsfile
new file mode 100644
index 000000000..6b7e6ea4a
--- /dev/null
+++ b/libpng/Jenkinsfile
@@ -0,0 +1,24 @@
+
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+def libfuzzerBuild = fileLoader.fromGit('infra/libfuzzer-pipeline.groovy',
+                                        'https://github.com/google/oss-fuzz.git',
+                                        'master', null, '')
+
+libfuzzerBuild {
+  git = "git://git.code.sf.net/p/libpng/code"
+}
diff --git a/libpng/build.sh b/libpng/build.sh
new file mode 100755
index 000000000..6a6ede7f7
--- /dev/null
+++ b/libpng/build.sh
@@ -0,0 +1,34 @@
+
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd /src/libpng
+
+# Disable logging via library build configuration control.
+cat scripts/pnglibconf.dfa | sed -e "s/option STDIO/option STDIO disabled/" \
+> scripts/pnglibconf.dfa.temp
+mv scripts/pnglibconf.dfa.temp scripts/pnglibconf.dfa
+
+# build the library.
+./autogen.sh
+./configure
+make clean all
+
+# build libpng_read_fuzzer
+$CXX $CXXFLAGS -std=c++11 -I. -lz \
+     /src/oss-fuzz/libpng/libpng_read_fuzzer.cc -o /out/libpng_read_fuzzer \
+     /work/libfuzzer/*.o .libs/libpng16.a $LDFLAGS
diff --git a/libpng/libpng_read_fuzzer.cc b/libpng/libpng_read_fuzzer.cc
new file mode 100644
index 000000000..ca489b090
--- /dev/null
+++ b/libpng/libpng_read_fuzzer.cc
@@ -0,0 +1,123 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <vector>
+
+#define PNG_INTERNAL
+#include "png.h"
+
+struct BufState {
+  const uint8_t* data;
+  size_t bytes_left;
+};
+
+struct PngObjectHandler {
+  png_infop info_ptr = nullptr;
+  png_structp png_ptr = nullptr;
+  png_voidp row_ptr = nullptr;
+  BufState* buf_state = nullptr;
+
+  ~PngObjectHandler() {
+    if (row_ptr && png_ptr) {
+      png_free(png_ptr, row_ptr);
+    }
+    if (png_ptr && info_ptr) {
+      png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
+    }
+    delete buf_state;
+  }
+};
+
+void user_read_data(png_structp png_ptr, png_bytep data, png_size_t length) {
+  BufState* buf_state = static_cast<BufState*>(png_get_io_ptr(png_ptr));
+  if (length > buf_state->bytes_left) {
+    png_error(png_ptr, "read error");
+  }
+  memcpy(data, buf_state->data, length);
+  buf_state->bytes_left -= length;
+  buf_state->data += length;
+}
+
+static const int kPngHeaderSize = 8;
+
+// Entry point for LibFuzzer.
+// Roughly follows the libpng book example:
+// http://www.libpng.org/pub/png/book/chapter13.html
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size < kPngHeaderSize) {
+    return 0;
+  }
+
+  std::vector<unsigned char> v(data, data + size);
+  if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) {
+    // not a PNG.
+    return 0;
+  }
+
+  PngObjectHandler png_handler;
+  png_handler.png_ptr = png_create_read_struct
+    (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr);
+  if (!png_handler.png_ptr) {
+    return 0;
+  }
+
+  png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
+
+  png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr);
+  if (!png_handler.info_ptr) {
+    return 0;
+  }
+
+  // Setting up reading from buffer.
+  png_handler.buf_state = new BufState();
+  png_handler.buf_state->data = data + kPngHeaderSize;
+  png_handler.buf_state->bytes_left = size - kPngHeaderSize;
+  png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data);
+  png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize);
+
+  // libpng error handling.
+  if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
+    return 0;
+  }
+
+  // Reading.
+  png_read_info(png_handler.png_ptr, png_handler.info_ptr);
+  png_handler.row_ptr = png_malloc(
+      png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr,
+                                               png_handler.info_ptr));
+
+  // reset error handler to put png_deleter into scope.
+  if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
+    return 0;
+  }
+
+  png_uint_32 width, height;
+  int bit_depth, color_type, interlace_type, compression_type;
+  int filter_type;
+
+  if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width,
+                    &height, &bit_depth, &color_type, &interlace_type,
+                    &compression_type, &filter_type)) {
+    return 0;
+  }
+
+  // This is going to be too slow.
+  if (width && height > 100000000 / width)
+    return 0;
+
+  int passes = png_set_interlace_handling(png_handler.png_ptr);
+  png_start_read_image(png_handler.png_ptr);
+
+  for (int pass = 0; pass < passes; ++pass) {
+    for (png_uint_32 y = 0; y < height; ++y) {
+      png_read_row(png_handler.png_ptr,
+                   static_cast<png_bytep>(png_handler.row_ptr), NULL);
+    }
+  }
+
+  return 0;
+}
diff --git a/libpng/libpng_read_fuzzer.options b/libpng/libpng_read_fuzzer.options
new file mode 100644
index 000000000..2005291a0
--- /dev/null
+++ b/libpng/libpng_read_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+dict = png.dict
diff --git a/libpng/png.dict b/libpng/png.dict
new file mode 100644
index 000000000..ea12d19e6
--- /dev/null
+++ b/libpng/png.dict
@@ -0,0 +1,38 @@
+#
+# AFL dictionary for PNG images
+# -----------------------------
+#
+# Just the basic, standard-originating sections; does not include vendor
+# extensions.
+#
+# Created by Michal Zalewski <lcamtuf@google.com>
+#
+
+header_png="\x89PNG\x0d\x0a\x1a\x0a"
+
+section_IDAT="IDAT"
+section_IEND="IEND"
+section_IHDR="IHDR"
+section_PLTE="PLTE"
+section_bKGD="bKGD"
+section_cHRM="cHRM"
+section_fRAc="fRAc"
+section_gAMA="gAMA"
+section_gIFg="gIFg"
+section_gIFt="gIFt"
+section_gIFx="gIFx"
+section_hIST="hIST"
+section_iCCP="iCCP"
+section_iTXt="iTXt"
+section_oFFs="oFFs"
+section_pCAL="pCAL"
+section_pHYs="pHYs"
+section_sBIT="sBIT"
+section_sCAL="sCAL"
+section_sPLT="sPLT"
+section_sRGB="sRGB"
+section_sTER="sTER"
+section_tEXt="tEXt"
+section_tIME="tIME"
+section_tRNS="tRNS"
+section_zTXt="zTXt"