From 15bf80e2ec8e549579d7ba0b8bd5d5a90f366c3a Mon Sep 17 00:00:00 2001 From: DavidKorczynski Date: Mon, 29 Aug 2022 22:37:13 +0100 Subject: [PATCH] lcms: extend to have double as source format (#8372) * lcms: extend to have double as source format srcFormats of double was supported but never actually hit, which is due to the bits in the srcFormat not actually being accurate, e.g. T_BYTES(srcFormat) == 0 would never be satisfied. This includes in the cms_transform_fuzzer. This is an effort to overcoming this. * lcms: avoid timeouts by only running a single test per iteration Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50723 --- projects/lcms/cms_transform_extended_fuzzer.c | 32 +++++++++++-------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/projects/lcms/cms_transform_extended_fuzzer.c b/projects/lcms/cms_transform_extended_fuzzer.c index 34bbf8743..2a20bc125 100644 --- a/projects/lcms/cms_transform_extended_fuzzer.c +++ b/projects/lcms/cms_transform_extended_fuzzer.c @@ -58,6 +58,10 @@ run_test(const uint8_t *data, dstProfile = cmsCreateLab4Profile(NULL); dstFormat = TYPE_Lab_DBL; } + else if (dstVal == 7) { + dstProfile = cmsCreateLab4Profile(NULL); + dstFormat = TYPE_Lab_DBL; + } else { dstProfile = cmsCreate_sRGBProfile(); dstFormat = TYPE_RGB_8; @@ -73,8 +77,14 @@ run_test(const uint8_t *data, cmsUInt32Number nSrcComponents = cmsChannelsOf(srcCS); cmsUInt32Number srcFormat; if (srcCS == cmsSigLabData) { - srcFormat = - COLORSPACE_SH(PT_Lab) | CHANNELS_SH(nSrcComponents) | BYTES_SH(0); + if (dstVal != 7) { + srcFormat = + COLORSPACE_SH(PT_Lab) | CHANNELS_SH(nSrcComponents) | BYTES_SH(0); + } + else { + srcFormat = + COLORSPACE_SH(PT_Lab) | CHANNELS_SH(nSrcComponents) | BYTES_SH(0) | FLOAT_SH(1); + } } else { srcFormat = COLORSPACE_SH(PT_ANY) | CHANNELS_SH(nSrcComponents) | BYTES_SH(1); 
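Review bot: The added `else if (dstVal == 7)` branch repeats the body of the branch directly above it (`cmsCreateLab4Profile(NULL)` / `TYPE_Lab_DBL`), and the literal 7 only gains meaning in the next hunk, where `dstVal != 7` picks the source encoding. A reader of this hunk alone cannot tell why a second identical case exists. I would add a comment such as `/* 7: same Lab double destination as above, but paired with a floating-point Lab source format below */`, or name the value once (for example `enum { DST_LAB_DBL_FLOAT_SRC = 7 };`) and use it in both hunks. The rest of run_test, including the condition of the preceding branch, is outside the hunk.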
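Review bot: The `dstVal != 7` arm keeps the old Lab source format `BYTES_SH(0)` without `FLOAT_SH(1)`, which the commit description seems to identify as the encoding that never reached the double-input path. If that reading is right, Lab-source inputs with any other dstVal still exercise only the old behaviour, and nothing here says whether that is intended. I would either document it on the arm, e.g. `/* legacy encoding kept for existing corpus coverage; does not reach the double path */`, or drop the conditional and always set `FLOAT_SH(1)` for Lab sources. The 7 here is the same undocumented literal as in the first hunk.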
@@ -100,7 +110,8 @@ run_test(const uint8_t *data, // The output buffer type depends on the dstFormat // The input buffer type depends on the srcFormat. if (T_BYTES(srcFormat) == 0) { // 0 means double - uint8_t output[4]; + // Ensure output is large enough + long long output[nSrcComponents*4]; double input[nSrcComponents]; for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 0.5f; cmsDoTransform(hTransform, input, output, 1); @@ -131,23 +142,18 @@ run_test(const uint8_t *data, int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - if (size < 8) { + if (size < 12) { return 0; } uint32_t flags = *((const uint32_t *)data+0); uint32_t intent = *((const uint32_t *)data+1) % 16; - data += 8; - size -= 8; + int decider = *((int*)data+2) % 10; + data += 12; + size -= 12; // Transform using various output formats. - run_test(data, size, intent, flags, 0); - run_test(data, size, intent, flags, 1); - run_test(data, size, intent, flags, 2); - run_test(data, size, intent, flags, 3); - run_test(data, size, intent, flags, 4); - run_test(data, size, intent, flags, 5); - run_test(data, size, intent, flags, 6); + run_test(data, size, intent, flags, decider); return 0; }
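Review bot: The replacement buffer `long long output[nSrcComponents*4]` is sized from the source channel count, but what cmsDoTransform writes into it is determined by dstFormat, so the "large enough" in the new comment is a heuristic rather than a bound. An undersized or zero-length variable-length array here would be a stack overflow in the harness itself, reported as a finding that does not belong to the library. A fixed, correctly aligned worst-case buffer removes both the VLA and the dependency on the source side: `cmsFloat64Number output[cmsMAXCHANNELS];`. The comment could then read `// One pixel in the widest format lcms can emit`. The enclosing `if` block and run_test continue outside the hunk.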
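Review bot: The new selector `int decider = *((int*)data+2) % 10;` reads the fuzzer bytes as a signed int, so `%` can return values from -9 to 9, and the cast also drops the `const` that the two reads above it keep. Negative results, and 8 and 9, presumably all fall through to the default sRGB branch of run_test, which skews a single-test-per-input harness toward one destination format. Matching the neighbouring reads and the range the hunks here actually handle would look like `uint32_t decider = *((const uint32_t *)data+2) % 8;`, assuming 0–7 are the only values run_test distinguishes. It is also worth noting in the description that existing corpus entries are reinterpreted, since the header grew from 8 to 12 bytes.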