From 8284b6bbddcfce2432cd946d29f74a66f1819494 Mon Sep 17 00:00:00 2001
From: Google AutoFuzz Team
Date: Fri, 29 May 2020 12:01:23 +0200
Subject: [PATCH] [libgd] Add another fuzzer to libgd (#3892)
---
 projects/libgd/Dockerfile | 2 +-
 projects/libgd/build.sh | 7 ++++
 projects/libgd/gd_image_string_fuzzer.cc | 53 ++++++++++++++++++++++++
 3 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 projects/libgd/gd_image_string_fuzzer.cc
diff --git a/projects/libgd/Dockerfile b/projects/libgd/Dockerfile
index a85269eef..617b0a50b 100644
--- a/projects/libgd/Dockerfile
+++ b/projects/libgd/Dockerfile
@@ -21,4 +21,4 @@ RUN apt-get update && \
 RUN git clone --depth 1 https://github.com/libgd/libgd
 ADD https://lcamtuf.coredump.cx/afl/demo/afl_testcases.tgz $SRC/afl_testcases.tgz
 WORKDIR libgd
-COPY build.sh parser_target.cc $SRC/
+COPY build.sh *.cc $SRC/
diff --git a/projects/libgd/build.sh b/projects/libgd/build.sh
index c49d21b4f..4aabb063c 100755
--- a/projects/libgd/build.sh
+++ b/projects/libgd/build.sh
@@ -32,6 +32,13 @@ for target in Bmp Gd Gd2 Gif Jpeg Png Tga Tiff WBMP Webp; do
 $LIB_FUZZING_ENGINE -lgd -Wl,-Bstatic -lz -Wl,-Bdynamic
 done
+for fuzzers in $(find $SRC -name '*_fuzzer.cc'); do
+ fuzz_basename=$(basename -s .cc $fuzzers)
+ $CXX $CXXFLAGS -std=c++11 -I"$WORK/include" -L"$WORK/lib" \
+ $fuzzers -o $OUT/$fuzz_basename \
+ $LIB_FUZZING_ENGINE -lgd -Wl,-Bstatic -lz -Wl,-Bdynamic
+done
+
 mkdir afl_testcases
 (cd afl_testcases; tar xvf "$SRC/afl_testcases.tgz")
 for format in bmp gif png webp; do
diff --git a/projects/libgd/gd_image_string_fuzzer.cc b/projects/libgd/gd_image_string_fuzzer.cc
new file mode 100644
index 000000000..f3435cc7e
--- /dev/null
+++ b/projects/libgd/gd_image_string_fuzzer.cc
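Review bot: The new loop's `find $SRC -name '*_fuzzer.cc'` walks the whole source tree rather than just the harness files the Dockerfile copies into $SRC, so it presumably also descends into the cloned libgd checkout (the Dockerfile hunk clones it and then runs `WORKDIR libgd`, which suggests it sits under $SRC), and any upstream file matching `*_fuzzer.cc` would silently be compiled and linked with these flags as well. Relying on word-splitting of `$(find ...)` and leaving `$fuzzers` unquoted also ties the loop to paths without whitespace. A top-level glob avoids both: `for fuzzer in "$SRC"/*_fuzzer.cc; do`, `fuzz_basename=$(basename -s .cc "$fuzzer")`, and `"$fuzzer" -o "$OUT/$fuzz_basename" \` on the compile line. The link flags repeat the per-format loop above verbatim; if a third loop is ever added, a shared variable for `-lgd -Wl,-Bstatic -lz -Wl,-Bdynamic` would keep them in step.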
@@ -0,0 +1,53 @@
+// Copyright 2020 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+/////////////////////////////////////////////////////////////////////////////
+
+#include
+
+#include
+#include
+#include
+#include
+
+#include "gd.h"
+#include "gdfontg.h"
+#include "gdfontl.h"
+#include "gdfontmb.h"
+#include "gdfonts.h"
+#include "gdfontt.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ FuzzedDataProvider stream(data, size);
+ const uint8_t slate_width = stream.ConsumeIntegral();
+ const uint8_t slate_height = stream.ConsumeIntegral();
+ gdImagePtr slate_image = gdImageCreateTrueColor(slate_width, slate_height);
+ if (slate_image == nullptr) {
+ return 0;
+ }
+
+ const int x_position = stream.ConsumeIntegral();
+ const int y_position = stream.ConsumeIntegral();
+ const int text_color = stream.ConsumeIntegral();
+ const gdFontPtr font_ptr = stream.PickValueInArray(
+ {gdFontGetGiant(), gdFontGetLarge(), gdFontGetMediumBold(),
+ gdFontGetSmall(), gdFontGetTiny()});
+ const std::string text = stream.ConsumeRemainingBytesAsString();
+
+ gdImageString(slate_image, font_ptr, x_position, y_position,
+ reinterpret_cast(const_cast(text.c_str())),
+ text_color);
+ gdImageDestroy(slate_image);
+ return 0;
+}
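Review bot: The `reinterpret_cast(const_cast(text.c_str()))` argument (its template arguments did not survive this rendering) reads as a const-correctness bug without a why-comment; gdImageString declares its string parameter as a non-const `unsigned char *` although it only reads it, and `text` is the harness's own std::string copy of the remaining input, so a line such as `// gdImageString takes a non-const unsigned char*; text is our own copy, so dropping const is safe` would settle it for the next reader. The file also has no comment saying what it exercises; a one-liner above LLVMFuzzerTestOneInput like `// Fuzz gdImageString: draw fuzzer-chosen text in one of the five built-in bitmap fonts onto a small (at most 255x255) true-color canvas at an arbitrary position and color.` documents the intent, and a short note on the two uint8_t dimension reads would explain that they are deliberately narrow to keep the canvas allocation bounded so runs do not hit the memory or time limits. x_position and y_position are unbounded ints while the text length is unbounded too, so if gdImageString advances x per character as it appears to, signed-overflow reports from inside it are likely libgd findings rather than harness defects; a comment saying so helps triage.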