[libgd] Add another fuzzer to libgd (#3892)

2020-05-29 12:01:23 +02:00 · 2020-05-29 12:01:23 +02:00 · 8284b6bbdd
parent 5b114cdc02
commit 8284b6bbdd
3 changed files with 61 additions and 1 deletions
--- a/projects/libgd/Dockerfile
+++ b/projects/libgd/Dockerfile
@ -21,4 +21,4 @@ RUN apt-get update && \
 RUN git clone --depth 1 https://github.com/libgd/libgd
 ADD https://lcamtuf.coredump.cx/afl/demo/afl_testcases.tgz $SRC/afl_testcases.tgz
 WORKDIR libgd
-COPY build.sh parser_target.cc $SRC/
+COPY build.sh *.cc $SRC/
--- a/projects/libgd/build.sh
+++ b/projects/libgd/build.sh
@ -32,6 +32,13 @@ for target in Bmp Gd Gd2 Gif Jpeg Png Tga Tiff WBMP Webp; do
      $LIB_FUZZING_ENGINE -lgd -Wl,-Bstatic -lz -Wl,-Bdynamic
 done

+for fuzzers in $(find $SRC -name '*_fuzzer.cc'); do
+      fuzz_basename=$(basename -s .cc $fuzzers)
+      $CXX $CXXFLAGS -std=c++11 -I"$WORK/include" -L"$WORK/lib" \
+      $fuzzers -o $OUT/$fuzz_basename \
+      $LIB_FUZZING_ENGINE -lgd -Wl,-Bstatic -lz -Wl,-Bdynamic
+done
+
 mkdir afl_testcases
 (cd afl_testcases; tar xvf "$SRC/afl_testcases.tgz")
 for format in bmp gif png webp; do
--- a/projects/libgd/gd_image_string_fuzzer.cc
+++ b/projects/libgd/gd_image_string_fuzzer.cc
@ -0,0 +1,53 @@
+// Copyright 2020 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+/////////////////////////////////////////////////////////////////////////////
+
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include <cstddef>
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+
+#include "gd.h"
+#include "gdfontg.h"
+#include "gdfontl.h"
+#include "gdfontmb.h"
+#include "gdfonts.h"
+#include "gdfontt.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+    FuzzedDataProvider stream(data, size);
+    const uint8_t slate_width = stream.ConsumeIntegral<uint8_t>();
+    const uint8_t slate_height = stream.ConsumeIntegral<uint8_t>();
+    gdImagePtr slate_image = gdImageCreateTrueColor(slate_width, slate_height);
+    if (slate_image == nullptr) {
+      return 0;
+    }
+
+    const int x_position = stream.ConsumeIntegral<int>();
+    const int y_position = stream.ConsumeIntegral<int>();
+    const int text_color = stream.ConsumeIntegral<int>();
+    const gdFontPtr font_ptr = stream.PickValueInArray(
+        {gdFontGetGiant(), gdFontGetLarge(), gdFontGetMediumBold(),
+        gdFontGetSmall(), gdFontGetTiny()});
+    const std::string text = stream.ConsumeRemainingBytesAsString();
+
+    gdImageString(slate_image, font_ptr, x_position, y_position,
+                  reinterpret_cast<uint8_t*>(const_cast<char*>(text.c_str())),
+                  text_color);
+    gdImageDestroy(slate_image);
+    return 0;
+}