From 8968a41910a5f1dbbfe1c9b8eea62f671fb1ce87 Mon Sep 17 00:00:00 2001
From: DavidKorczynski
Date: Thu, 21 Jul 2022 11:31:09 +0100
Subject: [PATCH] lcms: add extended transform fuzzer (#8050)

---
 projects/lcms/Dockerfile | 2 +-
 projects/lcms/build.sh | 2 +-
 projects/lcms/cms_transform_all_fuzzer.c | 59 ++++++++++++++++++++++++
 3 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 projects/lcms/cms_transform_all_fuzzer.c

diff --git a/projects/lcms/Dockerfile b/projects/lcms/Dockerfile
index ed6532851..d9b04222a 100644
--- a/projects/lcms/Dockerfile
+++ b/projects/lcms/Dockerfile
@@ -18,4 +18,4 @@ FROM gcr.io/oss-fuzz-base/base-builder
 RUN apt-get update && apt-get install -y make autoconf automake libtool
 RUN git clone --depth 1 https://github.com/mm2/Little-CMS.git lcms
 WORKDIR lcms
-COPY build.sh cmsIT8_load_fuzzer.* cms_transform_fuzzer.* cms_overwrite_transform_fuzzer.* icc.dict $SRC/
+COPY build.sh cmsIT8_load_fuzzer.* cms_transform_fuzzer.* cms_overwrite_transform_fuzzer.* cms_transform_all_fuzzer.c icc.dict $SRC/
diff --git a/projects/lcms/build.sh b/projects/lcms/build.sh
index 1c03aad15..bdd2397dc 100755
--- a/projects/lcms/build.sh
+++ b/projects/lcms/build.sh
@@ -20,7 +20,7 @@
 make -j$(nproc) all
 
 # build your fuzzer(s)
-FUZZERS="cmsIT8_load_fuzzer cms_transform_fuzzer cms_overwrite_transform_fuzzer"
+FUZZERS="cmsIT8_load_fuzzer cms_transform_fuzzer cms_overwrite_transform_fuzzer cms_transform_all_fuzzer"
 for F in $FUZZERS; do
 $CC $CFLAGS -c -Iinclude \
 $SRC/$F.c -o $SRC/$F.o
diff --git a/projects/lcms/cms_transform_all_fuzzer.c b/projects/lcms/cms_transform_all_fuzzer.c
new file mode 100644
index 000000000..0684505ee
--- /dev/null
+++ b/projects/lcms/cms_transform_all_fuzzer.c
@@ -0,0 +1,59 @@
+/* Copyright 2022 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include
+#include "lcms2.h"
+
+void
+run_test(const uint8_t *data,
+ size_t size,
+ uint32_t intent_id,
+ uint32_t input_format,
+ uint32_t output_format,
+ uint32_t flags) {
+ if (size < 2) {
+ return;
+ }
+
+ size_t mid = size / 2;
+
+ cmsHPROFILE hInProfile, hOutProfile;
+ cmsHTRANSFORM hTransform;
+
+ hInProfile = cmsOpenProfileFromMem(data, mid);
+ hOutProfile = cmsOpenProfileFromMem(data + mid, size - mid);
+ hTransform = cmsCreateTransform(hInProfile, input_format, hOutProfile,
+ output_format, intent_id, flags);
+ cmsCloseProfile(hInProfile);
+ cmsCloseProfile(hOutProfile);
+
+ if (hTransform) {
+ cmsDeleteTransform(hTransform);
+ }
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ if (size < 16) {
+ return 0;
+ }
+
+ // Generate a random set of args for cmsCreateTransform
+ uint32_t input_format = *((const uint32_t *)data);
+ uint32_t output_format = *((const uint32_t *)data+1);
+ uint32_t flags = *((const uint32_t *)data+2);
+ uint32_t intent = *((const uint32_t *)data+3) % 16;
+ data += 16;
+ size -= 16;
+
+ run_test(data, size, intent, input_format, output_format, flags);
+ return 0;
+}
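Review bot: In `run_test`, the two `cmsOpenProfileFromMem` results are handed straight to `cmsCreateTransform` and `cmsCloseProfile` with no NULL check; a half of the input that does not parse as a profile yields NULL, and unless lcms documents NULL handles as accepted by those APIs, anything that goes wrong there is a harness artifact rather than a library bug and will pollute the crash reports. A second issue is in `LLVMFuzzerTestOneInput`: the four `*((const uint32_t *)data+N)` reads dereference the byte buffer as `uint32_t`, which is an aliasing/alignment violation that `-fsanitize=alignment` can report against the harness itself, so the header fields should be copied out with `memcpy` (adding `#include <string.h>`). The rewrite below opens the profiles one at a time, bails out on the first NULL, and reads the four fields byte-wise; the profile-closing and transform-deletion tail of `run_test` is unchanged.
```c
  size_t mid = size / 2;

  /* A NULL handle means this half is not a profile; do not pass it on. */
  cmsHPROFILE hInProfile = cmsOpenProfileFromMem(data, mid);
  if (!hInProfile) {
    return;
  }
  cmsHPROFILE hOutProfile = cmsOpenProfileFromMem(data + mid, size - mid);
  if (!hOutProfile) {
    cmsCloseProfile(hInProfile);
    return;
  }

  cmsHTRANSFORM hTransform = cmsCreateTransform(hInProfile, input_format, hOutProfile,
                                                output_format, intent_id, flags);
  // … unchanged: close both profiles, delete hTransform if non-NULL …

  // Generate a random set of args for cmsCreateTransform. memcpy rather than a
  // uint32_t* deref: the input is a byte buffer with no alignment guarantee.
  uint32_t input_format, output_format, flags, intent;
  memcpy(&input_format, data, sizeof input_format);
  memcpy(&output_format, data + 4, sizeof output_format);
  memcpy(&flags, data + 8, sizeof flags);
  memcpy(&intent, data + 12, sizeof intent);
  intent %= 16;
  // … unchanged: advance data/size by 16, call run_test, return 0 …
```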