From b793e9a7c749e204a7fcec79c2e6ad3657f8e48d Mon Sep 17 00:00:00 2001
From: Markus Kusano
Date: Wed, 19 Dec 2018 10:56:47 -0500
Subject: [PATCH] Integrate FreeImage and add a fuzz target. (#2035)

* Integrate FreeImage and add a fuzz target.
* Initialize FreeImage within LLVMFuzzerTestOneInput.
* Return 0 and not EXIT_SUCCESS.
* Use https when downloading FreeImage source.
---
 projects/freeimage/Dockerfile | 25 +++++++++++
 projects/freeimage/build.sh | 29 +++++++++++++
 projects/freeimage/load_from_memory_fuzzer.cc | 41 +++++++++++++++++++
 projects/freeimage/project.yaml | 13 ++++++
 4 files changed, 108 insertions(+)
 create mode 100644 projects/freeimage/Dockerfile
 create mode 100755 projects/freeimage/build.sh
 create mode 100644 projects/freeimage/load_from_memory_fuzzer.cc
 create mode 100644 projects/freeimage/project.yaml

diff --git a/projects/freeimage/Dockerfile b/projects/freeimage/Dockerfile
new file mode 100644
index 000000000..86ab661ac
--- /dev/null
+++ b/projects/freeimage/Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make autoconf automake libtool wget
+# This downloads the latest version at the time of writing. There does not
+# appear to be a head version of FreeImage.
+RUN wget https://downloads.sourceforge.net/freeimage/FreeImage3180.zip
+RUN unzip FreeImage3180.zip
+WORKDIR $SRC
+COPY build.sh $SRC/
+COPY load_from_memory_fuzzer.cc $SRC/
diff --git a/projects/freeimage/build.sh b/projects/freeimage/build.sh
new file mode 100755
index 000000000..793b61128
--- /dev/null
+++ b/projects/freeimage/build.sh
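Review bot: The archive fetched by the `RUN wget https://downloads.sourceforge.net/freeimage/FreeImage3180.zip` line is never checked against a known digest, so a substituted or tampered archive on whichever mirror the sourceforge redirector hands out is built and shipped as the fuzz target without any signal; moving the URL to https, as this commit does, secures only the first hop, and the redirect target is outside the project's control. Because this is a fixed release rather than a moving head (the comment above the line says as much), it can be pinned: record the SHA-256 of the archive at integration time and add `RUN echo "<sha256 recorded at integration>  FreeImage3180.zip" | sha256sum -c -` before the `RUN unzip` line, so a changed archive fails the image build instead of silently becoming the code under test. Separately, `unzip` is not in the `apt-get install` list on the line above; if base-builder does not already ship it, add it there.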
@@ -0,0 +1,29 @@
+#!/bin/bash -eu
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+pushd FreeImage
+
+# b44ExpLogTable.cpp only contains a definition of main().
+sed -i 's/Source\/OpenEXR\/IlmImf\/b44ExpLogTable.cpp//' Makefile.srcs
+make LIBRARIES=-lc++ -j$(nproc)
+
+popd
+
+INSTALL_DIR=$SRC/FreeImage/Dist
+
+$CXX $CXXFLAGS -I${INSTALL_DIR}/ load_from_memory_fuzzer.cc \
+ ${INSTALL_DIR}/libfreeimage.a -lFuzzingEngine -o $OUT/load_from_memory_fuzzer
diff --git a/projects/freeimage/load_from_memory_fuzzer.cc b/projects/freeimage/load_from_memory_fuzzer.cc
new file mode 100644
index 000000000..146e3dfe1
--- /dev/null
+++ b/projects/freeimage/load_from_memory_fuzzer.cc
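Review bot: The `make LIBRARIES=-lc++ -j$(nproc)` line builds libfreeimage.a through FreeImage's own Makefile, and nothing on the visible lines hands `$CC`/`$CXX`/`$CFLAGS`/`$CXXFLAGS` to it; only the harness compile on the last two lines uses `$CXX $CXXFLAGS`. If Makefile.gnu does not pick those up from the environment, the library — the code actually under test — is compiled without sanitizer and coverage instrumentation, so ASan misses memory errors inside the decoders and the MSan build (enabled in project.yaml) reports spurious uninitialized-use errors from uninstrumented objects. It is worth confirming in the build log that the libfreeimage objects are compiled with the sanitizer flags, or making it explicit with `make CC="$CC" CXX="$CXX" CFLAGS="$CFLAGS" CXXFLAGS="$CXXFLAGS" LIBRARIES=-lc++ -j$(nproc)` (if the Makefile sets its own `CFLAGS`, those may need to be appended rather than replaced). A one-line comment above the make line stating that the OSS-Fuzz flags must reach the library build would keep this from regressing.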
@@ -0,0 +1,41 @@
+#include
+#include
+#include
+#include
+#include
+
+namespace {
+
+// Returns true if the format should be attempted to loaded from memory.
+bool SafeToLoadFromMemory(FREE_IMAGE_FORMAT fif) {
+ // For now, just load if it is a BMP. Future heuristics may need to be based
+ // on the expected size in different formats for memory regions to avoid OOMs.
+ return fif == FIF_BMP;
+}
+
+} // namespace
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ static bool initialized = false;
+ if (!initialized) {
+ FreeImage_Initialise();
+ }
+
+ if (size > 100 * 1000) {
+ return 0;
+ }
+
+ std::vector fuzzer_data_vector(data, data + size);
+ FIMEMORY* fiMem = FreeImage_OpenMemory(
+ reinterpret_cast(fuzzer_data_vector.data()),
+ fuzzer_data_vector.size());
+
+ FREE_IMAGE_FORMAT fif = FreeImage_GetFileTypeFromMemory(fiMem, 0);
+ if (SafeToLoadFromMemory(fif)) {
+ FIBITMAP* fiBitmap = FreeImage_LoadFromMemory(fif, fiMem);
+ FreeImage_Unload(fiBitmap);
+ }
+ FreeImage_CloseMemory(fiMem);
+
+ return 0;
+}
diff --git a/projects/freeimage/project.yaml b/projects/freeimage/project.yaml
new file mode 100644
index 000000000..621f741a6
--- /dev/null
+++ b/projects/freeimage/project.yaml
@@ -0,0 +1,13 @@
+homepage: "http://freeimage.sourceforge.net/"
+primary_contact: "kusano@google.com"
+
+experimental: true
+
+sanitizers:
+ - address
+ - memory
+ - undefined
+
+labels:
+ load_from_memory_fuzzer:
+ - sundew
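Review bot: `initialized` is declared as `static bool initialized = false;` and tested with `if (!initialized)` at the top of LLVMFuzzerTestOneInput, but it is never set to true, so `FreeImage_Initialise()` runs on every input rather than once per process as the commit message ("Initialize FreeImage within LLVMFuzzerTestOneInput") intends; set the flag inside the branch: `if (!initialized) { FreeImage_Initialise(); initialized = true; }`. A smaller point: the `FIMEMORY*` returned by `FreeImage_OpenMemory` is passed straight to `FreeImage_GetFileTypeFromMemory` without a null check, and for a zero-length input `fuzzer_data_vector.data()` has no backing storage; a guard such as `if (fiMem == nullptr) return 0;` before the call keeps an allocation failure in the harness from being reported as a library finding. The doc comment on SafeToLoadFromMemory should read "should be attempted to be loaded from memory", and the 100 * 1000 size cap would be clearer with a comment naming it as an OOM guard pending the per-format heuristics the comment inside the helper alludes to.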