From c9f81256f9a9d376cac798cdb9d849e19dbc6ca1 Mon Sep 17 00:00:00 2001
From: DavidKorczynski
Date: Sat, 23 Jul 2022 13:20:03 +0100
Subject: [PATCH] lcms: add seeds and profile fuzzer (#8063)

---
 projects/lcms/Dockerfile | 11 ++++++-
 projects/lcms/build.sh | 4 ++-
 projects/lcms/cms_profile_fuzzer.c | 53 ++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 projects/lcms/cms_profile_fuzzer.c

diff --git a/projects/lcms/Dockerfile b/projects/lcms/Dockerfile
index d9b04222a..aaa551794 100644
--- a/projects/lcms/Dockerfile
+++ b/projects/lcms/Dockerfile
@@ -17,5 +17,14 @@ FROM gcr.io/oss-fuzz-base/base-builder
 RUN apt-get update && apt-get install -y make autoconf automake libtool
 RUN git clone --depth 1 https://github.com/mm2/Little-CMS.git lcms
+RUN mkdir $SRC/seeds && \
+ cd seeds && \
+ cp $SRC/lcms/testbed/bad.icc . && \
+ cp $SRC/lcms/testbed/toosmall.icc . && \
+ cp $SRC/lcms/testbed/test1.icc . && \
+ cp $SRC/lcms/testbed/crayons.icc . && \
+ cp $SRC/lcms/testbed/ibm-t61.icc . && \
+ zip -rj $SRC/seed_corpus.zip $SRC/seeds/*
+
 WORKDIR lcms
-COPY build.sh cmsIT8_load_fuzzer.* cms_transform_fuzzer.* cms_overwrite_transform_fuzzer.* cms_transform_all_fuzzer.c icc.dict $SRC/
+COPY build.sh *.c *.options *.dict $SRC/
diff --git a/projects/lcms/build.sh b/projects/lcms/build.sh
index bdd2397dc..14e23771f 100755
--- a/projects/lcms/build.sh
+++ b/projects/lcms/build.sh
@@ -20,7 +20,7 @@ make -j$(nproc) all
 # build your fuzzer(s)
-FUZZERS="cmsIT8_load_fuzzer cms_transform_fuzzer cms_overwrite_transform_fuzzer cms_transform_all_fuzzer"
+FUZZERS="cmsIT8_load_fuzzer cms_transform_fuzzer cms_overwrite_transform_fuzzer cms_transform_all_fuzzer cms_profile_fuzzer"
 for F in $FUZZERS; do
 $CC $CFLAGS -c -Iinclude \
 $SRC/$F.c -o $SRC/$F.o
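Review bot: The new `RUN mkdir $SRC/seeds && cd seeds` line depends on the image's working directory being $SRC at that point, which this hunk does not establish (the only WORKDIR visible is the `WORKDIR lcms` set afterwards); if a base-image change or a reordering moves the cwd, `cd seeds` fails or lands in the wrong place while the later `cp`/`zip` steps still use absolute $SRC paths. Making the step self-contained with `cd $SRC/seeds && \` removes that assumption. The build.sh hunks in this commit are consistent with the new file names and need no change.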
@@ -30,3 +30,5 @@ for F in $FUZZERS; do
 done
 cp $SRC/icc.dict $SRC/*.options $OUT/
+cp $SRC/seed_corpus.zip $OUT/cms_transform_fuzzer_seed_corpus.zip
+cp $SRC/seed_corpus.zip $OUT/cms_profile_fuzzer_seed_corpus.zip
diff --git a/projects/lcms/cms_profile_fuzzer.c b/projects/lcms/cms_profile_fuzzer.c
new file mode 100644
index 000000000..308b5e593
--- /dev/null
+++ b/projects/lcms/cms_profile_fuzzer.c
@@ -0,0 +1,53 @@
+/* Copyright 2022 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include
+#include
+#include
+#include
+
+#include "lcms2.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ if (size == 0)
+ return 0;
+
+ char filename[256];
+ sprintf(filename, "/tmp/libfuzzer.%d.icc", getpid());
+ FILE *fp = fopen(filename, "wb");
+ if (!fp) {
+ return 0;
+ }
+ fwrite(data, size, 1, fp);
+ fclose(fp);
+
+ cmsHPROFILE hProfile = cmsOpenProfileFromFile(filename, "r");
+ // If we have a profile, perform a set of operations
+ if (hProfile) {
+ char tagBuffer[4];
+
+ // Perform multiple tag reads
+ cmsReadRawTag(hProfile, cmsSigGreenColorantTag, tagBuffer, 4);
+ cmsReadRawTag(hProfile, cmsSigGreenColorantTag, NULL, 0);
+ cmsReadRawTag(hProfile, cmsSigGreenColorantTag, tagBuffer, 4);
+ cmsReadTag(hProfile, cmsSigGamutTag);
+
+ // Save to random file
+ cmsSaveProfileToFile(hProfile, "random.icc");
+
+ cmsCloseProfile(hProfile);
+ }
+
+ unlink(filename);
+
+ return 0;
+}
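Review bot: `cmsSaveProfileToFile(hProfile, "random.icc")` in LLVMFuzzerTestOneInput writes to a fixed relative path in the process's working directory and nothing ever removes it, so every input that parses as a profile overwrites a file next to the fuzzer binary, and parallel fuzzer workers sharing that directory would write the same file concurrently. The input side already does this correctly with a per-pid name under /tmp that is unlinked before returning, so the saved profile should follow the same pattern, as sketched below. Separately, the `fwrite`/`fclose` results are unchecked, so a short write silently turns the input into a truncated profile rather than being surfaced, and `sprintf(filename, ...)` is safe for a pid but `snprintf(filename, sizeof filename, ...)` is the conventional bounded form. If exercising the file-based open path is not the intent of this target, `cmsOpenProfileFromMem(data, (cmsUInt32Number)size)` would avoid the temp-file round-trip entirely; I assume the file path was chosen deliberately, so the fence keeps it.
```c
  if (hProfile) {
    // … unchanged: tag reads …

    // Save to a per-process temp file and remove it, as with the input file
    char outname[256];
    snprintf(outname, sizeof outname, "/tmp/libfuzzer.%d.out.icc", getpid());
    cmsSaveProfileToFile(hProfile, outname);

    cmsCloseProfile(hProfile);
    unlink(outname);
  }
  // … unchanged: unlink(filename) and return …
```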