From fa6d0abdbcf787f4a591025f3c3b0da8180450f8 Mon Sep 17 00:00:00 2001 From: Kuang-che Wu Date: Tue, 8 Nov 2016 00:29:50 +0800 Subject: [PATCH] Add fuzzers for lcms. Fixes #43 (#77) cmsIT8_load_fuzzer is ported from https://github.com/google/libfuzzer-bot/tree/master/dockerfiles/lcms2 cms_transform_fuzzer is simplified from pdfium's usage https://pdfium.googlesource.com/pdfium/+/master/testing/libfuzzer/pdf_codec_icc_fuzzer.cc --- targets/README.md | 1 + targets/lcms/Dockerfile | 21 ++++++++++++ targets/lcms/Jenkinsfile | 22 +++++++++++++ targets/lcms/build.sh | 30 +++++++++++++++++ targets/lcms/cmsIT8_load_fuzzer.c | 31 ++++++++++++++++++ targets/lcms/cms_transform_fuzzer.c | 50 +++++++++++++++++++++++++++++ 6 files changed, 155 insertions(+) create mode 100644 targets/lcms/Dockerfile create mode 100644 targets/lcms/Jenkinsfile create mode 100755 targets/lcms/build.sh create mode 100644 targets/lcms/cmsIT8_load_fuzzer.c create mode 100644 targets/lcms/cms_transform_fuzzer.c diff --git a/targets/README.md b/targets/README.md index 1cc6a95e8..8129f810f 100644 --- a/targets/README.md +++ b/targets/README.md @@ -14,6 +14,7 @@ Targets integrated with oss-fuzz. | [libarchive](https://github.com/libarchive/libarchive) | [/targets/libarchive](libarchive) | | [libass](https://github.com/libass/libass) | [/targets/libass](libass) | | [libchewing](http://chewing.im/) | [/targets/libchewing](libchewing) | +| [lcms](https://github.com/mm2/Little-CMS) | [/targets/lcms](lcms) | | [libpng](http://www.libpng.org/pub/png/libpng.html) | [/targets/libpng](libpng) | | [libteken](http://80386.nl/projects/libteken/) | [/targets/libteken](libteken) | | [libtsm](https://www.freedesktop.org/wiki/Software/kmscon/libtsm/) | [/targets/libtsm](libtsm) | diff --git a/targets/lcms/Dockerfile b/targets/lcms/Dockerfile new file mode 100644 index 000000000..d33a3a093 --- /dev/null +++ b/targets/lcms/Dockerfile @@ -0,0 +1,21 @@ +# Copyright 2016 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM ossfuzz/base-libfuzzer +MAINTAINER kcwu@google.com +RUN apt-get install -y make autoconf automake libtool +RUN git clone https://github.com/mm2/Little-CMS.git lcms +COPY build.sh cmsIT8_load_fuzzer.c cms_transform_fuzzer.c /src/ diff --git a/targets/lcms/Jenkinsfile b/targets/lcms/Jenkinsfile new file mode 100644 index 000000000..314036f91 --- /dev/null +++ b/targets/lcms/Jenkinsfile @@ -0,0 +1,22 @@ +// Copyright 2016 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +def libfuzzerBuild = fileLoader.fromGit('infra/libfuzzer-pipeline.groovy', + 'https://github.com/google/oss-fuzz.git') + +libfuzzerBuild { + git = "https://github.com/mm2/Little-CMS.git" +} diff --git a/targets/lcms/build.sh b/targets/lcms/build.sh new file mode 100755 index 000000000..85a83e7c0 --- /dev/null +++ b/targets/lcms/build.sh @@ -0,0 +1,30 @@ +#!/bin/bash -eu +# Copyright 2016 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +cd /src/lcms + +# build the target. +./configure +make -j$(nproc) all + +# build your fuzzer(s) +FUZZERS="cmsIT8_load_fuzzer cms_transform_fuzzer" +for F in $FUZZERS; do + $CC $CFLAGS -Iinclude \ + /src/$F.c -o /out/$F \ + -lfuzzer src/.libs/liblcms2.a $FUZZER_LDFLAGS +done diff --git a/targets/lcms/cmsIT8_load_fuzzer.c b/targets/lcms/cmsIT8_load_fuzzer.c new file mode 100644 index 000000000..b336eaff2 --- /dev/null +++ b/targets/lcms/cmsIT8_load_fuzzer.c @@ -0,0 +1,31 @@ +// Copyright 2016 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +#include + +#include "lcms2.h" + +// The main sink +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + if (size == 0) + return 0; + + cmsHANDLE handle = cmsIT8LoadFromMem(0, (void *)data, size); + if (handle) + cmsIT8Free(handle); + + return 0; +} diff --git a/targets/lcms/cms_transform_fuzzer.c b/targets/lcms/cms_transform_fuzzer.c new file mode 100644 index 000000000..6653f61dc --- /dev/null +++ b/targets/lcms/cms_transform_fuzzer.c @@ -0,0 +1,50 @@ +// Copyright 2016 The PDFium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. +#include + +#include "lcms2.h" + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + cmsHPROFILE srcProfile = cmsOpenProfileFromMem(data, size); + if (!srcProfile) return 0; + + cmsHPROFILE dstProfile = cmsCreate_sRGBProfile(); + if (!dstProfile) { + cmsCloseProfile(srcProfile); + return 0; + } + + cmsColorSpaceSignature srcCS = cmsGetColorSpace(srcProfile); + cmsUInt32Number nSrcComponents = cmsChannelsOf(srcCS); + cmsUInt32Number srcFormat; + if (srcCS == cmsSigLabData) { + srcFormat = + COLORSPACE_SH(PT_Lab) | CHANNELS_SH(nSrcComponents) | BYTES_SH(0); + } else { + srcFormat = + COLORSPACE_SH(PT_ANY) | CHANNELS_SH(nSrcComponents) | BYTES_SH(1); + } + + cmsUInt32Number intent = 0; + cmsUInt32Number flags = 0; + cmsHTRANSFORM hTransform = cmsCreateTransform( + srcProfile, srcFormat, dstProfile, TYPE_BGR_8, intent, flags); + cmsCloseProfile(srcProfile); + cmsCloseProfile(dstProfile); + if (!hTransform) return 0; + + uint8_t output[4]; + if (T_BYTES(srcFormat) == 0) { // 0 means double + double input[nSrcComponents]; + for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 0.5f; + cmsDoTransform(hTransform, input, output, 1); + } else { + uint8_t input[nSrcComponents]; + for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 128; + cmsDoTransform(hTransform, input, output, 1); + } + cmsDeleteTransform(hTransform); + + return 0; +}