The image formats we've selected to fuzz test libvips with are typically
those likely to originate from untrusted sources, and this very much
includes the web.
libjxl was added as a dependency of libvips around 18 months ago in
anticipation of the JPEG-XL format being adopted for the web. A year ago we
added a couple of the libjxl maintainers to help triage OSS-Fuzz issues
as its inclusion generated a relatively large number of new problems,
including one that was later issued a CVE.
https://bugs.chromium.org/p/oss-fuzz/issues/list?q=libvips%20libjxl&can=1
The libvips maintainers would love for JPEG-XL to succeed as a format
and we hope to add libjxl back soon, but for now we would like to remove
it to help reduce the support overhead.
/cc @jcupitt
- Remove libgflags-dev, no longer needed by libjxl.
- Remove CMake options that are already default.
- Split long build options across multiple lines.
- Use the RelWithDebInfo build type for CMake builds.
- Use the debugoptimized build type for Meson builds (except for libvips itself).
- Avoid using the bundled lcms2 dependency in libjxl.
- Ensure libjxl builds against the static zlib library.
* libvips: add pdfium to build
Many Rails users will shortly be switching to libvips pdfium load for
PDF rendering. pdfium is well tested and doesn't need fuzzing itself,
but we do need to fuzz the code that links libvips to pdfium.
This PR adds pdfium nightly builds to the libvips fuzzer.
* fix pdfium download
* oops, missing RUN
* fix pdfium install
* Fix PDFium link
* layout
Co-authored-by: Kleis Auke Wolthuizen <github@kleisauke.nl>
- Remove unused dependencies.
- Prefer .git URLs in git clone invocations.
- Use the --static flag of pkg-config for all invocations.
- Remove suspicious LDFLAGS environment variable.
- Disable NLS in libexif.
- Make libc++ a private dependency of libheif and libjxl.
- Build libspng with Meson.
- Ninja does not require a -j flag.
- Re-order linker flags.
- Use libbrotli from system.
- Build libjxl without sjpeg support.
- Link fuzzers against libmount and libblkid (needed by libgio).
- Sort and remove duplicated apt-get packages.
* libvips: add lcms and libspng as dependencies
* libvips: fix AVIF fuzzer
- Ensure libheif is able to detect the headers provided by libaom.
- Disable the build of dynamic modules.
* libvips: fix JXL fuzzer
* fix link failure with libtiff
The fuzz targets were failing to link with:
```
Step #4: /work/lib/libtiff.a(tif_lzma.o): In function `TIFFInitLZMA':
Step #4: /src/libtiff/libtiff/tif_lzma.c:465: undefined reference to `lzma_lzma_preset'
```
It looks like it's become necessary to explicitly link -llzma, see:
4159bda6db
oss-fuzz issue:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18928#c4
Thanks to @lovell.
* pin libtiff to 4.1.0
It seems there's an issue with git master libtiff -- it fails to link on
systems without lzma installed.
For now, pin to 4.1.0, the current stable version.
* explicitly disable lzma
lzma detection in libtiff seems to be broken as of 20 Nov. Disable
explicitly.