1 /*
2 * Copyright 2016 Google Inc.
3 *
4 * Use of this source code is governed by a BSD-style license that can be
5 * found in the LICENSE file.
6 */
7
8 #ifndef Fuzz_DEFINED
9 #define Fuzz_DEFINED
10
11 #include "include/core/SkData.h"
12 #include "include/core/SkImageFilter.h"
13 #include "include/core/SkRegion.h"
14 #include "include/core/SkTypes.h"
15 #include "include/private/SkMalloc.h"
16 #include "tools/Registry.h"
17
18 #include <limits>
19 #include <cmath>
20 #include <signal.h>
21 #include <limits>
22
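// Fuzz wraps the byte buffer supplied for one fuzzing run and hands those bytes out, in
// order, to a fuzz target. Every value obtained through this class comes from that buffer,
// so targets should bound anything they use as a size, count or index (see nextRange and
// nextEnum).
class Fuzz : SkNoncopyable {
public:
    // Holds a reference to `bytes` and starts reading at offset 0.
    // NOTE(review): size(), exhausted(), remaining() and deplete() dereference fBytes
    // without a null check, so callers are expected to pass a non-null SkData.
    explicit Fuzz(sk_sp<SkData> bytes) : fBytes(bytes), fNextByte(0) {}

    // Returns the total number of "random" bytes available.
    size_t size() const { return fBytes->size(); }

    // Returns true if there are no bytes remaining for fuzzing.
    bool exhausted() const {
        return fBytes->size() == fNextByte;
    }

    // Returns the number of bytes that have not been consumed yet.
    // NOTE(review): this is an unsigned subtraction, so it relies on fNextByte never
    // exceeding size(); nextBytes() is defined outside this header -- confirm it keeps
    // that invariant.
    size_t remaining() const {
        return fBytes->size() - fNextByte;
    }

    // Marks the whole input as consumed; exhausted() is true afterwards.
    void deplete() {
        fNextByte = fBytes->size();
    }

    // next() loads fuzzed bytes into the variable passed in by pointer.
    // We use this approach instead of T next() because different compilers
    // evaluate function parameters in different orders. If fuzz->next()
    // returned 5 and then 7, foo(fuzz->next(), fuzz->next()) would be
    // foo(5, 7) when compiled on GCC and foo(7, 5) when compiled on Clang.
    // By requiring params to be passed in, we avoid the temptation to call
    // next() in a way that does not consume fuzzed bytes in a single
    // platform-independent order.
    template <typename T>
    void next(T* t) { this->nextBytes(t, sizeof(T)); }

    // This is a convenient way to initialize more than one argument at a time.
    template <typename Arg, typename... Args>
    void next(Arg* first, Args... rest);

    // nextRange returns values only in [min, max].
    template <typename T, typename Min, typename Max>
    void nextRange(T*, Min, Max);

    // nextEnum is a wrapper around nextRange for enums.
    template <typename T>
    void nextEnum(T* ptr, T max);

    // nextN fills n consecutive elements starting at ptr, one next() call per element.
    // The caller must provide storage for at least n elements.
    template <typename T>
    void nextN(T* ptr, int n);

    // Reports a bug found by the harness itself: logs a marker line and then raises
    // SIGSEGV so that the run ends the same way a crash inside the code under test would.
    void signalBug() {
        // Tell the fuzzer that these inputs found a bug.
        SkDebugf("Signal bug\n");
        raise(SIGSEGV);
    }

    // Specialized versions for when true random doesn't quite make sense
    void next(bool* b);
    void next(SkImageFilter::CropRect* cropRect);
    void next(SkRegion* region);

    void nextRange(float* f, float min, float max);

private:
    template <typename T>
    T nextT();

    sk_sp<SkData> fBytes;   // the fuzzer-provided input
    size_t fNextByte;       // offset of the next unread byte in fBytes
    friend void fuzz__MakeEncoderCorpus(Fuzz*);

    // Copies `size` bytes of input to `ptr`. Defined outside this header; behaviour when
    // fewer than `size` bytes remain is not visible here.
    void nextBytes(void* ptr, size_t size);
};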
92
// Fills several outputs with one call. The first pointer is served before the remaining
// ones, so input bytes are consumed strictly left to right no matter how the compiler
// orders argument evaluation.
template <typename Arg, typename... Args>
inline void Fuzz::next(Arg* first, Args... rest) {
    Fuzz::next(first);
    // Peels one pointer per step; a single leftover pointer resolves to a one-argument
    // overload and ends the recursion.
    Fuzz::next(rest...);
}
98
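// Reads one T from the input and clamps it into [min, max] (both bounds are converted to T
// first). Out-of-range values are pinned to the nearer bound rather than wrapped.
//
// For floating-point T a NaN read from the input is mapped to min: every ordered comparison
// against NaN is false, so a plain `< min` / `> max` pair would hand the NaN back to the
// caller even though this function promises a value inside the range.
//
// The raw bytes are stored into *value before clamping, so for enum types prefer nextEnum,
// which clamps in the underlying integer type instead.
template <typename T, typename Min, typename Max>
inline void Fuzz::nextRange(T* value, Min min, Max max) {
    this->next(value);
    const T lo = (T)min;
    const T hi = (T)max;
    // Negated >= instead of < so that NaN also takes this branch.
    if (!(*value >= lo)) { *value = lo; }
    if (*value > hi) { *value = hi; }
}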
105
// Reads an enum value by way of its underlying integer type and clamps it into [0, max].
// The enum object is only written once the integer is known to be in range.
template <typename T>
inline void Fuzz::nextEnum(T* value, T max) {
    // This works around the fact that UBSAN will assert if we put an invalid
    // value into an enum. We might see issues with enums being represented
    // on Windows differently than Linux, but that's not a thing we can fix here.
    using Raw = typename std::underlying_type<T>::type;
    Raw raw;
    this->next(&raw);

    const Raw lowest = static_cast<Raw>(0);
    const Raw highest = static_cast<Raw>(max);
    if (raw < lowest) {
        raw = lowest;
    } else if (raw > highest) {
        raw = highest;
    }
    // NOTE(review): only the range is enforced; if T has gaps between 0 and max, the
    // result can still be a value with no named enumerator.
    *value = static_cast<T>(raw);
}
118
// Fills ptr[0] .. ptr[n-1] from the input, one next() call per element, so any overload of
// next() that exists for T is applied to each element. Does nothing when n <= 0.
// n is not checked against the destination's capacity; the caller must guarantee that
// ptr points at storage for at least n elements.
template <typename T>
inline void Fuzz::nextN(T* ptr, int n) {
    int filled = 0;
    while (filled < n) {
        this->next(ptr + filled);
        ++filled;
    }
}
125
// One registered fuzz target. DEF_FUZZ brace-initialises this as {name, fn}, so the member
// order below must not change.
struct Fuzzable {
    char const* name;        // target name (DEF_FUZZ stores the stringified macro argument)
    void (*fn)(Fuzz* fuzz);  // entry point, called with the input for one run
};
130
// DEF_FUZZ(name, f) expands to three things, in this order:
//   1. a declaration of the target function fuzz_<name>(Fuzz*),
//   2. an sk_tools::Registry<Fuzzable> object named register_<name>, initialised with
//      {"<name>", fuzz_<name>},
//   3. the opening of fuzz_<name>'s definition; the braces written after the macro become
//      its body and `f` is the name of its Fuzz* parameter.
// Not static so that we can link these into oss-fuzz harnesses if we like.
// Because neither symbol is static, two DEF_FUZZ uses with the same name that end up in one
// binary would define fuzz_<name> and register_<name> twice.
#define DEF_FUZZ(name, f)                                               \
    void fuzz_##name(Fuzz*);                                            \
    sk_tools::Registry<Fuzzable> register_##name({#name, fuzz_##name}); \
    void fuzz_##name(Fuzz* f)
136
137 #endif//Fuzz_DEFINED
138