• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2018 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //      http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16 
17 #include "fuzz.h"
18 #include "webp/mux.h"
19 #include "webp/demux.h"
20 
LLVMFuzzerTestOneInput(const uint8_t * const data,size_t size)21 int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
22   WebPData webp_data;
23   WebPDataInit(&webp_data);
24   webp_data.size = size;
25   webp_data.bytes = data;
26 
27   // Extracted chunks and frames are not processed or decoded,
28   // which is already covered extensively by the other fuzz targets.
29 
30   if (size & 1) {
31     // Mux API
32     WebPMux* mux = WebPMuxCreate(&webp_data, size & 2);
33     if (!mux) return 0;
34 
35     WebPData chunk;
36     WebPMuxGetChunk(mux, "EXIF", &chunk);
37     WebPMuxGetChunk(mux, "ICCP", &chunk);
38     WebPMuxGetChunk(mux, "FUZZ", &chunk);  // unknown
39 
40     uint32_t flags;
41     WebPMuxGetFeatures(mux, &flags);
42 
43     WebPMuxAnimParams params;
44     WebPMuxGetAnimationParams(mux, &params);
45 
46     WebPMuxError status;
47     WebPMuxFrameInfo info;
48     for (int i = 0; i < kFuzzFrameLimit; i++) {
49       status = WebPMuxGetFrame(mux, i + 1, &info);
50       if (status == WEBP_MUX_NOT_FOUND) {
51         break;
52       } else if (status == WEBP_MUX_OK) {
53         WebPDataClear(&info.bitstream);
54       }
55     }
56 
57     WebPMuxDelete(mux);
58   } else {
59     // Demux API
60     WebPDemuxer* demux;
61     if (size & 2) {
62       WebPDemuxState state;
63       demux = WebPDemuxPartial(&webp_data, &state);
64       if (state < WEBP_DEMUX_PARSED_HEADER) {
65         WebPDemuxDelete(demux);
66         return 0;
67       }
68     } else {
69       demux = WebPDemux(&webp_data);
70       if (!demux) return 0;
71     }
72 
73     WebPChunkIterator chunk_iter;
74     if (WebPDemuxGetChunk(demux, "EXIF", 1, &chunk_iter)) {
75       WebPDemuxNextChunk(&chunk_iter);
76     }
77     WebPDemuxReleaseChunkIterator(&chunk_iter);
78     if (WebPDemuxGetChunk(demux, "ICCP", 0, &chunk_iter)) {  // 0 == last
79       WebPDemuxPrevChunk(&chunk_iter);
80     }
81     WebPDemuxReleaseChunkIterator(&chunk_iter);
82     // Skips FUZZ because the Demux API has no concept of (un)known chunks.
83 
84     WebPIterator iter;
85     if (WebPDemuxGetFrame(demux, 1, &iter)) {
86       for (int i = 1; i < kFuzzFrameLimit; i++) {
87         if (!WebPDemuxNextFrame(&iter)) break;
88       }
89     }
90 
91     WebPDemuxReleaseIterator(&iter);
92     WebPDemuxDelete(demux);
93   }
94 
95   return 0;
96 }
97