1 // Copyright 2016 The PDFium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <cstdint>
6
7 #include "core/fpdfapi/parser/cpdf_array.h"
8 #include "core/fpdfapi/parser/cpdf_boolean.h"
9 #include "core/fpdfapi/parser/cpdf_dictionary.h"
10 #include "core/fpdfapi/parser/cpdf_hint_tables.h"
11 #include "core/fpdfapi/parser/cpdf_linearized_header.h"
12 #include "core/fpdfapi/parser/cpdf_number.h"
13 #include "core/fxcrt/cfx_bitstream.h"
14 #include "third_party/base/ptr_util.h"
15 #include "third_party/base/span.h"
16
GetData(const int32_t ** data32,const uint8_t ** data,size_t * size)17 int32_t GetData(const int32_t** data32, const uint8_t** data, size_t* size) {
18 const int32_t* ret = *data32;
19 ++(*data32);
20 *data += 4;
21 *size -= 4;
22 return *ret;
23 }
24
25 class HintTableForFuzzing final : public CPDF_HintTables {
26 public:
HintTableForFuzzing(CPDF_LinearizedHeader * pLinearized,int shared_hint_table_offset)27 HintTableForFuzzing(CPDF_LinearizedHeader* pLinearized,
28 int shared_hint_table_offset)
29 : CPDF_HintTables(nullptr, pLinearized),
30 shared_hint_table_offset_(shared_hint_table_offset) {}
~HintTableForFuzzing()31 ~HintTableForFuzzing() {}
32
Fuzz(const uint8_t * data,size_t size)33 void Fuzz(const uint8_t* data, size_t size) {
34 if (shared_hint_table_offset_ <= 0)
35 return;
36
37 if (size < static_cast<size_t>(shared_hint_table_offset_))
38 return;
39
40 CFX_BitStream bs(pdfium::make_span(data, size));
41 if (!ReadPageHintTable(&bs))
42 return;
43 ReadSharedObjHintTable(&bs, shared_hint_table_offset_);
44 }
45
46 private:
47 int shared_hint_table_offset_;
48 };
49
50 class FakeLinearized final : public CPDF_LinearizedHeader {
51 public:
FakeLinearized(CPDF_Dictionary * linearized_dict)52 explicit FakeLinearized(CPDF_Dictionary* linearized_dict)
53 : CPDF_LinearizedHeader(linearized_dict, 0) {}
54 };
55
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)56 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
57 // Need 28 bytes for |linearized_dict|.
58 // The header section of page offset hint table is 36 bytes.
59 // The header section of shared object hint table is 24 bytes.
60 if (size < 28 + 36 + 24)
61 return 0;
62
63 const int32_t* data32 = reinterpret_cast<const int32_t*>(data);
64
65 auto linearized_dict = pdfium::MakeRetain<CPDF_Dictionary>();
66 // Set initial value.
67 linearized_dict->SetNewFor<CPDF_Boolean>("Linearized", true);
68 // Set first page end offset
69 linearized_dict->SetNewFor<CPDF_Number>("E", GetData(&data32, &data, &size));
70 // Set page count
71 linearized_dict->SetNewFor<CPDF_Number>("N", GetData(&data32, &data, &size));
72 // Set first page obj num
73 linearized_dict->SetNewFor<CPDF_Number>("O", GetData(&data32, &data, &size));
74 // Set first page no
75 linearized_dict->SetNewFor<CPDF_Number>("P", GetData(&data32, &data, &size));
76
77 auto hint_info = pdfium::MakeRetain<CPDF_Array>();
78 // Add primary hint stream offset
79 hint_info->AddNew<CPDF_Number>(GetData(&data32, &data, &size));
80 // Add primary hint stream size
81 hint_info->AddNew<CPDF_Number>(GetData(&data32, &data, &size));
82 // Set hint stream info.
83 linearized_dict->SetFor("H", std::move(hint_info));
84
85 const int shared_hint_table_offset = GetData(&data32, &data, &size);
86
87 {
88 FakeLinearized linearized(linearized_dict.Get());
89 HintTableForFuzzing hint_table(&linearized, shared_hint_table_offset);
90 hint_table.Fuzz(data, size);
91 }
92 return 0;
93 }
94