1 // Copyright 2018 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 #include "fuzz.h"
18 #include "webp/decode.h"
19
LLVMFuzzerTestOneInput(const uint8_t * const data,size_t size)20 int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
21 WebPDecoderConfig config;
22 if (!WebPInitDecoderConfig(&config)) return 0;
23 if (WebPGetFeatures(data, size, &config.input) != VP8_STATUS_OK) return 0;
24 if ((size_t)config.input.width * config.input.height > kFuzzPxLimit) return 0;
25
26 // Using two independent criteria ensures that all combinations of options
27 // can reach each path at the decoding stage, with meaningful differences.
28
29 const uint8_t value = FuzzHash(data, size);
30 const float factor = value / 255.f; // 0-1
31
32 config.options.flip = value & 1;
33 config.options.bypass_filtering = value & 2;
34 config.options.no_fancy_upsampling = value & 4;
35 config.options.use_threads = value & 8;
36 if (size & 1) {
37 config.options.use_cropping = 1;
38 config.options.crop_width = (int)(config.input.width * (1 - factor));
39 config.options.crop_height = (int)(config.input.height * (1 - factor));
40 config.options.crop_left = config.input.width - config.options.crop_width;
41 config.options.crop_top = config.input.height - config.options.crop_height;
42 }
43 if (size & 2) {
44 int strength = (int)(factor * 100);
45 config.options.dithering_strength = strength;
46 config.options.alpha_dithering_strength = 100 - strength;
47 }
48 if (size & 4) {
49 config.options.use_scaling = 1;
50 config.options.scaled_width = (int)(config.input.width * factor * 2);
51 config.options.scaled_height = (int)(config.input.height * factor * 2);
52 }
53
54 config.output.colorspace = (WEBP_CSP_MODE)(value % MODE_LAST);
55
56 if (size % 3) {
57 // Decodes incrementally in chunks of increasing size.
58 WebPIDecoder* idec = WebPIDecode(NULL, 0, &config);
59 if (!idec) return 0;
60 VP8StatusCode status;
61 if (size & 8) {
62 size_t available_size = value + 1;
63 while (1) {
64 if (available_size > size) available_size = size;
65 status = WebPIUpdate(idec, data, available_size);
66 if (status != VP8_STATUS_SUSPENDED || available_size == size) break;
67 available_size *= 2;
68 }
69 } else {
70 // WebPIAppend expects new data and its size with each call.
71 // Implemented here by simply advancing the pointer into data.
72 const uint8_t* new_data = data;
73 size_t new_size = value + 1;
74 while (1) {
75 if (new_data + new_size > data + size) {
76 new_size = data + size - new_data;
77 }
78 status = WebPIAppend(idec, new_data, new_size);
79 if (status != VP8_STATUS_SUSPENDED || new_size == 0) break;
80 new_data += new_size;
81 new_size *= 2;
82 }
83 }
84 WebPIDelete(idec);
85 } else {
86 WebPDecode(data, size, &config);
87 }
88
89 WebPFreeDecBuffer(&config.output);
90 return 0;
91 }
92