• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2020 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //      http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16 
17 #include <cstddef>
18 #include <cstdint>
19 #include <string_view>
20 
21 #include "./fuzz_utils.h"
22 #include "imageio/imageio_util.h"
23 #include "src/webp/decode.h"
24 #include "src/webp/demux.h"
25 #include "src/webp/mux_types.h"
26 
27 namespace {
28 
AnimDecoderTest(std::string_view blob)29 void AnimDecoderTest(std::string_view blob) {
30   const uint8_t* const data = reinterpret_cast<const uint8_t*>(blob.data());
31   const size_t size = blob.size();
32 
33   // WebPAnimDecoderGetInfo() is too late to check the canvas size as
34   // WebPAnimDecoderNew() will handle the allocations.
35   const size_t kMaxNumBytes = 2684354560;  // RSS (resident set size) limit.
36   const size_t kMaxNumPixels = kMaxNumBytes / 4;       // At most ARGB.
37   const size_t kMaxNumPixelsSafe = kMaxNumPixels / 2;  // Allow one buffer copy.
38   WebPBitstreamFeatures features;
39   if (WebPGetFeatures(data, size, &features) == VP8_STATUS_OK) {
40     if (!ImgIoUtilCheckSizeArgumentsOverflow(features.width * 4,
41                                              features.height) ||
42         static_cast<size_t>(features.width) * features.height >
43             kMaxNumPixelsSafe) {
44       return;
45     }
46   }
47 
48   // decode everything as an animation
49   WebPData webp_data = {data, size};
50   WebPAnimDecoder* const dec = WebPAnimDecoderNew(&webp_data, nullptr);
51   if (dec == nullptr) return;
52 
53   WebPAnimInfo info;
54   if (!WebPAnimDecoderGetInfo(dec, &info)) goto End;
55   if (!ImgIoUtilCheckSizeArgumentsOverflow(info.canvas_width * 4,
56                                            info.canvas_height)) {
57     goto End;
58   }
59 
60   while (WebPAnimDecoderHasMoreFrames(dec)) {
61     uint8_t* buf;
62     int timestamp;
63     if (!WebPAnimDecoderGetNext(dec, &buf, &timestamp)) break;
64   }
65 End:
66   WebPAnimDecoderDelete(dec);
67 }
68 
69 }  // namespace
70 
71 FUZZ_TEST(AnimDecoder, AnimDecoderTest)
72     .WithDomains(
73         fuzztest::String()
74             .WithMaxSize(fuzz_utils::kMaxWebPFileSize + 1));
75