1 // Copyright 2018 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 #include <algorithm>
18 #include <cstddef>
19 #include <cstdint>
20 #include <string_view>
21
22 #include "./fuzz_utils.h"
23 #include "src/dec/webpi_dec.h"
24 #include "src/utils/rescaler_utils.h"
25 #include "src/webp/decode.h"
26
27 namespace {
28
AdvancedApiTest(std::string_view blob,uint8_t factor_u8,bool flip,bool bypass_filtering,bool no_fancy_upsampling,bool use_threads,bool use_cropping,bool use_scaling,bool use_dithering,int colorspace,bool incremental)29 void AdvancedApiTest(std::string_view blob, uint8_t factor_u8, bool flip,
30 bool bypass_filtering, bool no_fancy_upsampling,
31 bool use_threads, bool use_cropping, bool use_scaling,
32 bool use_dithering, int colorspace, bool incremental) {
33 WebPDecoderConfig config;
34 if (!WebPInitDecoderConfig(&config)) return;
35 const uint8_t* const data = reinterpret_cast<const uint8_t*>(blob.data());
36 const size_t size = blob.size();
37 if (WebPGetFeatures(data, size, &config.input) != VP8_STATUS_OK) return;
38 if ((size_t)config.input.width * config.input.height >
39 fuzz_utils::kFuzzPxLimit) {
40 return;
41 }
42
43 // Using two independent criteria ensures that all combinations of options
44 // can reach each path at the decoding stage, with meaningful differences.
45
46 const uint8_t value = fuzz_utils::FuzzHash(data, size);
47 const float factor = factor_u8 / 255.f; // 0-1
48
49 config.options.flip = flip;
50 config.options.bypass_filtering = bypass_filtering;
51 config.options.no_fancy_upsampling = no_fancy_upsampling;
52 config.options.use_threads = use_threads;
53 if (use_cropping) {
54 config.options.use_cropping = 1;
55 config.options.crop_width = (int)(config.input.width * (1 - factor));
56 config.options.crop_height = (int)(config.input.height * (1 - factor));
57 config.options.crop_left = config.input.width - config.options.crop_width;
58 config.options.crop_top = config.input.height - config.options.crop_height;
59 }
60 if (use_dithering) {
61 int strength = (int)(factor * 100);
62 config.options.dithering_strength = strength;
63 config.options.alpha_dithering_strength = 100 - strength;
64 }
65 if (use_scaling) {
66 config.options.use_scaling = 1;
67 config.options.scaled_width = (int)(config.input.width * factor * 2);
68 config.options.scaled_height = (int)(config.input.height * factor * 2);
69 }
70 config.output.colorspace = static_cast<WEBP_CSP_MODE>(colorspace);
71
72 for (int i = 0; i < 2; ++i) {
73 if (i == 1) {
74 // Use the bitstream data to generate extreme ranges for the options. An
75 // alternative approach would be to use a custom corpus containing webp
76 // files prepended with sizeof(config.options) zeroes to allow the fuzzer
77 // to modify these independently.
78 const int data_offset = 50;
79 if (data_offset + sizeof(config.options) >= size) break;
80 memcpy(&config.options, data + data_offset, sizeof(config.options));
81
82 // Skip easily avoidable out-of-memory fuzzing errors.
83 if (config.options.use_scaling) {
84 int input_width = config.input.width;
85 int input_height = config.input.height;
86 if (config.options.use_cropping) {
87 const int cw = config.options.crop_width;
88 const int ch = config.options.crop_height;
89 const int x = config.options.crop_left & ~1;
90 const int y = config.options.crop_top & ~1;
91 if (WebPCheckCropDimensions(input_width, input_height, x, y, cw,
92 ch)) {
93 input_width = cw;
94 input_height = ch;
95 }
96 }
97
98 int scaled_width = config.options.scaled_width;
99 int scaled_height = config.options.scaled_height;
100 if (WebPRescalerGetScaledDimensions(input_width, input_height,
101 &scaled_width, &scaled_height)) {
102 size_t fuzz_px_limit = fuzz_utils::kFuzzPxLimit;
103 if (scaled_width != config.input.width ||
104 scaled_height != config.input.height) {
105 // Using the WebPRescalerImport internally can significantly slow
106 // down the execution. Avoid timeouts due to that.
107 fuzz_px_limit /= 2;
108 }
109 // A big output canvas can lead to out-of-memory and timeout issues,
110 // but a big internal working buffer can too. Also, rescaling from a
111 // very wide input image to a very tall canvas can be as slow as
112 // decoding a huge number of pixels. Avoid timeouts due to these.
113 const uint64_t max_num_operations =
114 (uint64_t)std::max(scaled_width, config.input.width) *
115 std::max(scaled_height, config.input.height);
116 if (max_num_operations > fuzz_px_limit) {
117 break;
118 }
119 }
120 }
121 }
122 if (incremental) {
123 // Decodes incrementally in chunks of increasing size.
124 WebPIDecoder* idec = WebPIDecode(NULL, 0, &config);
125 if (!idec) return;
126 VP8StatusCode status;
127 if (size & 8) {
128 size_t available_size = value + 1;
129 while (1) {
130 if (available_size > size) available_size = size;
131 status = WebPIUpdate(idec, data, available_size);
132 if (status != VP8_STATUS_SUSPENDED || available_size == size) break;
133 available_size *= 2;
134 }
135 } else {
136 // WebPIAppend expects new data and its size with each call.
137 // Implemented here by simply advancing the pointer into data.
138 const uint8_t* new_data = data;
139 size_t new_size = value + 1;
140 while (1) {
141 if (new_data + new_size > data + size) {
142 new_size = data + size - new_data;
143 }
144 status = WebPIAppend(idec, new_data, new_size);
145 if (status != VP8_STATUS_SUSPENDED || new_size == 0) break;
146 new_data += new_size;
147 new_size *= 2;
148 }
149 }
150 WebPIDelete(idec);
151 } else {
152 (void)WebPDecode(data, size, &config);
153 }
154
155 WebPFreeDecBuffer(&config.output);
156 }
157 }
158
159 } // namespace
160
161 FUZZ_TEST(AdvancedApi, AdvancedApiTest)
162 .WithDomains(
163 fuzztest::String()
164 .WithMaxSize(fuzz_utils::kMaxWebPFileSize + 1),
165 /*factor_u8=*/fuzztest::Arbitrary<uint8_t>(),
166 /*flip=*/fuzztest::Arbitrary<bool>(),
167 /*bypass_filtering=*/fuzztest::Arbitrary<bool>(),
168 /*no_fancy_upsampling=*/fuzztest::Arbitrary<bool>(),
169 /*use_threads=*/fuzztest::Arbitrary<bool>(),
170 /*use_cropping=*/fuzztest::Arbitrary<bool>(),
171 /*use_scaling=*/fuzztest::Arbitrary<bool>(),
172 /*use_dithering=*/fuzztest::Arbitrary<bool>(),
173 #if defined(WEBP_REDUCE_CSP)
174 fuzztest::ElementOf<int>({static_cast<int>(MODE_RGBA),
175 static_cast<int>(MODE_BGRA),
176 static_cast<int>(MODE_rgbA),
177 static_cast<int>(MODE_bgrA)}),
178 #else
179 fuzztest::InRange<int>(0, static_cast<int>(MODE_LAST) - 1),
180 #endif
181 /*incremental=*/fuzztest::Arbitrary<bool>());
182