1 // Copyright 2018 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //      http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16 
17 #include <string.h>
18 
19 #include "./fuzz_utils.h"
20 #include "src/webp/decode.h"
21 
LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size)22 int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
23   int i;
24   WebPDecoderConfig config;
25   if (!WebPInitDecoderConfig(&config)) return 0;
26   if (WebPGetFeatures(data, size, &config.input) != VP8_STATUS_OK) return 0;
27   if ((size_t)config.input.width * config.input.height > kFuzzPxLimit) return 0;
28 
29   // Using two independent criteria ensures that all combinations of options
30   // can reach each path at the decoding stage, with meaningful differences.
31 
32   const uint8_t value = FuzzHash(data, size);
33   const float factor = value / 255.f;  // 0-1
34 
35   config.options.flip = value & 1;
36   config.options.bypass_filtering = value & 2;
37   config.options.no_fancy_upsampling = value & 4;
38   config.options.use_threads = value & 8;
39   if (size & 1) {
40     config.options.use_cropping = 1;
41     config.options.crop_width = (int)(config.input.width * (1 - factor));
42     config.options.crop_height = (int)(config.input.height * (1 - factor));
43     config.options.crop_left = config.input.width - config.options.crop_width;
44     config.options.crop_top = config.input.height - config.options.crop_height;
45   }
46   if (size & 2) {
47     int strength = (int)(factor * 100);
48     config.options.dithering_strength = strength;
49     config.options.alpha_dithering_strength = 100 - strength;
50   }
51   if (size & 4) {
52     config.options.use_scaling = 1;
53     config.options.scaled_width = (int)(config.input.width * factor * 2);
54     config.options.scaled_height = (int)(config.input.height * factor * 2);
55   }
56 
57 #if defined(WEBP_REDUCE_CSP)
58   config.output.colorspace = (value & 1)
59                                  ? ((value & 2) ? MODE_RGBA : MODE_BGRA)
60                                  : ((value & 2) ? MODE_rgbA : MODE_bgrA);
61 #else
62   config.output.colorspace = (WEBP_CSP_MODE)(value % MODE_LAST);
63 #endif  // WEBP_REDUCE_CSP
64 
65   for (i = 0; i < 2; ++i) {
66     if (i == 1) {
67       // Use the bitstream data to generate extreme ranges for the options. An
68       // alternative approach would be to use a custom corpus containing webp
69       // files prepended with sizeof(config.options) zeroes to allow the fuzzer
70       // to modify these independently.
71       const int data_offset = 50;
72       if (size > data_offset + sizeof(config.options)) {
73         memcpy(&config.options, data + data_offset, sizeof(config.options));
74       } else {
75         break;
76       }
77     }
78     if (size % 3) {
79       // Decodes incrementally in chunks of increasing size.
80       WebPIDecoder* idec = WebPIDecode(NULL, 0, &config);
81       if (!idec) return 0;
82       VP8StatusCode status;
83       if (size & 8) {
84         size_t available_size = value + 1;
85         while (1) {
86           if (available_size > size) available_size = size;
87           status = WebPIUpdate(idec, data, available_size);
88           if (status != VP8_STATUS_SUSPENDED || available_size == size) break;
89           available_size *= 2;
90         }
91       } else {
92         // WebPIAppend expects new data and its size with each call.
93         // Implemented here by simply advancing the pointer into data.
94         const uint8_t* new_data = data;
95         size_t new_size = value + 1;
96         while (1) {
97           if (new_data + new_size > data + size) {
98             new_size = data + size - new_data;
99           }
100           status = WebPIAppend(idec, new_data, new_size);
101           if (status != VP8_STATUS_SUSPENDED || new_size == 0) break;
102           new_data += new_size;
103           new_size *= 2;
104         }
105       }
106       WebPIDelete(idec);
107     } else {
108       WebPDecode(data, size, &config);
109     }
110 
111     WebPFreeDecBuffer(&config.output);
112   }
113   return 0;
114 }
115