From a090195adab9b936bff1deae58ed5c0f141430b4 Mon Sep 17 00:00:00 2001 From: Vignesh Venkatasubramanian Date: Thu, 4 Aug 2022 09:43:30 -0700 Subject: external/libyuv: Move files/fuzz to top level directory fuzz subdirectory is not part of upstream libyuv and is specific to android's copy of libyuv. So by moving it to the top level external/libyuv directory, we can make sure that "files" subdirectory contains a pristine copy of upstream libyuv. It also makes updating libyuv from upstream easier. Bug: 241008246 Test: libyuv_mjpeg_dec_fuzz target builds successfully Merged-In: Iab37b2c9365725362443408f5fc493730fafcd86 Change-Id: I8684819a8069c5cd0f2b8a36824ee424cf086130 --- files/fuzz/Android.bp | 24 -------- files/fuzz/OWNERS | 2 - files/fuzz/mjpeg_dec_fuzz.cc | 139 ------------------------------------------- fuzz/Android.bp | 24 ++++++++ fuzz/OWNERS | 2 + fuzz/mjpeg_dec_fuzz.cc | 139 +++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 165 insertions(+), 165 deletions(-) delete mode 100644 files/fuzz/Android.bp delete mode 100644 files/fuzz/OWNERS delete mode 100644 files/fuzz/mjpeg_dec_fuzz.cc create mode 100644 fuzz/Android.bp create mode 100644 fuzz/OWNERS create mode 100644 fuzz/mjpeg_dec_fuzz.cc diff --git a/files/fuzz/Android.bp b/files/fuzz/Android.bp deleted file mode 100644 index 0e495899..00000000 --- a/files/fuzz/Android.bp +++ /dev/null @@ -1,24 +0,0 @@ - -package { - // See: http://go/android-license-faq - // A large-scale-change added 'default_applicable_licenses' to import - // all of the 'license_kinds' from "external_libyuv_files_license" - // to get the below license kinds: - // SPDX-license-identifier-BSD - default_applicable_licenses: ["external_libyuv_files_license"], -} - -cc_fuzz { - name: "libyuv_mjpeg_dec_fuzz", - host_supported: false, - srcs: [ - "mjpeg_dec_fuzz.cc", - ], - static_libs: [ - "libyuv", - ], - - shared_libs: [ - "libjpeg", - ], -} diff --git a/files/fuzz/OWNERS b/files/fuzz/OWNERS deleted file mode 100644 index 37481f5d..00000000 --- a/files/fuzz/OWNERS +++ /dev/null @@ -1,2 +0,0 @@ -ispo@google.com -fbarchard@google.com diff --git a/files/fuzz/mjpeg_dec_fuzz.cc b/files/fuzz/mjpeg_dec_fuzz.cc deleted file mode 100644 index 3be8410a..00000000 --- a/files/fuzz/mjpeg_dec_fuzz.cc +++ /dev/null @@ -1,139 +0,0 @@ -// ----------------------------------------------------------------------------- -// Fuzz Target for libyuv's mjpeg decoder. -// -// This fuzz target focuses on the decoding from JPEG to YUV format. -// ----------------------------------------------------------------------------- -#include "libyuv/basic_types.h" -#include "libyuv/mjpeg_decoder.h" - -#include -#include -#include -#include -#include - - -// ----------------------------------------------------------------------------- -// Checks whether 3 values are equal. -// -inline bool IsEqual(int a, int b, int c) { - return (a == b && a == c); -} - -// ----------------------------------------------------------------------------- -// libFuzzer's callback that is invoked upon startup. -// -extern "C" int LLVMFuzzerInitialize(int *unused_argc, char ***unused_argv) { - (void) unused_argc; // Avoid "-Wunused-parameter" warnings. - (void) unused_argv; - // Printing this message is benefial as we can infer which fuzzer runs - // just by looking at the logs which are stored in the cloud. - printf("[*] Fuzz Target for libyuv mjpeg decoder started.\n"); - - return 0; -} - -// ----------------------------------------------------------------------------- -// Decodes a JPEG image into a YUV format. -// -extern "C" bool Decode(libyuv::MJpegDecoder &decoder) { - // YUV colors are represented with one "luminance" component called Y - // and two "chrominance" components, called U and V. - // Planar formats use separate matrices for each of the 3 color components. - // - // If we don't have 3 components abort. - // - // NOTE: It may be possible to have 4 planes for CMYK and alpha, but it's - // very rare and not supported. - int num_planes = decoder.GetNumComponents(); - - if (num_planes != 3) { - return false; - } - - /* NOTE: Without a jpeg corpus, we can't reach this point */ - - int width = decoder.GetWidth(); - int height = decoder.GetHeight(); - int y_width = decoder.GetComponentWidth(0); - int y_height = decoder.GetComponentHeight(0); - int u_width = decoder.GetComponentWidth(1); - int u_height = decoder.GetComponentHeight(1); - int v_width = decoder.GetComponentWidth(2); - int v_height = decoder.GetComponentHeight(2); - uint8_t *y; - uint8_t *u; - uint8_t *v; - - // Make sure that width and heigh stay at decent levels (< 16K * 16K). - // (Y is the largest buffer). - if (width > (1 << 14) || height > (1 << 14)) { - // Ok, if this happens it's a DoS, but let's ignore it for now. - return false; - } - - // Allocate stides according to the sampling type. - if (IsEqual(y_width, u_width, v_width) && - IsEqual(y_height, u_height, v_height)) { - // Sampling type: YUV444. - y = new uint8_t[width * height]; - u = new uint8_t[width * height]; - v = new uint8_t[width * height]; - - } else if (IsEqual((y_width + 1) / 2, u_width, v_width) && - IsEqual(y_height, u_height, v_height)) { - // Sampling type: YUV422. - y = new uint8_t[width * height]; - u = new uint8_t[((width + 1) / 2) * height]; - v = new uint8_t[((width + 1) / 2) * height]; - - } else if (IsEqual((y_width + 1) / 2, u_width, v_width) && - IsEqual((y_height + 1) / 2, u_height, v_height)) { - // Sampling type: YUV420. - y = new uint8_t[width * height]; - u = new uint8_t[((width + 1) / 2) * ((height + 1) / 2)]; - v = new uint8_t[((width + 1) / 2) * ((height + 1) / 2)]; - - } else { - // Invalid sampling type. - return false; - } - - uint8_t* planes[] = {y, u, v}; - - // Do the actual decoding. (Ignore return values). - decoder.DecodeToBuffers(planes, width, height); - - delete[] y; - delete[] u; - delete[] v; - - return true; // Success! -} - -// ----------------------------------------------------------------------------- -// libFuzzer's callback that performs the actual fuzzing. -// -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // Make sure that we have a minimum length (32 or something small). - if (size < 32) { - return 0; - } - - // Create the decoder object. - libyuv::MJpegDecoder decoder; - - // Load frame, read its headers and determine uncompress image format. - if (decoder.LoadFrame(data, size) == LIBYUV_FALSE) { - // Header parsing error. Discrad frame. - return 0; - } - - // Do the actual decoding. - Decode(decoder); - - // Unload the frame. - decoder.UnloadFrame(); - - return 0; -} diff --git a/fuzz/Android.bp b/fuzz/Android.bp new file mode 100644 index 00000000..a8d552b1 --- /dev/null +++ b/fuzz/Android.bp @@ -0,0 +1,24 @@ + +package { + // See: http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // all of the 'license_kinds' from "external_libyuv_license" + // to get the below license kinds: + // SPDX-license-identifier-BSD + default_applicable_licenses: ["external_libyuv_license"], +} + +cc_fuzz { + name: "libyuv_mjpeg_dec_fuzz", + host_supported: false, + srcs: [ + "mjpeg_dec_fuzz.cc", + ], + static_libs: [ + "libyuv", + ], + + shared_libs: [ + "libjpeg", + ], +} diff --git a/fuzz/OWNERS b/fuzz/OWNERS new file mode 100644 index 00000000..37481f5d --- /dev/null +++ b/fuzz/OWNERS @@ -0,0 +1,2 @@ +ispo@google.com +fbarchard@google.com diff --git a/fuzz/mjpeg_dec_fuzz.cc b/fuzz/mjpeg_dec_fuzz.cc new file mode 100644 index 00000000..3be8410a --- /dev/null +++ b/fuzz/mjpeg_dec_fuzz.cc @@ -0,0 +1,139 @@ +// ----------------------------------------------------------------------------- +// Fuzz Target for libyuv's mjpeg decoder. +// +// This fuzz target focuses on the decoding from JPEG to YUV format. +// ----------------------------------------------------------------------------- +#include "libyuv/basic_types.h" +#include "libyuv/mjpeg_decoder.h" + +#include +#include +#include +#include +#include + + +// ----------------------------------------------------------------------------- +// Checks whether 3 values are equal. +// +inline bool IsEqual(int a, int b, int c) { + return (a == b && a == c); +} + +// ----------------------------------------------------------------------------- +// libFuzzer's callback that is invoked upon startup. +// +extern "C" int LLVMFuzzerInitialize(int *unused_argc, char ***unused_argv) { + (void) unused_argc; // Avoid "-Wunused-parameter" warnings. + (void) unused_argv; + // Printing this message is benefial as we can infer which fuzzer runs + // just by looking at the logs which are stored in the cloud. + printf("[*] Fuzz Target for libyuv mjpeg decoder started.\n"); + + return 0; +} + +// ----------------------------------------------------------------------------- +// Decodes a JPEG image into a YUV format. +// +extern "C" bool Decode(libyuv::MJpegDecoder &decoder) { + // YUV colors are represented with one "luminance" component called Y + // and two "chrominance" components, called U and V. + // Planar formats use separate matrices for each of the 3 color components. + // + // If we don't have 3 components abort. + // + // NOTE: It may be possible to have 4 planes for CMYK and alpha, but it's + // very rare and not supported. + int num_planes = decoder.GetNumComponents(); + + if (num_planes != 3) { + return false; + } + + /* NOTE: Without a jpeg corpus, we can't reach this point */ + + int width = decoder.GetWidth(); + int height = decoder.GetHeight(); + int y_width = decoder.GetComponentWidth(0); + int y_height = decoder.GetComponentHeight(0); + int u_width = decoder.GetComponentWidth(1); + int u_height = decoder.GetComponentHeight(1); + int v_width = decoder.GetComponentWidth(2); + int v_height = decoder.GetComponentHeight(2); + uint8_t *y; + uint8_t *u; + uint8_t *v; + + // Make sure that width and heigh stay at decent levels (< 16K * 16K). + // (Y is the largest buffer). + if (width > (1 << 14) || height > (1 << 14)) { + // Ok, if this happens it's a DoS, but let's ignore it for now. + return false; + } + + // Allocate stides according to the sampling type. + if (IsEqual(y_width, u_width, v_width) && + IsEqual(y_height, u_height, v_height)) { + // Sampling type: YUV444. + y = new uint8_t[width * height]; + u = new uint8_t[width * height]; + v = new uint8_t[width * height]; + + } else if (IsEqual((y_width + 1) / 2, u_width, v_width) && + IsEqual(y_height, u_height, v_height)) { + // Sampling type: YUV422. + y = new uint8_t[width * height]; + u = new uint8_t[((width + 1) / 2) * height]; + v = new uint8_t[((width + 1) / 2) * height]; + + } else if (IsEqual((y_width + 1) / 2, u_width, v_width) && + IsEqual((y_height + 1) / 2, u_height, v_height)) { + // Sampling type: YUV420. + y = new uint8_t[width * height]; + u = new uint8_t[((width + 1) / 2) * ((height + 1) / 2)]; + v = new uint8_t[((width + 1) / 2) * ((height + 1) / 2)]; + + } else { + // Invalid sampling type. + return false; + } + + uint8_t* planes[] = {y, u, v}; + + // Do the actual decoding. (Ignore return values). + decoder.DecodeToBuffers(planes, width, height); + + delete[] y; + delete[] u; + delete[] v; + + return true; // Success! +} + +// ----------------------------------------------------------------------------- +// libFuzzer's callback that performs the actual fuzzing. +// +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + // Make sure that we have a minimum length (32 or something small). + if (size < 32) { + return 0; + } + + // Create the decoder object. + libyuv::MJpegDecoder decoder; + + // Load frame, read its headers and determine uncompress image format. + if (decoder.LoadFrame(data, size) == LIBYUV_FALSE) { + // Header parsing error. Discrad frame. + return 0; + } + + // Do the actual decoding. + Decode(decoder); + + // Unload the frame. + decoder.UnloadFrame(); + + return 0; +} -- cgit v1.2.3