2 // libpng_read_fuzzer.cc
3 // Copyright 2017-2018 Glenn Randers-Pehrson
4 // Copyright 2015 The Chromium Authors. All rights reserved.
5 // Use of this source code is governed by a BSD-style license that may
6 // be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE
8 // The modifications in 2017 by Glenn Randers-Pehrson include
9 // 1. addition of a PNG_CLEANUP macro,
10 // 2. setting the option to ignore ADLER32 checksums,
11 // 3. adding "#include <string.h>" which is needed on some platforms
12 // to provide memcpy().
13 // 4. adding read_end_info() and creating an end_info structure.
14 // 5. adding calls to png_set_*() transforms commonly used by browsers.
27 if(png_handler.png_ptr) \
29 if (png_handler.row_ptr) \
30 png_free(png_handler.png_ptr, png_handler.row_ptr); \
31 if (png_handler.end_info_ptr) \
32 png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\
33 &png_handler.end_info_ptr); \
34 else if (png_handler.info_ptr) \
35 png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\
38 png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \
39 png_handler.png_ptr = nullptr; \
40 png_handler.row_ptr = nullptr; \
41 png_handler.info_ptr = nullptr; \
42 png_handler.end_info_ptr = nullptr; \
50 struct PngObjectHandler {
51 png_infop info_ptr = nullptr;
52 png_structp png_ptr = nullptr;
53 png_infop end_info_ptr = nullptr;
54 png_voidp row_ptr = nullptr;
55 BufState* buf_state = nullptr;
59 png_free(png_ptr, row_ptr);
61 png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr);
63 png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
65 png_destroy_read_struct(&png_ptr, nullptr, nullptr);
70 void user_read_data(png_structp png_ptr, png_bytep data, size_t length) {
71 BufState* buf_state = static_cast<BufState*>(png_get_io_ptr(png_ptr));
72 if (length > buf_state->bytes_left) {
73 png_error(png_ptr, "read error");
75 memcpy(data, buf_state->data, length);
76 buf_state->bytes_left -= length;
77 buf_state->data += length;
80 void* limited_malloc(png_structp, png_alloc_size_t size) {
81 // libpng may allocate large amounts of memory that the fuzzer reports as
82 // an error. In order to silence these errors, make libpng fail when trying
83 // to allocate a large amount. This allocator used to be in the Chromium
84 // version of this fuzzer.
85 // This number is chosen to match the default png_user_chunk_malloc_max.
92 void default_free(png_structp, png_voidp ptr) {
96 static const int kPngHeaderSize = 8;
98 // Entry point for LibFuzzer.
99 // Roughly follows the libpng book example:
100 // http://www.libpng.org/pub/png/book/chapter13.html
101 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
102 if (size < kPngHeaderSize) {
106 std::vector<unsigned char> v(data, data + size);
107 if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) {
112 PngObjectHandler png_handler;
113 png_handler.png_ptr = nullptr;
114 png_handler.row_ptr = nullptr;
115 png_handler.info_ptr = nullptr;
116 png_handler.end_info_ptr = nullptr;
118 png_handler.png_ptr = png_create_read_struct
119 (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr);
120 if (!png_handler.png_ptr) {
124 png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr);
125 if (!png_handler.info_ptr) {
130 png_handler.end_info_ptr = png_create_info_struct(png_handler.png_ptr);
131 if (!png_handler.end_info_ptr) {
136 // Use a custom allocator that fails for large allocations to avoid OOM.
137 png_set_mem_fn(png_handler.png_ptr, nullptr, limited_malloc, default_free);
139 png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
140 #ifdef PNG_IGNORE_ADLER32
141 png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON);
144 // Setting up reading from buffer.
145 png_handler.buf_state = new BufState();
146 png_handler.buf_state->data = data + kPngHeaderSize;
147 png_handler.buf_state->bytes_left = size - kPngHeaderSize;
148 png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data);
149 png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize);
151 if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
157 png_read_info(png_handler.png_ptr, png_handler.info_ptr);
159 // reset error handler to put png_deleter into scope.
160 if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
165 png_uint_32 width, height;
166 int bit_depth, color_type, interlace_type, compression_type;
169 if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width,
170 &height, &bit_depth, &color_type, &interlace_type,
171 &compression_type, &filter_type)) {
176 // This is going to be too slow.
177 if (width && height > 100000000 / width) {
182 // Set several transforms that browsers typically use:
183 png_set_gray_to_rgb(png_handler.png_ptr);
184 png_set_expand(png_handler.png_ptr);
185 png_set_packing(png_handler.png_ptr);
186 png_set_scale_16(png_handler.png_ptr);
187 png_set_tRNS_to_alpha(png_handler.png_ptr);
189 int passes = png_set_interlace_handling(png_handler.png_ptr);
191 png_read_update_info(png_handler.png_ptr, png_handler.info_ptr);
193 png_handler.row_ptr = png_malloc(
194 png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr,
195 png_handler.info_ptr));
197 for (int pass = 0; pass < passes; ++pass) {
198 for (png_uint_32 y = 0; y < height; ++y) {
199 png_read_row(png_handler.png_ptr,
200 static_cast<png_bytep>(png_handler.row_ptr), nullptr);
204 png_read_end(png_handler.png_ptr, png_handler.end_info_ptr);