| Index: third_party/afl/src/experimental/canvas_harness/canvas_harness.html
|
| diff --git a/third_party/afl/src/experimental/canvas_harness/canvas_harness.html b/third_party/afl/src/experimental/canvas_harness/canvas_harness.html
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..192936675ce1d3de74b3eb0ad4441f56cf3c57f0
|
| --- /dev/null
|
| +++ b/third_party/afl/src/experimental/canvas_harness/canvas_harness.html
|
| @@ -0,0 +1,170 @@
|
| +<html>
|
| +<!--
|
| +
|
| + american fuzzy lop - <canvas> harness
|
| + -------------------------------------
|
| +
|
| + Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
| +
|
| + Copyright 2013, 2014 Google Inc. All rights reserved.
|
| +
|
| + Licensed under the Apache License, Version 2.0 (the "License");
|
| + you may not use this file except in compliance with the License.
|
| + You may obtain a copy of the License at:
|
| +
|
| + http://www.apache.org/licenses/LICENSE-2.0
|
| +
|
| + A simple harness for going through afl-generated test cases, rendering them in
|
| + the browser environment, and discovering the use of uninitialized memory and
|
| + similar bugs. This code led to the discovery of a fair number of library and
|
| + browser security bugs!
|
| +
|
| + The url_list[] array is a placeholder; for this to work properly, it needs to
|
| + be initialized with web-reachable paths to individual test cases. This can
|
| + be done manually or with a simple script.
|
| +
|
| +-->
|
| +
|
| +<body onload="set_images()">
|
| +
|
| +<div id="status"></div>
|
| +
|
| +<div id="image_div"></div>
|
| +
|
| +<canvas height=64 width=64 id=cvs></canvas>
|
| +
|
| +<h2>Results</h2>
|
| +
|
| +<ul id="output"></ul>
|
| +
|
| +<script>
|
| +
|
| +var c = document.getElementById('cvs');
|
| +var ctx = c.getContext('2d');
|
| +
|
| +var url_list = [
|
| + "images/id:000000,[...].jpg",
|
| + "images/id:000001,[...].jpg",
|
| + /* ... */
|
| + null
|
| +];
|
| +
|
| +var USE_IMAGES = 50;
|
| +var cur_image = 0;
|
| +
|
| +if (location.hash) cur_image = parseInt(location.hash.substr(1));
|
| +
|
| +var loaded = 0;
|
| +var image_obj = [];
|
| +
|
| +var msie_cleanup;
|
| +
|
| +function check_results() {
|
| +
|
| + var uniques = [];
|
| +
|
| + clearTimeout(msie_cleanup);
|
| +
|
| + ctx.clearRect(0, 0, 64, 64);
|
| +
|
| + uniques.push(image_obj[0].imgdata);
|
| +
|
| + for (var i = 1; i < USE_IMAGES; i++) {
|
| +
|
| + if (!image_obj[i].imgdata) continue;
|
| +
|
| + if (image_obj[0].imgdata != image_obj[i].imgdata) {
|
| +
|
| + for (var j = 1; j < uniques.length; j++)
|
| + if (uniques[j] == image_obj[i].imgdata) break;
|
| +
|
| + if (j == uniques.length) uniques.push(image_obj[i].imgdata);
|
| +
|
| +
|
| + }
|
| +
|
| + }
|
| +
|
| + if (uniques.length > 1) {
|
| +
|
| + var str = '<li> Image ' + url_list[cur_image] + ' has ' + uniques.length + ' variants: ';
|
| +
|
| + for (var i = 0; i < uniques.length; i++)
|
| + str += '<img src="' + uniques[i] + '">';
|
| +
|
| + document.getElementById('output').innerHTML += str;
|
| +
|
| + }
|
| +
|
| + cur_image++;
|
| + set_images();
|
| +}
|
| +
|
| +
|
| +function count_image() {
|
| +
|
| + if (!this.complete || this.counted) return;
|
| +
|
| + this.counted = true;
|
| +
|
| + loaded++;
|
| +
|
| + ctx.clearRect(0, 0, 64, 64);
|
| +
|
| + try {
|
| + ctx.drawImage(this, 0, 0, 64, 64);
|
| + } catch (e) { }
|
| +
|
| + this.imgdata = c.toDataURL();
|
| +
|
| + if (loaded == USE_IMAGES) check_results();
|
| +}
|
| +
|
| +
|
| +function set_images() {
|
| +
|
| + loaded = 0;
|
| +
|
| + document.getElementById('status').innerHTML = 'Now processing ' + cur_image + '...';
|
| + location.hash = '#' + cur_image;
|
| +
|
| + if (url_list[cur_image] == null) {
|
| + alert('Done!');
|
| + return;
|
| + }
|
| +
|
| + restart_images();
|
| +
|
| + msie_cleanup = setTimeout(check_results, 5000);
|
| +
|
| + for (var i = 0; i < USE_IMAGES; i++)
|
| + image_obj[i].src = url_list[cur_image] + '?' + Math.random();
|
| +
|
| +}
|
| +
|
| +
|
| +function restart_images() {
|
| +
|
| + for (var i = 0; i < USE_IMAGES; i++)
|
| + if (image_obj[i]) image_obj[i].counted = true;
|
| +
|
| + document.getElementById('image_div').innerHTML = '';
|
| + image_obj = [];
|
| +
|
| + for (var i = 0; i < USE_IMAGES; i++) {
|
| +
|
| + image_obj[i] = new Image();
|
| + image_obj[i].height = 64;
|
| + image_obj[i].width = 64;
|
| + image_obj[i].onerror = count_image;
|
| + image_obj[i].onload = count_image;
|
| +
|
| + document.getElementById('image_div').appendChild(image_obj[i]);
|
| +
|
| + }
|
| +
|
| +}
|
| +
|
| +</script>
|
| +
|
| +<iframe src='http://www.cnn.com/'></iframe>
|
|
|
Chromium Code Reviews
Issue 2075883002:
Add American Fuzzy Lop (afl) to third_party/afl/ (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master