| Index: third_party/afl/src/experimental/post_library/post_library_png.so.c
|
| diff --git a/third_party/afl/src/experimental/post_library/post_library_png.so.c b/third_party/afl/src/experimental/post_library/post_library_png.so.c
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..080a6938ac814653e4cbd9c7a15de353454c9f20
|
| --- /dev/null
|
| +++ b/third_party/afl/src/experimental/post_library/post_library_png.so.c
|
| @@ -0,0 +1,113 @@
|
| +/*
|
| + american fuzzy lop - postprocessor for PNG
|
| + ------------------------------------------
|
| +
|
| + Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
| +
|
| + Copyright 2015 Google Inc. All rights reserved.
|
| +
|
| + Licensed under the Apache License, Version 2.0 (the "License");
|
| + you may not use this file except in compliance with the License.
|
| + You may obtain a copy of the License at:
|
| +
|
| + http://www.apache.org/licenses/LICENSE-2.0
|
| +
|
| + See post_library.so.c for a general discussion of how to implement
|
| + postprocessors. This specific postprocessor attempts to fix up PNG
|
| + checksums, providing a slightly more complicated example than found
|
| + in post_library.so.c.
|
| +
|
| + Compile with:
|
| +
|
| + gcc -shared -Wall -O3 post_library_png.so.c -o post_library_png.so -lz
|
| +
|
| + */
|
| +
|
| +#include <stdio.h>
|
| +#include <stdlib.h>
|
| +#include <stdint.h>
|
| +#include <string.h>
|
| +#include <zlib.h>
|
| +
|
| +#include <arpa/inet.h>
|
| +
|
| +/* A macro to round an integer up to 4 kB. */
|
| +
|
| +#define UP4K(_i) ((((_i) >> 12) + 1) << 12)
|
| +
|
| +const unsigned char* afl_postprocess(const unsigned char* in_buf,
|
| + unsigned int* len) {
|
| +
|
| + static unsigned char* saved_buf;
|
| + static unsigned int saved_len;
|
| +
|
| + unsigned char* new_buf = (unsigned char*)in_buf;
|
| + unsigned int pos = 8;
|
| +
|
| + /* Don't do anything if there's not enough room for the PNG header
|
| + (8 bytes). */
|
| +
|
| + if (*len < 8) return in_buf;
|
| +
|
| + /* Minimum size of a zero-length PNG chunk is 12 bytes; if we
|
| + don't have that, we can bail out. */
|
| +
|
| + while (pos + 12 <= *len) {
|
| +
|
| + unsigned int chunk_len, real_cksum, file_cksum;
|
| +
|
| + /* Chunk length is the first big-endian dword in the chunk. */
|
| +
|
| + chunk_len = ntohl(*(uint32_t*)(in_buf + pos));
|
| +
|
| + /* Bail out if chunk size is too big or goes past EOF. */
|
| +
|
| + if (chunk_len > 1024 * 1024 || pos + 12 + chunk_len > *len) break;
|
| +
|
| + /* Chunk checksum is calculated for chunk ID (dword) and the actual
|
| + payload. */
|
| +
|
| + real_cksum = htonl(crc32(0, in_buf + pos + 4, chunk_len + 4));
|
| +
|
| + /* The in-file checksum is the last dword past the chunk data. */
|
| +
|
| + file_cksum = *(uint32_t*)(in_buf + pos + 8 + chunk_len);
|
| +
|
| + /* If the checksums do not match, we need to fix the file. */
|
| +
|
| + if (real_cksum != file_cksum) {
|
| +
|
| + /* First modification? Make a copy of the input buffer. Round size
|
| + up to 4 kB to minimize the number of reallocs needed. */
|
| +
|
| + if (new_buf == in_buf) {
|
| +
|
| + if (*len <= saved_len) {
|
| +
|
| + new_buf = saved_buf;
|
| +
|
| + } else {
|
| +
|
| + new_buf = realloc(saved_buf, UP4K(*len));
|
| + if (!new_buf) return in_buf;
|
| + saved_buf = new_buf;
|
| + saved_len = UP4K(*len);
|
| + memcpy(new_buf, in_buf, *len);
|
| +
|
| + }
|
| +
|
| + }
|
| +
|
| + *(uint32_t*)(new_buf + pos + 8 + chunk_len) = real_cksum;
|
| +
|
| + }
|
| +
|
| + /* Skip the entire chunk and move to the next one. */
|
| +
|
| + pos += 12 + chunk_len;
|
| +
|
| + }
|
| +
|
| + return new_buf;
|
| +
|
| +}
|
|
|
Chromium Code Reviews
Issue 2075883002:
Add American Fuzzy Lop (afl) to third_party/afl/ (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master