Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(87)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/platform/PngFuzzer.cpp

Issue 2603303003: Add fuzzer for (A)PNG decoder (Closed)
Patch Set: Respond to comments in original issue Created 3 years, 12 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« third_party/WebKit/Source/platform/BUILD.gn ('K') | « third_party/WebKit/Source/platform/BUILD.gn ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/platform/PngFuzzer.cpp
diff --git a/third_party/WebKit/Source/platform/PngFuzzer.cpp b/third_party/WebKit/Source/platform/PngFuzzer.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0529c0a323485c3ac4f81cd9d8eb59fed32099e4
--- /dev/null
+++ b/third_party/WebKit/Source/platform/PngFuzzer.cpp
@@ -0,0 +1,66 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// TODO (scroggo): Move this to
+// third_party/WebKit/Source/platform/image-decoders ?
+
+// Compile with:
+// gn gen out/Fuzz '--args=use_libfuzzer=true is_asan=true
+// is_debug=false is_ubsan_security=true' --check
+// ninja -C out/Fuzz blink_png_decoder_fuzzer
+//
+// Run with:
+// ./out/Fuzz/blink_png_decoder_fuzzer
+// third_party/WebKit/LayoutTests/images/resources/pngfuzz
+//
+// Alternatively, it can be run with:
+// ./out/Fuzz/blink_png_decoder_fuzzer ~/another_dir_to_store_corpus
+// third_party/WebKit/LayoutTests/images/resources/pngfuzz
+//
+// so the fuzzer will read both directories passed, but all new generated
+// testcases will go into
+// `~/another_dir_to_store_corpus
mmoroz 2017/01/04 08:37:54 Looks like a typo: "`"
scroggo_chromium 2017/01/05 14:26:09 Done.
+//
+// For more details, see
+// https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/README.md
+
+#include "platform/image-decoders/png/PNGImageDecoder.cpp"
+#include "platform/testing/BlinkFuzzerTestSupport.h"
+
+namespace blink {
+
+std::unique_ptr<ImageDecoder> createDecoder(
+ ImageDecoder::AlphaOption alphaOption) {
+ return WTF::wrapUnique(new PNGImageDecoder(
+ alphaOption, ColorBehavior::transformToTargetForTesting(),
+ ImageDecoder::noDecodedImageByteLimit));
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ auto buffer = SharedBuffer::create(data, size);
+ // TODO (scroggo): Also test ImageDecoder::AlphaNotPremultiplied?
+ auto decoder = createDecoder(ImageDecoder::AlphaPremultiplied);
+ const bool allDataReceived = true;
+ decoder->setData(buffer.get(), allDataReceived);
+ decoder->frameCount();
+ if (decoder->failed())
+ return 0;
+ for (size_t frame = 0; frame < decoder->frameCount(); frame++) {
+ decoder->frameBufferAtIndex(frame);
+ if (decoder->failed())
+ return 0;
+ }
+ return 0;
+}
+
+} // namespace blink
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ return blink::LLVMFuzzerTestOneInput(data, size);
+}
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
+ blink::InitializeBlinkFuzzTest(argc, argv);
+ return 0;
+}
« third_party/WebKit/Source/platform/BUILD.gn ('K') | « third_party/WebKit/Source/platform/BUILD.gn ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698