Fixed bad bitmap size crashes

samplecode/SampleFilterFuzz.cpp

 /*
  * Copyright 2013 Google Inc.
  *
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 #include "SampleCode.h"
 #include "SkBicubicImageFilter.h"
 #include "SkBitmapDevice.h"
 #include "SkBitmapSource.h"
 #include "SkBlurImageFilter.h"
 #include "SkCanvas.h"
 #include "SkColorFilter.h"
 #include "SkColorFilterImageFilter.h"
 #include "SkComposeImageFilter.h"
 #include "SkData.h"
 #include "SkDisplacementMapEffect.h"
 #include "SkDropShadowImageFilter.h"
 #include "SkFlattenableSerialization.h"
 #include "SkLightingImageFilter.h"
 #include "SkMagnifierImageFilter.h"
 #include "SkMergeImageFilter.h"
 #include "SkMorphologyImageFilter.h"
 #include "SkOffsetImageFilter.h"
 #include "SkPerlinNoiseShader.h"
 #include "SkRandom.h"
 #include "SkRectShaderImageFilter.h"
+#include "SkTileImageFilter.h"
 #include "SkView.h"
 #include "SkXfermodeImageFilter.h"
+#include <stdio.h>
+#include <time.h>
 
-static const uint32_t kSeed = 1;
+static const uint32_t kSeed = (uint32_t)(time(NULL));
 static SkRandom gRand(kSeed);
 static bool return_large = false;
 static bool return_undef = false;
 
 static const int kBitmapSize = 24;
 
 static int R(float x) {
     return (int)floor(SkScalarToFloat(gRand.nextUScalar1()) * x);
 }
 
@@ skipping 34 matching lines @@
     }
 
     if (!positiveOnly && (R(4) == 1)) v = -v;
     return v;
 }
 
 static SkScalar make_scalar(bool positiveOnly = false) {
     return make_number(positiveOnly);
 }
 
-static SkRect make_rect(int offset = 1) {
-    return SkRect::MakeWH(SkIntToScalar(R(static_cast<float>(kBitmapSize))+offset),
-                          SkIntToScalar(R(static_cast<float>(kBitmapSize))+offset));
+static SkRect make_rect() {
+    return SkRect::MakeWH(SkIntToScalar(R(static_cast<float>(kBitmapSize))),
+                          SkIntToScalar(R(static_cast<float>(kBitmapSize))));
 }
 
 static SkXfermode::Mode make_xfermode() {
     return static_cast<SkXfermode::Mode>(R(SkXfermode::kLastMode+1));
 }
 
 static SkColor make_color() {
     return (R(2) == 1) ? 0xFFC0F0A0 : 0xFF000090;
 }
 
@@ skipping 57 matching lines @@
 }
 
 static SkImageFilter* make_image_filter(bool canBeNull = true) {
     SkImageFilter* filter = 0;
 
     // Add a 1 in 3 chance to get a NULL input
     if (canBeNull && (R(3) == 1)) { return filter; }
 
     enum { BICUBIC, MERGE, COLOR, BLUR, MAGNIFIER, XFERMODE, OFFSET, COMPOSE,
            DISTANT_LIGHT, POINT_LIGHT, SPOT_LIGHT, NOISE, DROP_SHADOW,
-           MORPHOLOGY, BITMAP, DISPLACE, NUM_FILTERS };
+           MORPHOLOGY, BITMAP, DISPLACE, TILE, NUM_FILTERS };
 
     switch (R(NUM_FILTERS)) {
     case BICUBIC:
         // Scale is set to 1 here so that it can fit in the DAG without resizing the output
         filter = SkBicubicImageFilter::CreateMitchell(SkSize::Make(1, 1), make_image_filter());
         break;
     case MERGE:
         filter = new SkMergeImageFilter(make_image_filter(), make_image_filter(), make_xfermode());
         break;
     case COLOR:
     {
         SkAutoTUnref<SkColorFilter> cf((R(2) == 1) ?
                  SkColorFilter::CreateModeFilter(make_color(), make_xfermode()) :
                  SkColorFilter::CreateLightingFilter(make_color(), make_color()));
         filter = cf.get() ? SkColorFilterImageFilter::Create(cf, make_image_filter()) : 0;
     }
         break;
     case BLUR:
         filter = new SkBlurImageFilter(make_scalar(true), make_scalar(true), make_image_filter());
         break;
     case MAGNIFIER:
-        filter = new SkMagnifierImageFilter(make_rect(0), make_scalar(true));
+        filter = new SkMagnifierImageFilter(make_rect(), make_scalar(true));
         break;
     case XFERMODE:
     {
         SkAutoTUnref<SkXfermode> mode(SkXfermode::Create(make_xfermode()));
         filter = new SkXfermodeImageFilter(mode, make_image_filter(), make_image_filter());
     }
         break;
     case OFFSET:
         filter = new SkOffsetImageFilter(make_scalar(), make_scalar(), make_image_filter());
         break;
@@ skipping 50 matching lines @@
                 R(static_cast<float>(kBitmapSize)), make_image_filter());
         break;
     case BITMAP:
         filter = new SkBitmapSource(make_bitmap());
         break;
     case DISPLACE:
         filter = new SkDisplacementMapEffect(make_channel_selector_type(),
                      make_channel_selector_type(), make_scalar(),
                      make_image_filter(false), make_image_filter());
         break;
+    case TILE:
+        filter = new SkTileImageFilter(make_rect(), make_rect(), make_image_filter(false));
+        break;
     default:
         break;
     }
     return (filter || canBeNull) ? filter : make_image_filter(canBeNull);
 }
 
 static SkImageFilter* make_serialized_image_filter() {
     SkAutoTUnref<SkImageFilter> filter(make_image_filter(false));
     SkAutoTUnref<SkData> data(SkValidatingSerializeFlattenable(filter));
     const unsigned char* ptr = static_cast<const unsigned char*>(data->data());
     size_t len = data->size();
 #ifdef SK_ADD_RANDOM_BIT_FLIPS
     unsigned char* p = const_cast<unsigned char*>(ptr);
     for (size_t i = 0; i < len; ++i, ++p) {
-        if ((R(1000) == 1)) { // 0.1% of the time, flip a bit
-            *p ^= (1 << R(8));
+        if (R(250) == 1) { // 0.4% of the time, flip a bit or byte
+            if (R(10) == 1) { // Then 10% of the time, change a whole byte
+                switch(R(3)) {
+                case 0:
+                    *p ^= 0xFF; // Flip entire byte
+                    break;
+                case 1:
+                    *p = 0xFF; // Set all bits to 1
+                    break;
+                case 2:
+                    *p = 0x00; // Set all bits to 0
+                    break;
+                }
+            } else {
+                *p ^= (1 << R(8));
+            }
         }
     }
 #endif // SK_ADD_RANDOM_BIT_FLIPS
     SkFlattenable* flattenable = SkValidatingDeserializeFlattenable(ptr, len,
                                     SkImageFilter::GetFlattenableType());
-    SkASSERT(NULL != flattenable);
     return static_cast<SkImageFilter*>(flattenable);
 }
 
 static void drawClippedBitmap(SkCanvas* canvas, int x, int y, const SkPaint& paint) {
     canvas->save();
     canvas->clipRect(SkRect::MakeXYWH(SkIntToScalar(x), SkIntToScalar(y),
         SkIntToScalar(kBitmapSize), SkIntToScalar(kBitmapSize)));
     canvas->drawBitmap(make_bitmap(), SkIntToScalar(x), SkIntToScalar(y), &paint);
     canvas->restore();
 }
 
 static void do_fuzz(SkCanvas* canvas) {
+#ifdef SK_FUZZER_IS_VERBOSE
+    static uint32_t filterId = 0;
+    if (0 == filterId) {
+        printf("Fuzzing with %u\n", kSeed);
+    }
+    printf("Filter no %u\r", filterId);
+    fflush(stdout);
+    filterId++;
+#endif
+
     SkPaint paint;
-    paint.setImageFilter(make_serialized_image_filter())->unref();
+    SkSafeUnref(paint.setImageFilter(make_serialized_image_filter()));
     drawClippedBitmap(canvas, 0, 0, paint);
 }
 
 //////////////////////////////////////////////////////////////////////////////
 
 class ImageFilterFuzzView : public SampleView {
 public:
     ImageFilterFuzzView() {
         this->setBGColor(0xFFDDDDDD);
     }
@@ skipping 18 matching lines @@
     }
 
 private:
     typedef SkView INHERITED;
 };
 
 //////////////////////////////////////////////////////////////////////////////
 
 static SkView* MyFactory() { return new ImageFilterFuzzView; }
 static SkViewRegister reg(MyFactory);