/* * Copyright 2016 Google Inc. * * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. */ #include "Fuzz.h" #include "FuzzCommon.h" #include "SkPath.h" #include "SkPathOps.h" #include "SkRect.h" const uint8_t MAX_OPS = 20; DEF_FUZZ(Pathop, fuzz) { uint8_t choice; fuzz->nextRange(&choice, 0, 4); switch (choice) { case 0: { uint8_t ops; fuzz->nextRange(&ops, 0, MAX_OPS); SkOpBuilder builder; for (uint8_t i = 0; i < ops && !fuzz->exhausted(); i++) { SkPath path; FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb); SkPath::FillType ft; fuzz->nextRange(&ft, 0, SkPath::kInverseEvenOdd_FillType); path.setFillType(ft); SkPathOp op; fuzz->nextRange(&op, 0, SkPathOp::kReverseDifference_SkPathOp); builder.add(path, op); } SkPath result; builder.resolve(&result); break; } case 1: { SkPath path; FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb); SkPath::FillType ft; fuzz->nextRange(&ft, 0, SkPath::kInverseEvenOdd_FillType); path.setFillType(ft); SkPath result; bool isSame; fuzz->next(&isSame); if (isSame) { result = path; } Simplify(path, &result); break; } case 2: { SkPath path; FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb); SkPath::FillType ft; fuzz->nextRange(&ft, 0, SkPath::kInverseEvenOdd_FillType); path.setFillType(ft); SkPath path2; FuzzEvilPath(fuzz, &path2, SkPath::Verb::kDone_Verb); fuzz->nextRange(&ft, 0, SkPath::kInverseEvenOdd_FillType); path.setFillType(ft); SkPathOp op; fuzz->nextRange(&op, 0, SkPathOp::kReverseDifference_SkPathOp); SkPath result; uint8_t pickOutput; fuzz->nextRange(&pickOutput, 0, 2); if (pickOutput == 1) { result = path; } else if (pickOutput == 2) { result = path2; } Op(path, path2, op, &result); break; } case 3: { SkPath path; FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb); SkPath::FillType ft; fuzz->nextRange(&ft, 0, SkPath::kInverseEvenOdd_FillType); path.setFillType(ft); SkPath result; bool isSame; fuzz->next(&isSame); if (isSame) { result = path; } AsWinding(path, &result); break; } case 4: { SkPath path; FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb); SkPath::FillType ft; fuzz->nextRange(&ft, 0, SkPath::kInverseEvenOdd_FillType); path.setFillType(ft); SkRect result; TightBounds(path, &result); break; } default: { SkASSERT(false); break; } } } const int kLastOp = SkPathOp::kReverseDifference_SkPathOp; void BuildPath(Fuzz* fuzz, SkPath* path) { while (!fuzz->exhausted()) { // Use a uint8_t to conserve bytes. This makes our "fuzzed bytes footprint" // smaller, which leads to more efficient fuzzing. uint8_t operation; fuzz->next(&operation); SkScalar a,b,c,d,e,f; switch (operation % (SkPath::Verb::kDone_Verb + 1)) { case SkPath::Verb::kMove_Verb: if (fuzz->remaining() < (2*sizeof(SkScalar))) { fuzz->deplete(); return; } fuzz->next(&a, &b); path->moveTo(a, b); break; case SkPath::Verb::kLine_Verb: if (fuzz->remaining() < (2*sizeof(SkScalar))) { fuzz->deplete(); return; } fuzz->next(&a, &b); path->lineTo(a, b); break; case SkPath::Verb::kQuad_Verb: if (fuzz->remaining() < (4*sizeof(SkScalar))) { fuzz->deplete(); return; } fuzz->next(&a, &b, &c, &d); path->quadTo(a, b, c, d); break; case SkPath::Verb::kConic_Verb: if (fuzz->remaining() < (5*sizeof(SkScalar))) { fuzz->deplete(); return; } fuzz->next(&a, &b, &c, &d, &e); path->conicTo(a, b, c, d, e); break; case SkPath::Verb::kCubic_Verb: if (fuzz->remaining() < (6*sizeof(SkScalar))) { fuzz->deplete(); return; } fuzz->next(&a, &b, &c, &d, &e, &f); path->cubicTo(a, b, c, d, e, f); break; case SkPath::Verb::kClose_Verb: path->close(); break; case SkPath::Verb::kDone_Verb: // In this case, simply exit. return; } } } DEF_FUZZ(LegacyChromiumPathop, fuzz) { // See https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/skia_pathop_fuzzer.cc SkOpBuilder builder; while (!fuzz->exhausted()) { SkPath path; uint8_t op; fuzz->next(&op); if (fuzz->exhausted()) { break; } BuildPath(fuzz, &path); builder.add(path, static_cast<SkPathOp>(op % (kLastOp + 1))); } SkPath result; builder.resolve(&result); }