C++程序  |  138行  |  3.67 KB

#ifdef __cplusplus
extern "C" {
#endif

#include <fcntl.h>
#include <inttypes.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include <libhfuzz/libhfuzz.h>

#include "png.h"
#include "pngpriv.h"
#include "pngstruct.h"

#if defined(__clang__)
#if __has_feature(memory_sanitizer)
#include <sanitizer/msan_interface.h>
#endif /* __has_feature(memory_sanitizer) */
#endif /* defined(__clang__) */

void fatal(const char* s, ...) {
    va_list args;
    va_start(args, s);
    vfprintf(stderr, s, args);
    fprintf(stderr, "\n");
    va_end(args);
    _exit(EXIT_FAILURE);
}

typedef struct {
    const uint8_t* ptr;
    size_t len;
    size_t off;
} user_file_t;

size_t total_alloc = 0ULL;
int null_fd = -1;

void png_user_read_data(png_structp png_ptr, png_bytep data, png_size_t length) {
#if defined(__clang__)
#if __has_feature(memory_sanitizer)
    __msan_poison(data, length);
#endif /* __has_feature(memory_sanitizer) */
#endif /* defined(__clang__) */

    user_file_t* f = (user_file_t*)png_ptr->io_ptr;

    if (length > f->len) {
        png_error(png_ptr, "Read Error");
        return;
    }
    memcpy(data, &f->ptr[f->off], length);
    f->len -= length;
    f->off += length;
}

int LLVMFuzzerInitialize(int* argc, char*** argv) {
    null_fd = open("/dev/null", O_WRONLY);
    return 0;
}

int LLVMFuzzerTestOneInput(const uint8_t* buf, size_t len) {
    png_structp png_ptr = NULL;
    png_infop info_ptr = NULL;

    total_alloc = 0ULL;
    png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
    if (!png_ptr) {
        fatal("png_create_read_struct");
    }

    info_ptr = png_create_info_struct(png_ptr);
    if (!info_ptr) {
        png_destroy_read_struct(&png_ptr, (png_infopp)NULL, (png_infopp)NULL);
        fatal("png_create_info_struct()");
    }

    if (setjmp(png_jmpbuf(png_ptr))) {
        png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
        return 0;
    }

    png_set_crc_action(png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
    png_set_user_limits(png_ptr, 10000U, 10000U);
    png_set_chunk_cache_max(png_ptr, 1024ULL * 1024ULL * 64ULL);
    png_set_chunk_malloc_max(png_ptr, 1024ULL * 1024ULL * 128ULL);

    user_file_t f = {
        .ptr = buf,
        .len = len,
        .off = 0UL,
    };
    png_set_read_fn(png_ptr, (void*)&f, png_user_read_data);

    png_read_png(png_ptr, info_ptr, ~(0), NULL);

    png_bytepp row_pointers = png_get_rows(png_ptr, info_ptr);
    png_uint_32 row_bytes = png_get_rowbytes(png_ptr, info_ptr);
    png_uint_32 height = png_get_image_height(png_ptr, info_ptr);

    for (png_uint_32 i = 0; i < height; i++) {
        write(null_fd, row_pointers[i], row_bytes);
    }

    /* Addtional API calls */
    png_uint_32 width, ret, res_x, res_y;
    double file_gamma;
    png_uint_16p hist;
    int bit_depth, color_type, interlace_method, compression_method, filter_method, unit_type,
        num_palette, num_text;
    png_textp text_ptr;
    png_colorp palette;
    png_timep mod_time;
    png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_method,
        &compression_method, &filter_method);
    ret = png_get_gAMA(png_ptr, info_ptr, &file_gamma);
    ret = png_get_hIST(png_ptr, info_ptr, &hist);
    ret = png_get_pHYs(png_ptr, info_ptr, &res_x, &res_y, &unit_type);
    ret = png_get_PLTE(png_ptr, info_ptr, &palette, &num_palette);
    ret = png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
    ret = png_get_tIME(png_ptr, info_ptr, &mod_time);
    png_voidp vp = png_get_progressive_ptr(png_ptr);

    png_destroy_read_struct(&png_ptr, &info_ptr, NULL);

    return 0;
}

#ifdef __cplusplus
}
#endif