1 2 // libpng_read_fuzzer.cc 3 // Copyright 2017 Glenn Randers-Pehrson 4 // Copyright 2015 The Chromium Authors. All rights reserved. 5 // Use of this source code is governed by a BSD-style license that may 6 // be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE 7 8 // Last changed in libpng 1.6.33beta03 [September 27, 2017] 9 10 // The modifications in 2017 by Glenn Randers-Pehrson include 11 // 1. addition of a PNG_CLEANUP macro, 12 // 2. setting the option to ignore ADLER32 checksums, 13 // 3. adding "#include <string.h>" which is needed on some platforms 14 // to provide memcpy(). 15 // 4. adding read_end_info() and creating an end_info structure. 16 17 #include <stddef.h> 18 #include <stdint.h> 19 #include <string.h> 20 21 #include <vector> 22 23 #define PNG_INTERNAL 24 #include "png.h" 25 26 struct BufState { 27 const uint8_t* data; 28 size_t bytes_left; 29 }; 30 31 struct PngObjectHandler { 32 png_infop info_ptr = nullptr; 33 png_structp png_ptr = nullptr; 34 png_infop end_info_ptr = nullptr; 35 png_voidp row_ptr = nullptr; 36 BufState* buf_state = nullptr; 37 38 ~PngObjectHandler() { 39 if (row_ptr) 40 png_free(png_ptr, row_ptr); 41 if (end_info_ptr) 42 png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr); 43 else if (info_ptr) 44 png_destroy_read_struct(&png_ptr, &info_ptr, nullptr); 45 else 46 png_destroy_read_struct(&png_ptr, nullptr, nullptr); 47 delete buf_state; 48 } 49 }; 50 51 void user_read_data(png_structp png_ptr, png_bytep data, png_size_t length) { 52 BufState* buf_state = static_cast<BufState*>(png_get_io_ptr(png_ptr)); 53 if (length > buf_state->bytes_left) { 54 png_error(png_ptr, "read error"); 55 } 56 memcpy(data, buf_state->data, length); 57 buf_state->bytes_left -= length; 58 buf_state->data += length; 59 } 60 61 static const int kPngHeaderSize = 8; 62 63 // Entry point for LibFuzzer. 64 // Roughly follows the libpng book example: 65 // http://www.libpng.org/pub/png/book/chapter13.html 66 67 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 68 if (size < kPngHeaderSize) { 69 return 0; 70 } 71 72 std::vector<unsigned char> v(data, data + size); 73 if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) { 74 // not a PNG. 75 return 0; 76 } 77 78 PngObjectHandler png_handler; 79 png_handler.png_ptr = nullptr; 80 png_handler.row_ptr = nullptr; 81 png_handler.info_ptr = nullptr; 82 png_handler.end_info_ptr = nullptr; 83 84 png_handler.png_ptr = png_create_read_struct 85 (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr); 86 if (!png_handler.png_ptr) { 87 return 0; 88 } 89 90 #define PNG_CLEANUP \ 91 if(png_handler.png_ptr) \ 92 { \ 93 if (png_handler.row_ptr) \ 94 png_free(png_handler.png_ptr, png_handler.row_ptr); \ 95 if (png_handler.end_info_ptr) \ 96 png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\ 97 &png_handler.end_info_ptr); \ 98 else if (png_handler.info_ptr) \ 99 png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\ 100 nullptr); \ 101 else \ 102 png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \ 103 png_handler.png_ptr = nullptr; \ 104 png_handler.row_ptr = nullptr; \ 105 png_handler.info_ptr = nullptr; \ 106 png_handler.end_info_ptr = nullptr; \ 107 } 108 109 png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr); 110 if (!png_handler.info_ptr) { 111 PNG_CLEANUP 112 return 0; 113 } 114 115 png_handler.end_info_ptr = png_create_info_struct(png_handler.png_ptr); 116 if (!png_handler.end_info_ptr) { 117 PNG_CLEANUP 118 return 0; 119 } 120 121 /* Treat benign errors as warnings */ 122 png_set_benign_errors(png_handler.png_ptr, 1); 123 124 png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE); 125 126 #ifdef PNG_IGNORE_ADLER32 127 png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON); 128 #endif 129 130 // Setting up reading from buffer. 131 png_handler.buf_state = new BufState(); 132 png_handler.buf_state->data = data + kPngHeaderSize; 133 png_handler.buf_state->bytes_left = size - kPngHeaderSize; 134 png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data); 135 png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize); 136 137 if (setjmp(png_jmpbuf(png_handler.png_ptr))) { 138 PNG_CLEANUP 139 return 0; 140 } 141 142 // Reading. 143 png_read_info(png_handler.png_ptr, png_handler.info_ptr); 144 png_read_update_info(png_handler.png_ptr, png_handler.info_ptr); 145 png_handler.row_ptr = png_malloc( 146 png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr, 147 png_handler.info_ptr)); 148 149 // reset error handler to put png_deleter into scope. 150 if (setjmp(png_jmpbuf(png_handler.png_ptr))) { 151 PNG_CLEANUP 152 return 0; 153 } 154 155 png_uint_32 width, height; 156 int bit_depth, color_type, interlace_type, compression_type; 157 int filter_type; 158 159 if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width, 160 &height, &bit_depth, &color_type, &interlace_type, 161 &compression_type, &filter_type)) { 162 PNG_CLEANUP 163 return 0; 164 } 165 166 // This is going to be too slow. 167 if (width && height > 100000000 / width) { 168 PNG_CLEANUP 169 return 0; 170 } 171 172 int passes = png_set_interlace_handling(png_handler.png_ptr); 173 png_start_read_image(png_handler.png_ptr); 174 175 /* To do: prevent the optimizer from removing this code entirely */ 176 for (int pass = 0; pass < passes; ++pass) { 177 for (png_uint_32 y = 0; y < height; ++y) { 178 png_read_row(png_handler.png_ptr, 179 static_cast<png_bytep>(png_handler.row_ptr), nullptr); 180 } 181 } 182 183 png_read_end(png_handler.png_ptr, png_handler.end_info_ptr); 184 185 PNG_CLEANUP 186 187 /* TO do: exercise the progressive reader here */ 188 189 return 0; 190 } 191
