Add tests/fuzzers for OSS Fuzz (#965)

2017-07-03 14:14:03 +02:00 · 2017-07-03 14:14:03 +02:00 · 1a8eac6a90
parent c308de39ed
commit 1a8eac6a90
8 changed files with 389 additions and 1 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -72,7 +72,7 @@ matrix:
 # Test with CLang 3.8
    - os: linux
      compiler: clang-3.8
-      env: OPJ_CI_CC=clang-3.8 OPJ_CI_CXX=clang-3.8 OPJ_CI_ARCH=x86_64 OPJ_CI_BUILD_CONFIGURATION=Release OPJ_CI_PERF_TESTS=1
+      env: OPJ_CI_CC=clang-3.8 OPJ_CI_CXX=clang-3.8 OPJ_CI_ARCH=x86_64 OPJ_CI_BUILD_CONFIGURATION=Release OPJ_CI_PERF_TESTS=1 OPJ_CI_BUILD_FUZZERS=1
      addons:
        apt:
          sources:
--- a/tests/fuzzers/GNUmakefile
+++ b/tests/fuzzers/GNUmakefile
@ -0,0 +1,12 @@
+default: dummyfuzzers
+
+clean:
+	$(RM) -f *.o *.a
+
+fuzzingengine.o: fuzzingengine.c
+	$(CC) $(CFLAGS) -c -o $@ $<
+
+dummyfuzzers: fuzzingengine.o
+	$(AR) r libFuzzingEngine.a fuzzingengine.o
+	CXX="${CXX}" CXXFLAGS="-L. ${CXXFLAGS}" SRC=/tmp OUT=/tmp ./build_google_oss_fuzzers.sh
+	OUT=/tmp ./build_seed_corpus.sh
--- a/tests/fuzzers/README.TXT
+++ b/tests/fuzzers/README.TXT
@ -0,0 +1,52 @@
+This directory contain fuzzer main functions and scripts for the
+Google OSS Fuzz project: https://github.com/google/oss-fuzz/
+
+The main build scripts are in:
+https://github.com/google/oss-fuzz/tree/master/projects/openjpeg
+and call scripts in this directory.
+
+The list of issues is in:
+https://bugs.chromium.org/p/oss-fuzz/issues/list?q=openjpeg
+
+
+- Simulate the build of (dummy) fuzzers like OSS Fuzz does:
+
+   Preliminary steps:
+    $ cd ${ROOT_OF_OPENJPEG}
+    $ git clone --depth 1 https://github.com/uclouvain/openjpeg-data data
+    $ mkdir build
+    $ cd build
+    $ cmake ..
+    $ make
+    $ cd ..
+
+   Actual building of fuzzer and seed corpus:
+    $ cd tests/fuzzers
+    $ make
+
+  They are created in /tmp/*_fuzzer as well as with the
+  /tmp/*_fuzzer_seed_corpus.zip files
+
+  Run one:
+    $ /tmp/opj_decompress_fuzzer a_file_name
+
+- Run locally OSS Fuzz:
+    $ git clone https://github.com/google/oss-fuzz.git
+    $ cd oss-fuzz
+    $ python infra/helper.py build_image openjpeg
+
+  Build fuzzers with the address sanitizer (could use undefined, etc...)
+    $ python infra/helper.py build_fuzzers --sanitizer address openjpeg
+
+  Test a particular fuzzer (replace opj_decompress_fuzzer by other fuzzers
+  like the ones generated in /tmp by "make dummyfuzzers")
+    $ python infra/helper.py run_fuzzer openjpeg opj_decompress_fuzzer
+
+
+How to deal with issues reported in https://bugs.chromium.org/p/oss-fuzz/issues/list?q=openjpeg ?
+
+    1. Leave a comment in (chromium database) bug entry to indicate that you work on it
+    2. Work
+    3. Commit a bug fix with log including "Credit to OSS-Fuzz" and a link to the bugs.chromium.org ticket
+    4. Add in the bugs.chromium.org ticket a link to the github commit implementing the fix.
+    5. Check chromium closed the bug (after one or two days typically)
--- a/tests/fuzzers/build_google_oss_fuzzers.sh
+++ b/tests/fuzzers/build_google_oss_fuzzers.sh
@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e
+
+if [ "$SRC" == "" ]; then
+    echo "SRC env var not defined"
+    exit 1
+fi
+
+if [ "$OUT" == "" ]; then
+    echo "OUT env var not defined"
+    exit 1
+fi
+
+if [ "$CXX" == "" ]; then
+    echo "CXX env var not defined"
+    exit 1
+fi
+
+SRC_DIR=$(dirname $0)/../..
+
+build_fuzzer()
+{
+    fuzzerName=$1
+    sourceFilename=$2
+    shift
+    shift
+    echo "Building fuzzer $fuzzerName"
+    $CXX $CXXFLAGS -std=c++11 -I$SRC_DIR/src/lib/openjp2 -I$SRC_DIR/build/src/lib/openjp2 \
+        $sourceFilename $* -o $OUT/$fuzzerName \
+        -lFuzzingEngine $SRC_DIR/build/bin/libopenjp2.a -lm -lpthread
+}
+
+fuzzerFiles=$(dirname $0)/*.cpp
+for F in $fuzzerFiles; do
+    fuzzerName=$(basename $F .cpp)
+    build_fuzzer $fuzzerName $F
+done
+
--- a/tests/fuzzers/build_seed_corpus.sh
+++ b/tests/fuzzers/build_seed_corpus.sh
@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+if [ "$OUT" == "" ]; then
+    echo "OUT env var not defined"
+    exit 1
+fi
+
+SRC_DIR=$(dirname $0)/../..
+
+cd $SRC_DIR/data/input/conformance
+rm -f $OUT/opj_decompress_fuzzer_seed_corpus.zip
+zip $OUT/opj_decompress_fuzzer_seed_corpus.zip *.jp2 *.j2k
+cd $OLDPWD
--- a/tests/fuzzers/fuzzingengine.c
+++ b/tests/fuzzers/fuzzingengine.c
@ -0,0 +1,72 @@
+/*
+ * The copyright in this software is being made available under the 2-clauses
+ * BSD License, included below. This software may be subject to other third
+ * party and contributor rights, including patent rights, and no such rights
+ * are granted under this license.
+ *
+ * Copyright (c) 2017, IntoPix SA <contact@intopix.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS'
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+
+int LLVMFuzzerTestOneInput(void *buf, size_t len);
+int LLVMFuzzerInitialize(int* argc, char*** argv);
+
+int main(int argc, char* argv[])
+{
+    LLVMFuzzerInitialize(&argc, &argv);
+    if (argc < 2) {
+        return LLVMFuzzerTestOneInput(" ", 1);
+    } else {
+        int nRet = 0;
+        void* buf = NULL;
+        int nLen = 0;
+        FILE* f = fopen(argv[1], "rb");
+        if (!f) {
+            fprintf(stderr, "%s does not exist.\n", argv[1]);
+            exit(1);
+        }
+        fseek(f, 0, SEEK_END);
+        nLen = (int)ftell(f);
+        fseek(f, 0, SEEK_SET);
+        buf = malloc(nLen);
+        if (!buf) {
+            fprintf(stderr, "malloc failed.\n");
+            fclose(f);
+            exit(1);
+        }
+        if (fread(buf, nLen, 1, f) != 1) {
+            fprintf(stderr, "fread failed.\n");
+            fclose(f);
+            free(buf);
+            exit(1);
+        }
+        fclose(f);
+        nRet = LLVMFuzzerTestOneInput(buf, nLen);
+        free(buf);
+        return nRet;
+    }
+}
--- a/tests/fuzzers/opj_decompress_fuzzer.cpp
+++ b/tests/fuzzers/opj_decompress_fuzzer.cpp
@ -0,0 +1,192 @@
+/*
+ * The copyright in this software is being made available under the 2-clauses
+ * BSD License, included below. This software may be subject to other third
+ * party and contributor rights, including patent rights, and no such rights
+ * are granted under this license.
+ *
+ * Copyright (c) 2017, IntoPix SA <contact@intopix.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS'
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+#include <limits.h>
+
+#include "openjpeg.h"
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv);
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len);
+
+typedef struct {
+    const uint8_t* pabyData;
+    size_t         nCurPos;
+    size_t         nLength;
+} MemFile;
+
+
+static void ErrorCallback(const char * msg, void *)
+{
+    (void)msg;
+    //fprintf(stderr, "%s\n", msg);
+}
+
+
+static void WarningCallback(const char *, void *)
+{
+}
+
+static void InfoCallback(const char *, void *)
+{
+}
+
+static OPJ_SIZE_T ReadCallback(void* pBuffer, OPJ_SIZE_T nBytes,
+                               void *pUserData)
+{
+    MemFile* memFile = (MemFile*)pUserData;
+    //printf("want to read %d bytes at %d\n", (int)memFile->nCurPos, (int)nBytes);
+    if (memFile->nCurPos >= memFile->nLength) {
+        return -1;
+    }
+    if (memFile->nCurPos + nBytes >= memFile->nLength) {
+        size_t nToRead = memFile->nLength - memFile->nCurPos;
+        memcpy(pBuffer, memFile->pabyData + memFile->nCurPos, nToRead);
+        memFile->nCurPos = memFile->nLength;
+        return nToRead;
+    }
+    if (nBytes == 0) {
+        return -1;
+    }
+    memcpy(pBuffer, memFile->pabyData + memFile->nCurPos, nBytes);
+    memFile->nCurPos += nBytes;
+    return nBytes;
+}
+
+static OPJ_BOOL SeekCallback(OPJ_OFF_T nBytes, void * pUserData)
+{
+    MemFile* memFile = (MemFile*)pUserData;
+    //printf("seek to %d\n", (int)nBytes);
+    memFile->nCurPos = nBytes;
+    return OPJ_TRUE;
+}
+
+static OPJ_OFF_T SkipCallback(OPJ_OFF_T nBytes, void * pUserData)
+{
+    MemFile* memFile = (MemFile*)pUserData;
+    memFile->nCurPos += nBytes;
+    return nBytes;
+}
+
+
+int LLVMFuzzerInitialize(int* /*argc*/, char*** argv)
+{
+    return 0;
+}
+
+static const unsigned char jpc_header[] = {0xff, 0x4f};
+static const unsigned char jp2_box_jp[] = {0x6a, 0x50, 0x20, 0x20}; /* 'jP  ' */
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+
+    OPJ_CODEC_FORMAT eCodecFormat;
+    if (len >= sizeof(jpc_header) &&
+            memcmp(buf, jpc_header, sizeof(jpc_header)) == 0) {
+        eCodecFormat = OPJ_CODEC_J2K;
+    } else if (len >= 4 + sizeof(jp2_box_jp) &&
+               memcmp(buf + 4, jp2_box_jp, sizeof(jp2_box_jp)) == 0) {
+        eCodecFormat = OPJ_CODEC_JP2;
+    } else {
+        return 0;
+    }
+
+    opj_codec_t* pCodec = opj_create_decompress(eCodecFormat);
+    opj_set_info_handler(pCodec, InfoCallback, NULL);
+    opj_set_warning_handler(pCodec, WarningCallback, NULL);
+    opj_set_error_handler(pCodec, ErrorCallback, NULL);
+
+    opj_dparameters_t parameters;
+    opj_set_default_decoder_parameters(&parameters);
+
+    opj_setup_decoder(pCodec, &parameters);
+
+    opj_stream_t *pStream = opj_stream_create(1024, OPJ_TRUE);
+    MemFile memFile;
+    memFile.pabyData = buf;
+    memFile.nLength = len;
+    memFile.nCurPos = 0;
+    opj_stream_set_user_data_length(pStream, len);
+    opj_stream_set_read_function(pStream, ReadCallback);
+    opj_stream_set_seek_function(pStream, SeekCallback);
+    opj_stream_set_skip_function(pStream, SkipCallback);
+    opj_stream_set_user_data(pStream, &memFile, NULL);
+
+    opj_image_t * psImage = NULL;
+    if (!opj_read_header(pStream, pCodec, &psImage)) {
+        opj_destroy_codec(pCodec);
+        opj_stream_destroy(pStream);
+        opj_image_destroy(psImage);
+        return 0;
+    }
+
+    OPJ_UINT32 width = psImage->x1 - psImage->x0;
+    OPJ_UINT32 height = psImage->y1 - psImage->y0;
+
+    // Reject too big images since that will require allocating a lot of
+    // memory
+    if (width != 0 && psImage->numcomps != 0 &&
+            (width > INT_MAX / psImage->numcomps ||
+             height > INT_MAX / (width * psImage->numcomps * sizeof(OPJ_UINT32)))) {
+        opj_stream_destroy(pStream);
+        opj_destroy_codec(pCodec);
+        opj_image_destroy(psImage);
+
+        return 0;
+    }
+
+    OPJ_UINT32 width_to_read = width;
+    if (width_to_read > 1024) {
+        width_to_read = 1024;
+    }
+    OPJ_UINT32 height_to_read = height;
+    if (height_to_read > 1024) {
+        height_to_read = 1024;
+    }
+
+    if (opj_set_decode_area(pCodec, psImage,
+                            psImage->x0, psImage->y0,
+                            psImage->x0 + width_to_read,
+                            psImage->y0 + height_to_read)) {
+        if (opj_decode(pCodec, pStream, psImage)) {
+            //printf("success\n");
+        }
+    }
+
+    opj_end_decompress(pCodec, pStream);
+    opj_stream_destroy(pStream);
+    opj_destroy_codec(pCodec);
+    opj_image_destroy(psImage);
+
+    return 0;
+}
--- a/tools/travis-ci/run.sh
+++ b/tools/travis-ci/run.sh
@ -344,6 +344,12 @@ New/unknown test failure found!!!
 	fi
 fi

+if [ "${OPJ_CI_BUILD_FUZZERS:-}" == "1" ]; then
+    cd tests/fuzzers
+    make
+    cd ../..
+fi
+
 if [ "${OPJ_CI_PERF_TESTS:-}" == "1" ]; then
    cd tests/performance
    echo "Running performance tests on current version (dry-run)"