Add tests/fuzzers for OSS Fuzz (#965)

This commit is contained in:
Even Rouault 2017-07-03 14:14:03 +02:00
parent c308de39ed
commit 1a8eac6a90
8 changed files with 389 additions and 1 deletions

View File

@ -72,7 +72,7 @@ matrix:
# Test with CLang 3.8
- os: linux
compiler: clang-3.8
env: OPJ_CI_CC=clang-3.8 OPJ_CI_CXX=clang-3.8 OPJ_CI_ARCH=x86_64 OPJ_CI_BUILD_CONFIGURATION=Release OPJ_CI_PERF_TESTS=1
env: OPJ_CI_CC=clang-3.8 OPJ_CI_CXX=clang-3.8 OPJ_CI_ARCH=x86_64 OPJ_CI_BUILD_CONFIGURATION=Release OPJ_CI_PERF_TESTS=1 OPJ_CI_BUILD_FUZZERS=1
addons:
apt:
sources:

12
tests/fuzzers/GNUmakefile Normal file
View File

@ -0,0 +1,12 @@
default: dummyfuzzers
clean:
$(RM) -f *.o *.a
fuzzingengine.o: fuzzingengine.c
$(CC) $(CFLAGS) -c -o $@ $<
dummyfuzzers: fuzzingengine.o
$(AR) r libFuzzingEngine.a fuzzingengine.o
CXX="${CXX}" CXXFLAGS="-L. ${CXXFLAGS}" SRC=/tmp OUT=/tmp ./build_google_oss_fuzzers.sh
OUT=/tmp ./build_seed_corpus.sh

52
tests/fuzzers/README.TXT Normal file
View File

@ -0,0 +1,52 @@
This directory contain fuzzer main functions and scripts for the
Google OSS Fuzz project: https://github.com/google/oss-fuzz/
The main build scripts are in:
https://github.com/google/oss-fuzz/tree/master/projects/openjpeg
and call scripts in this directory.
The list of issues is in:
https://bugs.chromium.org/p/oss-fuzz/issues/list?q=openjpeg
- Simulate the build of (dummy) fuzzers like OSS Fuzz does:
Preliminary steps:
$ cd ${ROOT_OF_OPENJPEG}
$ git clone --depth 1 https://github.com/uclouvain/openjpeg-data data
$ mkdir build
$ cd build
$ cmake ..
$ make
$ cd ..
Actual building of fuzzer and seed corpus:
$ cd tests/fuzzers
$ make
They are created in /tmp/*_fuzzer as well as with the
/tmp/*_fuzzer_seed_corpus.zip files
Run one:
$ /tmp/opj_decompress_fuzzer a_file_name
- Run locally OSS Fuzz:
$ git clone https://github.com/google/oss-fuzz.git
$ cd oss-fuzz
$ python infra/helper.py build_image openjpeg
Build fuzzers with the address sanitizer (could use undefined, etc...)
$ python infra/helper.py build_fuzzers --sanitizer address openjpeg
Test a particular fuzzer (replace opj_decompress_fuzzer by other fuzzers
like the ones generated in /tmp by "make dummyfuzzers")
$ python infra/helper.py run_fuzzer openjpeg opj_decompress_fuzzer
How to deal with issues reported in https://bugs.chromium.org/p/oss-fuzz/issues/list?q=openjpeg ?
1. Leave a comment in (chromium database) bug entry to indicate that you work on it
2. Work
3. Commit a bug fix with log including "Credit to OSS-Fuzz" and a link to the bugs.chromium.org ticket
4. Add in the bugs.chromium.org ticket a link to the github commit implementing the fix.
5. Check chromium closed the bug (after one or two days typically)

View File

@ -0,0 +1,39 @@
#!/bin/bash
set -e
if [ "$SRC" == "" ]; then
echo "SRC env var not defined"
exit 1
fi
if [ "$OUT" == "" ]; then
echo "OUT env var not defined"
exit 1
fi
if [ "$CXX" == "" ]; then
echo "CXX env var not defined"
exit 1
fi
SRC_DIR=$(dirname $0)/../..
build_fuzzer()
{
fuzzerName=$1
sourceFilename=$2
shift
shift
echo "Building fuzzer $fuzzerName"
$CXX $CXXFLAGS -std=c++11 -I$SRC_DIR/src/lib/openjp2 -I$SRC_DIR/build/src/lib/openjp2 \
$sourceFilename $* -o $OUT/$fuzzerName \
-lFuzzingEngine $SRC_DIR/build/bin/libopenjp2.a -lm -lpthread
}
fuzzerFiles=$(dirname $0)/*.cpp
for F in $fuzzerFiles; do
fuzzerName=$(basename $F .cpp)
build_fuzzer $fuzzerName $F
done

View File

@ -0,0 +1,15 @@
#!/bin/bash
set -e
if [ "$OUT" == "" ]; then
echo "OUT env var not defined"
exit 1
fi
SRC_DIR=$(dirname $0)/../..
cd $SRC_DIR/data/input/conformance
rm -f $OUT/opj_decompress_fuzzer_seed_corpus.zip
zip $OUT/opj_decompress_fuzzer_seed_corpus.zip *.jp2 *.j2k
cd $OLDPWD

View File

@ -0,0 +1,72 @@
/*
* The copyright in this software is being made available under the 2-clauses
* BSD License, included below. This software may be subject to other third
* party and contributor rights, including patent rights, and no such rights
* are granted under this license.
*
* Copyright (c) 2017, IntoPix SA <contact@intopix.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS'
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <stdlib.h>
#include <stdio.h>
int LLVMFuzzerTestOneInput(void *buf, size_t len);
int LLVMFuzzerInitialize(int* argc, char*** argv);
int main(int argc, char* argv[])
{
LLVMFuzzerInitialize(&argc, &argv);
if (argc < 2) {
return LLVMFuzzerTestOneInput(" ", 1);
} else {
int nRet = 0;
void* buf = NULL;
int nLen = 0;
FILE* f = fopen(argv[1], "rb");
if (!f) {
fprintf(stderr, "%s does not exist.\n", argv[1]);
exit(1);
}
fseek(f, 0, SEEK_END);
nLen = (int)ftell(f);
fseek(f, 0, SEEK_SET);
buf = malloc(nLen);
if (!buf) {
fprintf(stderr, "malloc failed.\n");
fclose(f);
exit(1);
}
if (fread(buf, nLen, 1, f) != 1) {
fprintf(stderr, "fread failed.\n");
fclose(f);
free(buf);
exit(1);
}
fclose(f);
nRet = LLVMFuzzerTestOneInput(buf, nLen);
free(buf);
return nRet;
}
}

View File

@ -0,0 +1,192 @@
/*
* The copyright in this software is being made available under the 2-clauses
* BSD License, included below. This software may be subject to other third
* party and contributor rights, including patent rights, and no such rights
* are granted under this license.
*
* Copyright (c) 2017, IntoPix SA <contact@intopix.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS'
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <limits.h>
#include "openjpeg.h"
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv);
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len);
typedef struct {
const uint8_t* pabyData;
size_t nCurPos;
size_t nLength;
} MemFile;
static void ErrorCallback(const char * msg, void *)
{
(void)msg;
//fprintf(stderr, "%s\n", msg);
}
static void WarningCallback(const char *, void *)
{
}
static void InfoCallback(const char *, void *)
{
}
static OPJ_SIZE_T ReadCallback(void* pBuffer, OPJ_SIZE_T nBytes,
void *pUserData)
{
MemFile* memFile = (MemFile*)pUserData;
//printf("want to read %d bytes at %d\n", (int)memFile->nCurPos, (int)nBytes);
if (memFile->nCurPos >= memFile->nLength) {
return -1;
}
if (memFile->nCurPos + nBytes >= memFile->nLength) {
size_t nToRead = memFile->nLength - memFile->nCurPos;
memcpy(pBuffer, memFile->pabyData + memFile->nCurPos, nToRead);
memFile->nCurPos = memFile->nLength;
return nToRead;
}
if (nBytes == 0) {
return -1;
}
memcpy(pBuffer, memFile->pabyData + memFile->nCurPos, nBytes);
memFile->nCurPos += nBytes;
return nBytes;
}
static OPJ_BOOL SeekCallback(OPJ_OFF_T nBytes, void * pUserData)
{
MemFile* memFile = (MemFile*)pUserData;
//printf("seek to %d\n", (int)nBytes);
memFile->nCurPos = nBytes;
return OPJ_TRUE;
}
static OPJ_OFF_T SkipCallback(OPJ_OFF_T nBytes, void * pUserData)
{
MemFile* memFile = (MemFile*)pUserData;
memFile->nCurPos += nBytes;
return nBytes;
}
int LLVMFuzzerInitialize(int* /*argc*/, char*** argv)
{
return 0;
}
static const unsigned char jpc_header[] = {0xff, 0x4f};
static const unsigned char jp2_box_jp[] = {0x6a, 0x50, 0x20, 0x20}; /* 'jP ' */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
{
OPJ_CODEC_FORMAT eCodecFormat;
if (len >= sizeof(jpc_header) &&
memcmp(buf, jpc_header, sizeof(jpc_header)) == 0) {
eCodecFormat = OPJ_CODEC_J2K;
} else if (len >= 4 + sizeof(jp2_box_jp) &&
memcmp(buf + 4, jp2_box_jp, sizeof(jp2_box_jp)) == 0) {
eCodecFormat = OPJ_CODEC_JP2;
} else {
return 0;
}
opj_codec_t* pCodec = opj_create_decompress(eCodecFormat);
opj_set_info_handler(pCodec, InfoCallback, NULL);
opj_set_warning_handler(pCodec, WarningCallback, NULL);
opj_set_error_handler(pCodec, ErrorCallback, NULL);
opj_dparameters_t parameters;
opj_set_default_decoder_parameters(&parameters);
opj_setup_decoder(pCodec, &parameters);
opj_stream_t *pStream = opj_stream_create(1024, OPJ_TRUE);
MemFile memFile;
memFile.pabyData = buf;
memFile.nLength = len;
memFile.nCurPos = 0;
opj_stream_set_user_data_length(pStream, len);
opj_stream_set_read_function(pStream, ReadCallback);
opj_stream_set_seek_function(pStream, SeekCallback);
opj_stream_set_skip_function(pStream, SkipCallback);
opj_stream_set_user_data(pStream, &memFile, NULL);
opj_image_t * psImage = NULL;
if (!opj_read_header(pStream, pCodec, &psImage)) {
opj_destroy_codec(pCodec);
opj_stream_destroy(pStream);
opj_image_destroy(psImage);
return 0;
}
OPJ_UINT32 width = psImage->x1 - psImage->x0;
OPJ_UINT32 height = psImage->y1 - psImage->y0;
// Reject too big images since that will require allocating a lot of
// memory
if (width != 0 && psImage->numcomps != 0 &&
(width > INT_MAX / psImage->numcomps ||
height > INT_MAX / (width * psImage->numcomps * sizeof(OPJ_UINT32)))) {
opj_stream_destroy(pStream);
opj_destroy_codec(pCodec);
opj_image_destroy(psImage);
return 0;
}
OPJ_UINT32 width_to_read = width;
if (width_to_read > 1024) {
width_to_read = 1024;
}
OPJ_UINT32 height_to_read = height;
if (height_to_read > 1024) {
height_to_read = 1024;
}
if (opj_set_decode_area(pCodec, psImage,
psImage->x0, psImage->y0,
psImage->x0 + width_to_read,
psImage->y0 + height_to_read)) {
if (opj_decode(pCodec, pStream, psImage)) {
//printf("success\n");
}
}
opj_end_decompress(pCodec, pStream);
opj_stream_destroy(pStream);
opj_destroy_codec(pCodec);
opj_image_destroy(psImage);
return 0;
}

View File

@ -344,6 +344,12 @@ New/unknown test failure found!!!
fi
fi
if [ "${OPJ_CI_BUILD_FUZZERS:-}" == "1" ]; then
cd tests/fuzzers
make
cd ../..
fi
if [ "${OPJ_CI_PERF_TESTS:-}" == "1" ]; then
cd tests/performance
echo "Running performance tests on current version (dry-run)"