From 1a8eac6a90ca61f3703f9b97afc2ec4918f0ab55 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Mon, 3 Jul 2017 14:14:03 +0200
Subject: [PATCH] Add tests/fuzzers for OSS Fuzz (#965)
---
 .travis.yml | 2 +-
 tests/fuzzers/GNUmakefile | 12 ++
 tests/fuzzers/README.TXT | 52 ++++++
 tests/fuzzers/build_google_oss_fuzzers.sh | 39 +++++
 tests/fuzzers/build_seed_corpus.sh | 15 ++
 tests/fuzzers/fuzzingengine.c | 72 ++++++++
 tests/fuzzers/opj_decompress_fuzzer.cpp | 192 ++++++++++++++++++++++
 tools/travis-ci/run.sh | 6 +
 8 files changed, 389 insertions(+), 1 deletion(-)
 create mode 100644 tests/fuzzers/GNUmakefile
 create mode 100644 tests/fuzzers/README.TXT
 create mode 100755 tests/fuzzers/build_google_oss_fuzzers.sh
 create mode 100755 tests/fuzzers/build_seed_corpus.sh
 create mode 100644 tests/fuzzers/fuzzingengine.c
 create mode 100644 tests/fuzzers/opj_decompress_fuzzer.cpp
diff --git a/.travis.yml b/.travis.yml
index 282d0145..a7413bbe 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -72,7 +72,7 @@ matrix:
 # Test with CLang 3.8
 - os: linux
 compiler: clang-3.8
- env: OPJ_CI_CC=clang-3.8 OPJ_CI_CXX=clang-3.8 OPJ_CI_ARCH=x86_64 OPJ_CI_BUILD_CONFIGURATION=Release OPJ_CI_PERF_TESTS=1
+ env: OPJ_CI_CC=clang-3.8 OPJ_CI_CXX=clang-3.8 OPJ_CI_ARCH=x86_64 OPJ_CI_BUILD_CONFIGURATION=Release OPJ_CI_PERF_TESTS=1 OPJ_CI_BUILD_FUZZERS=1
 addons:
 apt:
 sources:
diff --git a/tests/fuzzers/GNUmakefile b/tests/fuzzers/GNUmakefile
new file mode 100644
index 00000000..0384d1a9
--- /dev/null
+++ b/tests/fuzzers/GNUmakefile
@@ -0,0 +1,12 @@
+default: dummyfuzzers
+
+clean:
+ $(RM) -f *.o *.a
+
+fuzzingengine.o: fuzzingengine.c
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+dummyfuzzers: fuzzingengine.o
+ $(AR) r libFuzzingEngine.a fuzzingengine.o
+ CXX="${CXX}" CXXFLAGS="-L. ${CXXFLAGS}" SRC=/tmp OUT=/tmp ./build_google_oss_fuzzers.sh
+ OUT=/tmp ./build_seed_corpus.sh
diff --git a/tests/fuzzers/README.TXT b/tests/fuzzers/README.TXT
new file mode 100644
index 00000000..da85e899
--- /dev/null
+++ b/tests/fuzzers/README.TXT
@@ -0,0 +1,52 @@
+This directory contain fuzzer main functions and scripts for the
+Google OSS Fuzz project: https://github.com/google/oss-fuzz/
+
+The main build scripts are in:
+https://github.com/google/oss-fuzz/tree/master/projects/openjpeg
+and call scripts in this directory.
+
+The list of issues is in:
+https://bugs.chromium.org/p/oss-fuzz/issues/list?q=openjpeg
+
+
+- Simulate the build of (dummy) fuzzers like OSS Fuzz does:
+
+ Preliminary steps:
+ $ cd ${ROOT_OF_OPENJPEG}
+ $ git clone --depth 1 https://github.com/uclouvain/openjpeg-data data
+ $ mkdir build
+ $ cd build
+ $ cmake ..
+ $ make
+ $ cd ..
+
+ Actual building of fuzzer and seed corpus:
+ $ cd tests/fuzzers
+ $ make
+
+ They are created in /tmp/*_fuzzer as well as with the
+ /tmp/*_fuzzer_seed_corpus.zip files
+
+ Run one:
+ $ /tmp/opj_decompress_fuzzer a_file_name
+
+- Run locally OSS Fuzz:
+ $ git clone https://github.com/google/oss-fuzz.git
+ $ cd oss-fuzz
+ $ python infra/helper.py build_image openjpeg
+
+ Build fuzzers with the address sanitizer (could use undefined, etc...)
+ $ python infra/helper.py build_fuzzers --sanitizer address openjpeg
+
+ Test a particular fuzzer (replace opj_decompress_fuzzer by other fuzzers
+ like the ones generated in /tmp by "make dummyfuzzers")
+ $ python infra/helper.py run_fuzzer openjpeg opj_decompress_fuzzer
+
+
+How to deal with issues reported in https://bugs.chromium.org/p/oss-fuzz/issues/list?q=openjpeg ?
+
+ 1. Leave a comment in (chromium database) bug entry to indicate that you work on it
+ 2. Work
+ 3. Commit a bug fix with log including "Credit to OSS-Fuzz" and a link to the bugs.chromium.org ticket
+ 4. Add in the bugs.chromium.org ticket a link to the github commit implementing the fix.
+ 5. Check chromium closed the bug (after one or two days typically)
diff --git a/tests/fuzzers/build_google_oss_fuzzers.sh b/tests/fuzzers/build_google_oss_fuzzers.sh
new file mode 100755
index 00000000..88bda556
--- /dev/null
+++ b/tests/fuzzers/build_google_oss_fuzzers.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e
+
+if [ "$SRC" == "" ]; then
+ echo "SRC env var not defined"
+ exit 1
+fi
+
+if [ "$OUT" == "" ]; then
+ echo "OUT env var not defined"
+ exit 1
+fi
+
+if [ "$CXX" == "" ]; then
+ echo "CXX env var not defined"
+ exit 1
+fi
+
+SRC_DIR=$(dirname $0)/../..
+
+build_fuzzer()
+{
+ fuzzerName=$1
+ sourceFilename=$2
+ shift
+ shift
+ echo "Building fuzzer $fuzzerName"
+ $CXX $CXXFLAGS -std=c++11 -I$SRC_DIR/src/lib/openjp2 -I$SRC_DIR/build/src/lib/openjp2 \
+ $sourceFilename $* -o $OUT/$fuzzerName \
+ -lFuzzingEngine $SRC_DIR/build/bin/libopenjp2.a -lm -lpthread
+}
+
+fuzzerFiles=$(dirname $0)/*.cpp
+for F in $fuzzerFiles; do
+ fuzzerName=$(basename $F .cpp)
+ build_fuzzer $fuzzerName $F
+done
+
diff --git a/tests/fuzzers/build_seed_corpus.sh b/tests/fuzzers/build_seed_corpus.sh
new file mode 100755
index 00000000..1dfb0753
--- /dev/null
+++ b/tests/fuzzers/build_seed_corpus.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+if [ "$OUT" == "" ]; then
+ echo "OUT env var not defined"
+ exit 1
+fi
+
+SRC_DIR=$(dirname $0)/../..
+
+cd $SRC_DIR/data/input/conformance
+rm -f $OUT/opj_decompress_fuzzer_seed_corpus.zip
+zip $OUT/opj_decompress_fuzzer_seed_corpus.zip *.jp2 *.j2k
+cd $OLDPWD
diff --git a/tests/fuzzers/fuzzingengine.c b/tests/fuzzers/fuzzingengine.c
new file mode 100644
index 00000000..512235db
--- /dev/null
+++ b/tests/fuzzers/fuzzingengine.c
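Review bot: The script refuses to run when `SRC` is empty, yet `SRC` is never used afterwards; every path is derived from `SRC_DIR=$(dirname $0)/../..`, so either the check should be dropped or `SRC_DIR` should be based on `$SRC` as the OSS-Fuzz build environment presumably intends. The expansions in `build_fuzzer` are all unquoted (`$sourceFilename $* -o $OUT/$fuzzerName`, `$(dirname $0)`), so a checkout or `OUT` directory containing spaces breaks the compile line, and `$*` re-splits any extra compiler arguments passed after the source file. Quoting them and switching to `"$@"` is a one-line change: `"$sourceFilename" "$@" -o "$OUT/$fuzzerName" \`. The same unquoted `$(dirname $0)` and `$OUT` pattern recurs in build_seed_corpus.sh in this commit.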
@@ -0,0 +1,72 @@
+/*
+ * The copyright in this software is being made available under the 2-clauses
+ * BSD License, included below. This software may be subject to other third
+ * party and contributor rights, including patent rights, and no such rights
+ * are granted under this license.
+ *
+ * Copyright (c) 2017, IntoPix SA
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS'
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include
+#include
+
+int LLVMFuzzerTestOneInput(void *buf, size_t len);
+int LLVMFuzzerInitialize(int* argc, char*** argv);
+
+int main(int argc, char* argv[])
+{
+ LLVMFuzzerInitialize(&argc, &argv);
+ if (argc < 2) {
+ return LLVMFuzzerTestOneInput(" ", 1);
+ } else {
+ int nRet = 0;
+ void* buf = NULL;
+ int nLen = 0;
+ FILE* f = fopen(argv[1], "rb");
+ if (!f) {
+ fprintf(stderr, "%s does not exist.\n", argv[1]);
+ exit(1);
+ }
+ fseek(f, 0, SEEK_END);
+ nLen = (int)ftell(f);
+ fseek(f, 0, SEEK_SET);
+ buf = malloc(nLen);
+ if (!buf) {
+ fprintf(stderr, "malloc failed.\n");
+ fclose(f);
+ exit(1);
+ }
+ if (fread(buf, nLen, 1, f) != 1) {
+ fprintf(stderr, "fread failed.\n");
+ fclose(f);
+ free(buf);
+ exit(1);
+ }
+ fclose(f);
+ nRet = LLVMFuzzerTestOneInput(buf, nLen);
+ free(buf);
+ return nRet;
+ }
+}
diff --git a/tests/fuzzers/opj_decompress_fuzzer.cpp b/tests/fuzzers/opj_decompress_fuzzer.cpp
new file mode 100644
index 00000000..82f9ea6a
--- /dev/null
+++ b/tests/fuzzers/opj_decompress_fuzzer.cpp
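Review bot: `nLen = (int)ftell(f);` truncates the `long` result and is never checked, so a failing `ftell` yields -1 and `malloc(nLen)` is asked for `SIZE_MAX` bytes, while a zero-byte file makes `fread(buf, 0, 1, f)` return 0 and the driver exits with "fread failed." instead of replaying the empty input through the target. Keep the length as `long`, reject negatives, and pass zero-length files straight through: `long nLen = ftell(f); if (nLen < 0) { fprintf(stderr, "ftell failed.\n"); fclose(f); exit(1); }`, with the `fread` check guarded by `nLen > 0`. The two `fseek` calls are also unchecked; on a non-seekable argument (a pipe or device) the length read here is meaningless. Separately, the prototype declared here, `int LLVMFuzzerTestOneInput(void *buf, size_t len)`, does not match the `const uint8_t *buf` definition in opj_decompress_fuzzer.cpp in this commit; they link because of C linkage, but calling through an incompatible declaration is undefined, and the libFuzzer signature `const uint8_t *Data, size_t Size` should be used in both places.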
@@ -0,0 +1,192 @@
+/*
+ * The copyright in this software is being made available under the 2-clauses
+ * BSD License, included below. This software may be subject to other third
+ * party and contributor rights, including patent rights, and no such rights
+ * are granted under this license.
+ *
+ * Copyright (c) 2017, IntoPix SA
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS'
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include
+#include
+#include
+#include
+
+#include "openjpeg.h"
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv);
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len);
+
+typedef struct {
+ const uint8_t* pabyData;
+ size_t nCurPos;
+ size_t nLength;
+} MemFile;
+
+
+static void ErrorCallback(const char * msg, void *)
+{
+ (void)msg;
+ //fprintf(stderr, "%s\n", msg);
+}
+
+
+static void WarningCallback(const char *, void *)
+{
+}
+
+static void InfoCallback(const char *, void *)
+{
+}
+
+static OPJ_SIZE_T ReadCallback(void* pBuffer, OPJ_SIZE_T nBytes,
+ void *pUserData)
+{
+ MemFile* memFile = (MemFile*)pUserData;
+ //printf("want to read %d bytes at %d\n", (int)memFile->nCurPos, (int)nBytes);
+ if (memFile->nCurPos >= memFile->nLength) {
+ return -1;
+ }
+ if (memFile->nCurPos + nBytes >= memFile->nLength) {
+ size_t nToRead = memFile->nLength - memFile->nCurPos;
+ memcpy(pBuffer, memFile->pabyData + memFile->nCurPos, nToRead);
+ memFile->nCurPos = memFile->nLength;
+ return nToRead;
+ }
+ if (nBytes == 0) {
+ return -1;
+ }
+ memcpy(pBuffer, memFile->pabyData + memFile->nCurPos, nBytes);
+ memFile->nCurPos += nBytes;
+ return nBytes;
+}
+
+static OPJ_BOOL SeekCallback(OPJ_OFF_T nBytes, void * pUserData)
+{
+ MemFile* memFile = (MemFile*)pUserData;
+ //printf("seek to %d\n", (int)nBytes);
+ memFile->nCurPos = nBytes;
+ return OPJ_TRUE;
+}
+
+static OPJ_OFF_T SkipCallback(OPJ_OFF_T nBytes, void * pUserData)
+{
+ MemFile* memFile = (MemFile*)pUserData;
+ memFile->nCurPos += nBytes;
+ return nBytes;
+}
+
+
+int LLVMFuzzerInitialize(int* /*argc*/, char*** argv)
+{
+ return 0;
+}
+
+static const unsigned char jpc_header[] = {0xff, 0x4f};
+static const unsigned char jp2_box_jp[] = {0x6a, 0x50, 0x20, 0x20}; /* 'jP ' */
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+
+ OPJ_CODEC_FORMAT eCodecFormat;
+ if (len >= sizeof(jpc_header) &&
+ memcmp(buf, jpc_header, sizeof(jpc_header)) == 0) {
+ eCodecFormat = OPJ_CODEC_J2K;
+ } else if (len >= 4 + sizeof(jp2_box_jp) &&
+ memcmp(buf + 4, jp2_box_jp, sizeof(jp2_box_jp)) == 0) {
+ eCodecFormat = OPJ_CODEC_JP2;
+ } else {
+ return 0;
+ }
+
+ opj_codec_t* pCodec = opj_create_decompress(eCodecFormat);
+ opj_set_info_handler(pCodec, InfoCallback, NULL);
+ opj_set_warning_handler(pCodec, WarningCallback, NULL);
+ opj_set_error_handler(pCodec, ErrorCallback, NULL);
+
+ opj_dparameters_t parameters;
+ opj_set_default_decoder_parameters(¶meters);
+
+ opj_setup_decoder(pCodec, ¶meters);
+
+ opj_stream_t *pStream = opj_stream_create(1024, OPJ_TRUE);
+ MemFile memFile;
+ memFile.pabyData = buf;
+ memFile.nLength = len;
+ memFile.nCurPos = 0;
+ opj_stream_set_user_data_length(pStream, len);
+ opj_stream_set_read_function(pStream, ReadCallback);
+ opj_stream_set_seek_function(pStream, SeekCallback);
+ opj_stream_set_skip_function(pStream, SkipCallback);
+ opj_stream_set_user_data(pStream, &memFile, NULL);
+
+ opj_image_t * psImage = NULL;
+ if (!opj_read_header(pStream, pCodec, &psImage)) {
+ opj_destroy_codec(pCodec);
+ opj_stream_destroy(pStream);
+ opj_image_destroy(psImage);
+ return 0;
+ }
+
+ OPJ_UINT32 width = psImage->x1 - psImage->x0;
+ OPJ_UINT32 height = psImage->y1 - psImage->y0;
+
+ // Reject too big images since that will require allocating a lot of
+ // memory
+ if (width != 0 && psImage->numcomps != 0 &&
+ (width > INT_MAX / psImage->numcomps ||
+ height > INT_MAX / (width * psImage->numcomps * sizeof(OPJ_UINT32)))) {
+ opj_stream_destroy(pStream);
+ opj_destroy_codec(pCodec);
+ opj_image_destroy(psImage);
+
+ return 0;
+ }
+
+ OPJ_UINT32 width_to_read = width;
+ if (width_to_read > 1024) {
+ width_to_read = 1024;
+ }
+ OPJ_UINT32 height_to_read = height;
+ if (height_to_read > 1024) {
+ height_to_read = 1024;
+ }
+
+ if (opj_set_decode_area(pCodec, psImage,
+ psImage->x0, psImage->y0,
+ psImage->x0 + width_to_read,
+ psImage->y0 + height_to_read)) {
+ if (opj_decode(pCodec, pStream, psImage)) {
+ //printf("success\n");
+ }
+ }
+
+ opj_end_decompress(pCodec, pStream);
+ opj_stream_destroy(pStream);
+ opj_destroy_codec(pCodec);
+ opj_image_destroy(psImage);
+
+ return 0;
+}
diff --git a/tools/travis-ci/run.sh b/tools/travis-ci/run.sh
index 5118657b..97f5f712 100755
--- a/tools/travis-ci/run.sh
+++ b/tools/travis-ci/run.sh
@@ -344,6 +344,12 @@ New/unknown test failure found!!!
 fi
 fi
+if [ "${OPJ_CI_BUILD_FUZZERS:-}" == "1" ]; then
+ cd tests/fuzzers
+ make
+ cd ../..
+fi
+
 if [ "${OPJ_CI_PERF_TESTS:-}" == "1" ]; then
 cd tests/performance
 echo "Running performance tests on current version (dry-run)"
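Review bot: `SeekCallback` stores the signed `OPJ_OFF_T nBytes` into the `size_t nCurPos` without any range check and unconditionally returns `OPJ_TRUE`, and `SkipCallback` likewise adds an unchecked signed offset. Out-of-bounds reads are prevented only because `ReadCallback` compares `nCurPos` against `nLength` first, so the harness stays memory-safe, but the library is told that a seek to a negative or past-the-end position succeeded and then keeps decoding from a position that can never be read, which is a state no real stream produces. Reporting failure instead lets the library take its own error path: `if (nBytes < 0 || (OPJ_SIZE_T)nBytes > memFile->nLength) return OPJ_FALSE;` before the assignment, with the same guard on the skip result. In the same spirit, `return -1;` from a function returning `OPJ_SIZE_T` relies on implicit conversion for the end-of-stream sentinel; writing `(OPJ_SIZE_T)-1` makes the intent visible. The results of `opj_create_decompress`, `opj_stream_create` and `opj_setup_decoder` in `LLVMFuzzerTestOneInput` are not checked, so an allocation failure under the fuzzer's memory limit would surface as a harness crash rather than a library finding.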