Add tests/fuzzers for OSS Fuzz (#965)
parent
c308de39ed
commit
1a8eac6a90
|
@ -72,7 +72,7 @@ matrix:
|
||||||
# Test with CLang 3.8
|
# Test with CLang 3.8
|
||||||
- os: linux
|
- os: linux
|
||||||
compiler: clang-3.8
|
compiler: clang-3.8
|
||||||
env: OPJ_CI_CC=clang-3.8 OPJ_CI_CXX=clang-3.8 OPJ_CI_ARCH=x86_64 OPJ_CI_BUILD_CONFIGURATION=Release OPJ_CI_PERF_TESTS=1
|
env: OPJ_CI_CC=clang-3.8 OPJ_CI_CXX=clang-3.8 OPJ_CI_ARCH=x86_64 OPJ_CI_BUILD_CONFIGURATION=Release OPJ_CI_PERF_TESTS=1 OPJ_CI_BUILD_FUZZERS=1
|
||||||
addons:
|
addons:
|
||||||
apt:
|
apt:
|
||||||
sources:
|
sources:
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
default: dummyfuzzers
|
||||||
|
|
||||||
|
clean:
|
||||||
|
$(RM) -f *.o *.a
|
||||||
|
|
||||||
|
fuzzingengine.o: fuzzingengine.c
|
||||||
|
$(CC) $(CFLAGS) -c -o $@ $<
|
||||||
|
|
||||||
|
dummyfuzzers: fuzzingengine.o
|
||||||
|
$(AR) r libFuzzingEngine.a fuzzingengine.o
|
||||||
|
CXX="${CXX}" CXXFLAGS="-L. ${CXXFLAGS}" SRC=/tmp OUT=/tmp ./build_google_oss_fuzzers.sh
|
||||||
|
OUT=/tmp ./build_seed_corpus.sh
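Review bot: The `dummyfuzzers` recipe hard-codes `SRC=/tmp OUT=/tmp`, so the fuzzer binaries and the seed-corpus zip are written under fixed, predictable names in a shared world-writable directory, and `clean` never removes them. On a multi-user build host a pre-existing file or symlink at one of those paths can be overwritten or followed by the build. A private, overridable output directory created by the recipe avoids that, e.g. `FUZZ_OUT ?= $(CURDIR)/out` with `OUT=$(FUZZ_OUT)` passed to both scripts. `default`, `clean` and `dummyfuzzers` should also be declared in `.PHONY`, since none of them produces a file of that name.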
|
|
@ -0,0 +1,52 @@
|
||||||
|
This directory contain fuzzer main functions and scripts for the
|
||||||
|
Google OSS Fuzz project: https://github.com/google/oss-fuzz/
|
||||||
|
|
||||||
|
The main build scripts are in:
|
||||||
|
https://github.com/google/oss-fuzz/tree/master/projects/openjpeg
|
||||||
|
and call scripts in this directory.
|
||||||
|
|
||||||
|
The list of issues is in:
|
||||||
|
https://bugs.chromium.org/p/oss-fuzz/issues/list?q=openjpeg
|
||||||
|
|
||||||
|
|
||||||
|
- Simulate the build of (dummy) fuzzers like OSS Fuzz does:
|
||||||
|
|
||||||
|
Preliminary steps:
|
||||||
|
$ cd ${ROOT_OF_OPENJPEG}
|
||||||
|
$ git clone --depth 1 https://github.com/uclouvain/openjpeg-data data
|
||||||
|
$ mkdir build
|
||||||
|
$ cd build
|
||||||
|
$ cmake ..
|
||||||
|
$ make
|
||||||
|
$ cd ..
|
||||||
|
|
||||||
|
Actual building of fuzzer and seed corpus:
|
||||||
|
$ cd tests/fuzzers
|
||||||
|
$ make
|
||||||
|
|
||||||
|
They are created in /tmp/*_fuzzer as well as with the
|
||||||
|
/tmp/*_fuzzer_seed_corpus.zip files
|
||||||
|
|
||||||
|
Run one:
|
||||||
|
$ /tmp/opj_decompress_fuzzer a_file_name
|
||||||
|
|
||||||
|
- Run locally OSS Fuzz:
|
||||||
|
$ git clone https://github.com/google/oss-fuzz.git
|
||||||
|
$ cd oss-fuzz
|
||||||
|
$ python infra/helper.py build_image openjpeg
|
||||||
|
|
||||||
|
Build fuzzers with the address sanitizer (could use undefined, etc...)
|
||||||
|
$ python infra/helper.py build_fuzzers --sanitizer address openjpeg
|
||||||
|
|
||||||
|
Test a particular fuzzer (replace opj_decompress_fuzzer by other fuzzers
|
||||||
|
like the ones generated in /tmp by "make dummyfuzzers")
|
||||||
|
$ python infra/helper.py run_fuzzer openjpeg opj_decompress_fuzzer
|
||||||
|
|
||||||
|
|
||||||
|
How to deal with issues reported in https://bugs.chromium.org/p/oss-fuzz/issues/list?q=openjpeg ?
|
||||||
|
|
||||||
|
1. Leave a comment in (chromium database) bug entry to indicate that you work on it
|
||||||
|
2. Work
|
||||||
|
3. Commit a bug fix with log including "Credit to OSS-Fuzz" and a link to the bugs.chromium.org ticket
|
||||||
|
4. Add in the bugs.chromium.org ticket a link to the github commit implementing the fix.
|
||||||
|
5. Check chromium closed the bug (after one or two days typically)
|
|
@ -0,0 +1,39 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
if [ "$SRC" == "" ]; then
|
||||||
|
echo "SRC env var not defined"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$OUT" == "" ]; then
|
||||||
|
echo "OUT env var not defined"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$CXX" == "" ]; then
|
||||||
|
echo "CXX env var not defined"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
SRC_DIR=$(dirname $0)/../..
|
||||||
|
|
||||||
|
build_fuzzer()
|
||||||
|
{
|
||||||
|
fuzzerName=$1
|
||||||
|
sourceFilename=$2
|
||||||
|
shift
|
||||||
|
shift
|
||||||
|
echo "Building fuzzer $fuzzerName"
|
||||||
|
$CXX $CXXFLAGS -std=c++11 -I$SRC_DIR/src/lib/openjp2 -I$SRC_DIR/build/src/lib/openjp2 \
|
||||||
|
$sourceFilename $* -o $OUT/$fuzzerName \
|
||||||
|
-lFuzzingEngine $SRC_DIR/build/bin/libopenjp2.a -lm -lpthread
|
||||||
|
}
|
||||||
|
|
||||||
|
fuzzerFiles=$(dirname $0)/*.cpp
|
||||||
|
for F in $fuzzerFiles; do
|
||||||
|
fuzzerName=$(basename $F .cpp)
|
||||||
|
build_fuzzer $fuzzerName $F
|
||||||
|
done
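Review bot: Every expansion in `build_fuzzer` and in the loop is unquoted (`$(dirname $0)`, `$OUT/$fuzzerName`, `$sourceFilename $*`), so a checkout path or `OUT` value containing whitespace or glob characters is word-split before it reaches the compiler; the seed-corpus script in this commit has the same pattern in its `cd`, `rm -f` and `zip` lines. Quote the path expansions and forward the extra arguments with `"$@"`, e.g. `SRC_DIR="$(dirname "$0")/../.."` and `"$sourceFilename" "$@" -o "$OUT/$fuzzerName"`; `$CXXFLAGS` has to stay unquoted because it is meant to split. `SRC` is required by the check at the top but is not used afterwards in the visible script, so either drop the check or add a comment saying it is kept for parity with the OSS-Fuzz build environment.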
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
if [ "$OUT" == "" ]; then
|
||||||
|
echo "OUT env var not defined"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
SRC_DIR=$(dirname $0)/../..
|
||||||
|
|
||||||
|
cd $SRC_DIR/data/input/conformance
|
||||||
|
rm -f $OUT/opj_decompress_fuzzer_seed_corpus.zip
|
||||||
|
zip $OUT/opj_decompress_fuzzer_seed_corpus.zip *.jp2 *.j2k
|
||||||
|
cd $OLDPWD
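Review bot: `OUT` is used after `cd $SRC_DIR/data/input/conformance`, so a relative `OUT` is resolved against the conformance directory instead of the caller's working directory, and `rm -f` and `zip` then act on a different path than the caller meant. Resolving it before the `cd`, e.g. `OUT=$(cd "$OUT" && pwd)`, or stating in a header comment that `OUT` must be absolute, keeps the script safe to call outside the Makefile. A comment noting that the openjpeg-data checkout must exist at `data/` would also explain the otherwise bare `cd` failure under `set -e`.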
|
|
@ -0,0 +1,72 @@
|
||||||
|
/*
|
||||||
|
* The copyright in this software is being made available under the 2-clauses
|
||||||
|
* BSD License, included below. This software may be subject to other third
|
||||||
|
* party and contributor rights, including patent rights, and no such rights
|
||||||
|
* are granted under this license.
|
||||||
|
*
|
||||||
|
* Copyright (c) 2017, IntoPix SA <contact@intopix.com>
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS'
|
||||||
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||||
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||||
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
||||||
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||||
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||||
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||||
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||||
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||||
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(void *buf, size_t len);
|
||||||
|
int LLVMFuzzerInitialize(int* argc, char*** argv);
|
||||||
|
|
||||||
|
int main(int argc, char* argv[])
|
||||||
|
{
|
||||||
|
LLVMFuzzerInitialize(&argc, &argv);
|
||||||
|
if (argc < 2) {
|
||||||
|
return LLVMFuzzerTestOneInput(" ", 1);
|
||||||
|
} else {
|
||||||
|
int nRet = 0;
|
||||||
|
void* buf = NULL;
|
||||||
|
int nLen = 0;
|
||||||
|
FILE* f = fopen(argv[1], "rb");
|
||||||
|
if (!f) {
|
||||||
|
fprintf(stderr, "%s does not exist.\n", argv[1]);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
fseek(f, 0, SEEK_END);
|
||||||
|
nLen = (int)ftell(f);
|
||||||
|
fseek(f, 0, SEEK_SET);
|
||||||
|
buf = malloc(nLen);
|
||||||
|
if (!buf) {
|
||||||
|
fprintf(stderr, "malloc failed.\n");
|
||||||
|
fclose(f);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
if (fread(buf, nLen, 1, f) != 1) {
|
||||||
|
fprintf(stderr, "fread failed.\n");
|
||||||
|
fclose(f);
|
||||||
|
free(buf);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
fclose(f);
|
||||||
|
nRet = LLVMFuzzerTestOneInput(buf, nLen);
|
||||||
|
free(buf);
|
||||||
|
return nRet;
|
||||||
|
}
|
||||||
|
}
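Review bot: The results of `fseek` and `ftell` in `main` are not checked and the length is narrowed to `int`, so an unseekable input yields `nLen == -1`, which `malloc` receives as a huge size, and an empty file ends in "malloc failed." or "fread failed." instead of being handed to the fuzz target. Keep the length as `long` and reject errors explicitly, e.g. `long nLen = ftell(f); if (nLen < 0) { fclose(f); exit(1); }`, and call `fread` only when `nLen > 0`. The prototype `int LLVMFuzzerTestOneInput(void *buf, size_t len)` also differs from the `const uint8_t *` definition in the C++ fuzzer added by this commit; declaring the parameter `const void *` keeps the qualifier and avoids passing the string literal `" "` as a mutable pointer.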
|
|
@ -0,0 +1,192 @@
|
||||||
|
/*
|
||||||
|
* The copyright in this software is being made available under the 2-clauses
|
||||||
|
* BSD License, included below. This software may be subject to other third
|
||||||
|
* party and contributor rights, including patent rights, and no such rights
|
||||||
|
* are granted under this license.
|
||||||
|
*
|
||||||
|
* Copyright (c) 2017, IntoPix SA <contact@intopix.com>
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS'
|
||||||
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||||
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||||
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
||||||
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||||
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||||
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||||
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||||
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||||
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
|
* POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stddef.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <limits.h>
|
||||||
|
|
||||||
|
#include "openjpeg.h"
|
||||||
|
|
||||||
|
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv);
|
||||||
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len);
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
const uint8_t* pabyData;
|
||||||
|
size_t nCurPos;
|
||||||
|
size_t nLength;
|
||||||
|
} MemFile;
|
||||||
|
|
||||||
|
|
||||||
|
static void ErrorCallback(const char * msg, void *)
|
||||||
|
{
|
||||||
|
(void)msg;
|
||||||
|
//fprintf(stderr, "%s\n", msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static void WarningCallback(const char *, void *)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
static void InfoCallback(const char *, void *)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
static OPJ_SIZE_T ReadCallback(void* pBuffer, OPJ_SIZE_T nBytes,
|
||||||
|
void *pUserData)
|
||||||
|
{
|
||||||
|
MemFile* memFile = (MemFile*)pUserData;
|
||||||
|
//printf("want to read %d bytes at %d\n", (int)memFile->nCurPos, (int)nBytes);
|
||||||
|
if (memFile->nCurPos >= memFile->nLength) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if (memFile->nCurPos + nBytes >= memFile->nLength) {
|
||||||
|
size_t nToRead = memFile->nLength - memFile->nCurPos;
|
||||||
|
memcpy(pBuffer, memFile->pabyData + memFile->nCurPos, nToRead);
|
||||||
|
memFile->nCurPos = memFile->nLength;
|
||||||
|
return nToRead;
|
||||||
|
}
|
||||||
|
if (nBytes == 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
memcpy(pBuffer, memFile->pabyData + memFile->nCurPos, nBytes);
|
||||||
|
memFile->nCurPos += nBytes;
|
||||||
|
return nBytes;
|
||||||
|
}
|
||||||
|
|
||||||
|
static OPJ_BOOL SeekCallback(OPJ_OFF_T nBytes, void * pUserData)
|
||||||
|
{
|
||||||
|
MemFile* memFile = (MemFile*)pUserData;
|
||||||
|
//printf("seek to %d\n", (int)nBytes);
|
||||||
|
memFile->nCurPos = nBytes;
|
||||||
|
return OPJ_TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static OPJ_OFF_T SkipCallback(OPJ_OFF_T nBytes, void * pUserData)
|
||||||
|
{
|
||||||
|
MemFile* memFile = (MemFile*)pUserData;
|
||||||
|
memFile->nCurPos += nBytes;
|
||||||
|
return nBytes;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int LLVMFuzzerInitialize(int* /*argc*/, char*** argv)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const unsigned char jpc_header[] = {0xff, 0x4f};
|
||||||
|
static const unsigned char jp2_box_jp[] = {0x6a, 0x50, 0x20, 0x20}; /* 'jP ' */
|
||||||
|
|
||||||
|
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
|
||||||
|
{
|
||||||
|
|
||||||
|
OPJ_CODEC_FORMAT eCodecFormat;
|
||||||
|
if (len >= sizeof(jpc_header) &&
|
||||||
|
memcmp(buf, jpc_header, sizeof(jpc_header)) == 0) {
|
||||||
|
eCodecFormat = OPJ_CODEC_J2K;
|
||||||
|
} else if (len >= 4 + sizeof(jp2_box_jp) &&
|
||||||
|
memcmp(buf + 4, jp2_box_jp, sizeof(jp2_box_jp)) == 0) {
|
||||||
|
eCodecFormat = OPJ_CODEC_JP2;
|
||||||
|
} else {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
opj_codec_t* pCodec = opj_create_decompress(eCodecFormat);
|
||||||
|
opj_set_info_handler(pCodec, InfoCallback, NULL);
|
||||||
|
opj_set_warning_handler(pCodec, WarningCallback, NULL);
|
||||||
|
opj_set_error_handler(pCodec, ErrorCallback, NULL);
|
||||||
|
|
||||||
|
opj_dparameters_t parameters;
|
||||||
|
opj_set_default_decoder_parameters(¶meters);
|
||||||
|
|
||||||
|
opj_setup_decoder(pCodec, ¶meters);
|
||||||
|
|
||||||
|
opj_stream_t *pStream = opj_stream_create(1024, OPJ_TRUE);
|
||||||
|
MemFile memFile;
|
||||||
|
memFile.pabyData = buf;
|
||||||
|
memFile.nLength = len;
|
||||||
|
memFile.nCurPos = 0;
|
||||||
|
opj_stream_set_user_data_length(pStream, len);
|
||||||
|
opj_stream_set_read_function(pStream, ReadCallback);
|
||||||
|
opj_stream_set_seek_function(pStream, SeekCallback);
|
||||||
|
opj_stream_set_skip_function(pStream, SkipCallback);
|
||||||
|
opj_stream_set_user_data(pStream, &memFile, NULL);
|
||||||
|
|
||||||
|
opj_image_t * psImage = NULL;
|
||||||
|
if (!opj_read_header(pStream, pCodec, &psImage)) {
|
||||||
|
opj_destroy_codec(pCodec);
|
||||||
|
opj_stream_destroy(pStream);
|
||||||
|
opj_image_destroy(psImage);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
OPJ_UINT32 width = psImage->x1 - psImage->x0;
|
||||||
|
OPJ_UINT32 height = psImage->y1 - psImage->y0;
|
||||||
|
|
||||||
|
// Reject too big images since that will require allocating a lot of
|
||||||
|
// memory
|
||||||
|
if (width != 0 && psImage->numcomps != 0 &&
|
||||||
|
(width > INT_MAX / psImage->numcomps ||
|
||||||
|
height > INT_MAX / (width * psImage->numcomps * sizeof(OPJ_UINT32)))) {
|
||||||
|
opj_stream_destroy(pStream);
|
||||||
|
opj_destroy_codec(pCodec);
|
||||||
|
opj_image_destroy(psImage);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
OPJ_UINT32 width_to_read = width;
|
||||||
|
if (width_to_read > 1024) {
|
||||||
|
width_to_read = 1024;
|
||||||
|
}
|
||||||
|
OPJ_UINT32 height_to_read = height;
|
||||||
|
if (height_to_read > 1024) {
|
||||||
|
height_to_read = 1024;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (opj_set_decode_area(pCodec, psImage,
|
||||||
|
psImage->x0, psImage->y0,
|
||||||
|
psImage->x0 + width_to_read,
|
||||||
|
psImage->y0 + height_to_read)) {
|
||||||
|
if (opj_decode(pCodec, pStream, psImage)) {
|
||||||
|
//printf("success\n");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
opj_end_decompress(pCodec, pStream);
|
||||||
|
opj_stream_destroy(pStream);
|
||||||
|
opj_destroy_codec(pCodec);
|
||||||
|
opj_image_destroy(psImage);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
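Review bot: The memory-stream callbacks do not validate the offsets they receive: `SeekCallback` stores a signed `OPJ_OFF_T` into the `size_t` field `nCurPos` and always returns `OPJ_TRUE`, `SkipCallback` adds without bounds, and in `ReadCallback` the test `memFile->nCurPos + nBytes >= memFile->nLength` can wrap for a very large `nBytes` and fall through to the unclamped `memcpy`. As written, only the first check in `ReadCallback` keeps an out-of-range position from being dereferenced, so a mistake in the harness would be reported as a finding in the library. Suggest `if (nBytes < 0 || (size_t)nBytes > memFile->nLength) return OPJ_FALSE;` in `SeekCallback` and the wrap-free comparison `if (nBytes >= memFile->nLength - memFile->nCurPos)` in `ReadCallback`. The return values of `opj_create_decompress`, `opj_stream_create` and `opj_setup_decoder` in `LLVMFuzzerTestOneInput` are also used unchecked; an early `return 0` on failure would keep allocation failures out of the crash reports.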
|
|
@ -344,6 +344,12 @@ New/unknown test failure found!!!
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "${OPJ_CI_BUILD_FUZZERS:-}" == "1" ]; then
|
||||||
|
cd tests/fuzzers
|
||||||
|
make
|
||||||
|
cd ../..
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "${OPJ_CI_PERF_TESTS:-}" == "1" ]; then
|
if [ "${OPJ_CI_PERF_TESTS:-}" == "1" ]; then
|
||||||
cd tests/performance
|
cd tests/performance
|
||||||
echo "Running performance tests on current version (dry-run)"
|
echo "Running performance tests on current version (dry-run)"
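Review bot: The new fuzzer step runs `cd tests/fuzzers`, `make`, `cd ../..` as separate commands, so a failing `make` stops the job only if the enclosing script runs with errexit, which is not visible in this hunk (the script continues outside it). A subshell makes the failure handling explicit and leaves the working directory untouched: `(cd tests/fuzzers && make) || exit 1`. A one-line comment such as `# Build the OSS-Fuzz harnesses against the dummy engine to catch compile breakage` would make clear that this is a build check and not a fuzzing run.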
|
||||||
|
|