/* * Copyright 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include #include #ifdef FUZZ_HEIF_FORMAT #include #ifdef __ANDROID__ #include #include #else #include #endif //__ANDROID__ #endif // FUZZ_HEIF_FORMAT #ifdef PNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR #include #endif constexpr int32_t kMaxDimension = 5000; constexpr int32_t kMinDimension = 0; struct PixelFreer { void operator()(void* pixels) const { std::free(pixels); } }; using PixelPointer = std::unique_ptr; #ifndef FUZZ_HEIF_FORMAT #define FOURCC(c1, c2, c3, c4) ((c1) << 24 | (c2) << 16 | (c3) << 8 | (c4)) /** Reverse all 4 bytes in a 32bit value. e.g. 0x12345678 -> 0x78563412 */ static uint32_t endianSwap32(uint32_t value) { return ((value & 0xFF) << 24) | ((value & 0xFF00) << 8) | ((value & 0xFF0000) >> 8) | (value >> 24); } static bool isFtyp(const uint8_t* data, size_t size) { constexpr int32_t headerSize = 8; constexpr int32_t chunkTypeOffset = 4; constexpr int32_t ftypFourCCVal = FOURCC('f', 't', 'y', 'p'); if (size >= headerSize) { const uint32_t* chunk = reinterpret_cast(data + chunkTypeOffset); if (endianSwap32(*chunk) == ftypFourCCVal) { return true; } } return false; } #endif AImageDecoder* init(const uint8_t* data, size_t size, bool useFileDescriptor) { AImageDecoder* decoder = nullptr; #ifndef FUZZ_HEIF_FORMAT if (isFtyp(data, size)) { /* We want to ignore HEIF data when fuzzing non-HEIF image decoders. Use 'FTYP' * as a signal to ignore, though note that this excludes more than just HEIF. * But when this code was added, `AImageDecoder` did not support any formats * in 'FTYP' besides HEIF. */ return nullptr; } #endif // FUZZ_HEIF_FORMAT if (useFileDescriptor) { constexpr char testFd[] = "tempFd"; int32_t fileDesc = open(testFd, O_RDWR | O_CREAT | O_TRUNC); write(fileDesc, data, size); AImageDecoder_createFromFd(fileDesc, &decoder); close(fileDesc); } else { AImageDecoder_createFromBuffer(data, size, &decoder); } return decoder; } extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { FuzzedDataProvider dataProvider = FuzzedDataProvider(data, size); #ifdef FUZZ_HEIF_FORMAT /** * For image formats like HEIF, a new metadata object is * created which requires "media.player" service running */ static std::once_flag callOnceHEIF; std::call_once(callOnceHEIF, [&]() { android::sp fakeServiceManager = new android::FakeServiceManager(); setDefaultServiceManager(fakeServiceManager); #ifdef __ANDROID__ android::MediaPlayerService::instantiate(); android::MediaExtractorService::instantiate(); #else auto binderExtractor = android::getRandomBinder(&dataProvider); auto binderPlayer = android::getRandomBinder(&dataProvider); fakeServiceManager->addService(android::String16("media.extractor"), binderExtractor); fakeServiceManager->addService(android::String16("media.player"), binderPlayer); #endif //__ANDROID__ }); #endif // FUZZ_HEIF_FORMAT /** * Use maximum of 80% of buffer for creating decoder and save at least * 20% buffer for fuzzing other APIs */ const int32_t dataSize = dataProvider.ConsumeIntegralInRange(0, (size * 80) / 100); std::vector inputBuffer = dataProvider.ConsumeBytes(dataSize); AImageDecoder* decoder = init(inputBuffer.data(), inputBuffer.size(), dataProvider.ConsumeBool()); if (!decoder) { return 0; } const AImageDecoderHeaderInfo* headerInfo = AImageDecoder_getHeaderInfo(decoder); AImageDecoderFrameInfo* frameInfo = AImageDecoderFrameInfo_create(); int32_t height = AImageDecoderHeaderInfo_getHeight(headerInfo); int32_t width = AImageDecoderHeaderInfo_getWidth(headerInfo); while (dataProvider.remaining_bytes()) { auto invokeImageApi = dataProvider.PickValueInArray>({ [&]() { int32_t testHeight = dataProvider.ConsumeIntegralInRange(kMinDimension, kMaxDimension); int32_t testWidth = dataProvider.ConsumeIntegralInRange(kMinDimension, kMaxDimension); int32_t result = AImageDecoder_setTargetSize(decoder, testHeight, testWidth); if (result == ANDROID_IMAGE_DECODER_SUCCESS) { height = testHeight; width = testWidth; } }, [&]() { const bool required = dataProvider.ConsumeBool(); AImageDecoder_setUnpremultipliedRequired(decoder, required); }, [&]() { AImageDecoder_setAndroidBitmapFormat( decoder, dataProvider.ConsumeIntegralInRange< int32_t>(ANDROID_BITMAP_FORMAT_NONE, ANDROID_BITMAP_FORMAT_RGBA_1010102) /* format */); }, [&]() { AImageDecoder_setDataSpace(decoder, dataProvider .ConsumeIntegral() /* dataspace */); }, [&]() { ARect rect{dataProvider.ConsumeIntegral() /* left */, dataProvider.ConsumeIntegral() /* top */, dataProvider.ConsumeIntegral() /* right */, dataProvider.ConsumeIntegral() /* bottom */}; AImageDecoder_setCrop(decoder, rect); }, [&]() { AImageDecoderHeaderInfo_getWidth(headerInfo); }, [&]() { AImageDecoderHeaderInfo_getMimeType(headerInfo); }, [&]() { AImageDecoderHeaderInfo_getAlphaFlags(headerInfo); }, [&]() { AImageDecoderHeaderInfo_getAndroidBitmapFormat(headerInfo); }, [&]() { int32_t tempHeight; int32_t tempWidth; AImageDecoder_computeSampledSize(decoder, dataProvider.ConsumeIntegral< int>() /* sampleSize */, &tempWidth, &tempHeight); }, [&]() { AImageDecoderHeaderInfo_getDataSpace(headerInfo); }, [&]() { AImageDecoder_getRepeatCount(decoder); }, [&]() { AImageDecoder_getFrameInfo(decoder, frameInfo); }, [&]() { AImageDecoderFrameInfo_getDuration(frameInfo); }, [&]() { AImageDecoderFrameInfo_hasAlphaWithinBounds(frameInfo); }, [&]() { AImageDecoderFrameInfo_getDisposeOp(frameInfo); }, [&]() { AImageDecoderFrameInfo_getBlendOp(frameInfo); }, [&]() { AImageDecoder_setInternallyHandleDisposePrevious( decoder, dataProvider.ConsumeBool() /* handle */); }, [&]() { AImageDecoder_rewind(decoder); }, [&]() { AImageDecoder_advanceFrame(decoder); }, [&]() { size_t stride = AImageDecoder_getMinimumStride(decoder); size_t pixelSize = height * stride; auto pixels = PixelPointer(std::malloc(pixelSize)); if (!pixels.get()) { return; } AImageDecoder_decodeImage(decoder, pixels.get(), stride, pixelSize); }, }); invokeImageApi(); } AImageDecoderFrameInfo_delete(frameInfo); AImageDecoder_delete(decoder); return 0; }