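<html>
<!--

  american fuzzy lop++ - <canvas> harness
  -------------------------------------

  Originally written by Michal Zalewski

  Copyright 2013, 2014 Google Inc. All rights reserved.

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at:

    http://www.apache.org/licenses/LICENSE-2.0

  A simple harness for going through afl-generated test cases, rendering them in
  the browser environment, and discovering the use of uninitialized memory and
  similar bugs. This code led to the discovery of a fair number of library and
  browser security bugs!

  The url_list[] array is a placeholder; for this to work properly, it needs to
  be initialized with web-reachable paths to individual test cases. This can
  be done manually or with a simple script.

-->

<body onload="set_images()">

<div id="status"></div>

<div id="image_div"></div>

<canvas height="64" width="64" id="cvs"></canvas>

<h2>Results</h2>

<ul id="output"></ul>

<script>

/*
   How the check works: every test case is loaded USE_IMAGES times, each copy
   is drawn onto the same 64x64 canvas, and the canvas is serialised with
   toDataURL(). All copies come from the same URL, so the serialisations are
   expected to be identical; a test case that yields more than one distinct
   serialisation is reported under "Results" as a candidate decoder bug.

   Serve the test cases from the same origin as this page. A cross-origin
   image drawn without CORS approval taints the canvas, toDataURL() then
   throws, and that copy is never counted.
*/

var c = document.getElementById('cvs');
var ctx = c.getContext('2d');

/* Placeholder list of test case URLs; the null entry terminates the run. */

var url_list = [
  "images/id:000000,[...].jpg",
  "images/id:000001,[...].jpg",
  /* ... */
  null
];

/* Number of times each test case is loaded and rendered. */

var USE_IMAGES = 50;

/* Index into url_list[] of the test case being processed. */

var cur_image = 0;

/* The fragment carries the current index (see set_images()), so a reloaded
   page resumes where it stopped. Anything that is not a non-negative number
   is ignored and the run starts from 0. */

if (location.hash) {

  var resume_at = parseInt(location.hash.substr(1), 10);

  /* NaN fails this comparison, so a malformed fragment is dropped here. */

  if (resume_at >= 0) cur_image = resume_at;

}

var loaded = 0;
var image_obj = [];

/* Timer handle for the 5 second watchdog armed in set_images(). */

var msie_cleanup;


/* Compare the renderings collected for the current test case, report it if
   they differ, then advance to the next test case. Called from count_image()
   once all copies are in, or from the watchdog timer if some never arrive. */

function check_results() {

  var uniques = [];

  clearTimeout(msie_cleanup);

  ctx.clearRect(0, 0, 64, 64);

  /* Collect the distinct renderings. Copies that never produced data (still
     loading when the watchdog fired) are skipped, including copy 0, so a
     late first image cannot show up as a bogus "undefined" variant. */

  for (var i = 0; i < USE_IMAGES; i++) {

    var data = image_obj[i] && image_obj[i].imgdata;

    if (!data) continue;

    if (uniques.indexOf(data) == -1) uniques.push(data);

  }

  if (uniques.length > 1) {

    /* Build the entry with DOM calls instead of concatenating markup, so the
       test case path is shown as text and never parsed as HTML. */

    var item = document.createElement('li');

    item.appendChild(document.createTextNode(' Image ' + url_list[cur_image] +
      ' has ' + uniques.length + ' variants: '));

    for (var k = 0; k < uniques.length; k++) {

      var variant = document.createElement('img');

      variant.src = uniques[k];
      item.appendChild(variant);

    }

    document.getElementById('output').appendChild(item);

  }

  cur_image++;
  set_images();

}


/* onload / onerror handler for every copy of the test case: render it and
   record the canvas contents. `this` is the Image element. */

function count_image() {

  /* Ignore events for unfinished images, repeated events, and images from a
     previous batch (restart_images() marks those as counted). */

  if (!this.complete || this.counted) return;

  this.counted = true;

  loaded++;

  ctx.clearRect(0, 0, 64, 64);

  /* Best effort: if the image cannot be drawn, the cleared canvas is what
     gets recorded for this copy. */

  try {
    ctx.drawImage(this, 0, 0, 64, 64);
  } catch (e) { }

  this.imgdata = c.toDataURL();

  if (loaded == USE_IMAGES) check_results();

}


/* Start processing url_list[cur_image]: publish progress, create a fresh
   batch of Image elements and point all of them at the test case. */

function set_images() {

  loaded = 0;

  document.getElementById('status').textContent = 'Now processing ' + cur_image + '...';
  location.hash = '#' + cur_image;

  /* The null terminator, or an index past the end of the list, ends the run. */

  if (url_list[cur_image] == null) {
    alert('Done!');
    return;
  }

  restart_images();

  /* Watchdog: compare whatever has arrived after 5 seconds, so the run does
     not stall on a copy whose load/error event never fires. */

  msie_cleanup = setTimeout(check_results, 5000);

  /* The random query string gives every copy its own URL (presumably so that
     each one is fetched and decoded separately rather than reused). */

  for (var i = 0; i < USE_IMAGES; i++)
    image_obj[i].src = url_list[cur_image] + '?' + Math.random();

}


/* Retire the previous batch of Image elements and create USE_IMAGES new ones. */

function restart_images() {

  /* Mark the old images as counted so that late events from them are ignored
     by count_image(). */

  for (var i = 0; i < USE_IMAGES; i++)
    if (image_obj[i]) image_obj[i].counted = true;

  document.getElementById('image_div').innerHTML = '';
  image_obj = [];

  for (var i = 0; i < USE_IMAGES; i++) {

    image_obj[i] = new Image();
    image_obj[i].height = 64;
    image_obj[i].width = 64;
    image_obj[i].onerror = count_image;
    image_obj[i].onload = count_image;

    document.getElementById('image_div').appendChild(image_obj[i]);

  }

}

</script>

<!-- NOTE(review): this file does not say why the frame below is embedded.
     It pulls third-party content over plain HTTP into the harness page, so
     run the harness in a disposable browser profile. Confirm its purpose
     before changing or removing it. -->

<iframe src="http://www.cnn.com/" title="Third-party page loaded next to the harness"></iframe>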