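<!doctype html>
<html lang="en">
<!--

  american fuzzy lop++ - <canvas> harness
  -------------------------------------

  Originally written by Michal Zalewski

  Copyright 2013, 2014 Google Inc. All rights reserved.

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at:

    http://www.apache.org/licenses/LICENSE-2.0

  A simple harness for going through afl-generated test cases, rendering them in
  the browser environment, and discovering the use of uninitialized memory and
  similar bugs. This code led to the discovery of a fair number of library and
  browser security bugs!

  The url_list[] array is a placeholder; for this to work properly, it needs to
  be initialized with web-reachable paths to individual test cases. This can
  be done manually or with a simple script.

  How it works: every test case is loaded USE_IMAGES times, each copy with a
  distinct cache-busting query string, each copy is drawn onto a small
  <canvas>, and the canvas is serialized with toDataURL(). The renderings of
  one and the same input are then compared with each other: if they are not
  all identical (the idea being that a decoder reading uninitialized memory
  produces pixels that vary from decode to decode), the input is listed under
  "Results" with one thumbnail per distinct rendering.

  Operational notes:
    - The test cases in images/ MUST be served from the same origin as this
      page. Drawing a cross-origin image taints the canvas and toDataURL()
      then throws a SecurityError, so nothing can be compared.
    - The inputs are fuzzer output and are expected to crash or hang the
      decoder under test; run this in a disposable browser profile. Progress
      is kept in location.hash, so a reload resumes at the current input.

-->
<head>
<meta charset="utf-8">
<title>afl++ canvas harness</title>
</head>
<body>

<div id="status"></div>

<div id="image_div"></div>

<canvas height="64" width="64" id="cvs"></canvas>

<h2>Results</h2>

<ul id="output"></ul>

<script>

var c = document.getElementById('cvs');
var ctx = c.getContext('2d');

/* Placeholder: replace with the web-reachable paths of the afl test cases.
   The trailing null is the end-of-list sentinel that set_images() stops on. */
var url_list = [
  "images/id:000000,[...].jpg",
  "images/id:000001,[...].jpg",
  /* ... */
  null
];

/* Number of independent copies of each test case that are decoded and
   compared against each other. */
var USE_IMAGES = 50;

/* Index into url_list of the test case currently being processed. Mirrored
   into location.hash by set_images() so that a reload resumes here. */
var cur_image = 0;

if (location.hash) {
  /* Accept only a plain non-negative integer from the fragment. Anything
     else (NaN, negative, trailing garbage) would otherwise be used as an
     array index and shown in the status line; restart from 0 instead. */
  var hash_idx = parseInt(location.hash.substr(1), 10);
  if (!isNaN(hash_idx) && hash_idx >= 0) cur_image = hash_idx;
}

/* Number of copies of the current test case that have fired onload/onerror. */
var loaded = 0;

/* The Image objects for the current test case, USE_IMAGES of them. */
var image_obj = [];

/* Timer that forces check_results() after 5 s even if some copies never fire
   an event; the name suggests it was added as an MSIE workaround. */
var msie_cleanup;

/* Compares the USE_IMAGES renderings of the current test case, reports the
   test case if it produced more than one distinct rendering, and advances to
   the next one. Runs once per test case: from count_image() once every copy
   has fired, or from the msie_cleanup timer, whichever comes first. */
function check_results() {

  clearTimeout(msie_cleanup);

  ctx.clearRect(0, 0, 64, 64);

  /* Distinct renderings (as data: URLs). Copies that never produced a
     rendering (no imgdata) are skipped rather than counted as a variant —
     the original code always seeded this list with image_obj[0].imgdata,
     which reported a spurious "undefined" variant when copy 0 never fired. */
  var uniques = [];

  for (var i = 0; i < USE_IMAGES; i++) {

    var data = image_obj[i] ? image_obj[i].imgdata : null;

    if (!data) continue;

    if (uniques.indexOf(data) == -1) uniques.push(data);

  }

  if (uniques.length > 1) {

    /* Build the report with DOM APIs rather than innerHTML string
       concatenation: url_list entries are file names generated outside this
       page and must never be interpreted as markup, and `innerHTML +=`
       re-parses the whole results list on every report. */
    var item = document.createElement('li');
    item.appendChild(document.createTextNode(
      ' Image ' + url_list[cur_image] + ' has ' + uniques.length + ' variants: '));

    for (var j = 0; j < uniques.length; j++) {
      var thumb = document.createElement('img');
      thumb.src = uniques[j];
      thumb.alt = 'variant ' + (j + 1) + ' of ' + url_list[cur_image];
      item.appendChild(thumb);
    }

    document.getElementById('output').appendChild(item);

  }

  cur_image++;
  set_images();
}

/* onload/onerror handler for one copy of the test case (`this` is the Image).
   Draws the copy onto the canvas, snapshots the result into this.imgdata,
   and triggers check_results() once every copy has been counted. */
function count_image() {

  /* Ignore events from copies that are not fully loaded, that have already
     been counted, or that belong to a previous test case (restart_images()
     marks those as counted before discarding them). */
  if (!this.complete || this.counted) return;

  this.counted = true;

  loaded++;

  ctx.clearRect(0, 0, 64, 64);

  /* drawImage() throws for an image in the broken state (e.g. after
     onerror). The cleared canvas then stands in as this copy's rendering,
     which is what we want to compare, so the exception is deliberately
     ignored. */
  try {
    ctx.drawImage(this, 0, 0, 64, 64);
  } catch (e) { }

  /* Throws a SecurityError if the canvas is tainted, i.e. if the test case
     was not served from this page's origin. */
  this.imgdata = c.toDataURL();

  if (loaded == USE_IMAGES) check_results();
}

/* Starts processing url_list[cur_image]: updates the status line and
   location.hash, stops at the null sentinel, then kicks off USE_IMAGES
   fresh loads of the test case. */
function set_images() {

  loaded = 0;

  document.getElementById('status').textContent = 'Now processing ' + cur_image + '...';
  location.hash = '#' + cur_image;

  /* The null sentinel, or an index past the end of the list (undefined == null). */
  if (url_list[cur_image] == null) {
    alert('Done!');
    return;
  }

  restart_images();

  /* Safety net: if some copies never fire onload/onerror, evaluate whatever
     has been rendered after 5 s rather than stalling on this input forever. */
  msie_cleanup = setTimeout(check_results, 5000);

  /* Each copy gets a unique query string so the browser treats it as a
     distinct resource and decodes it afresh instead of reusing a cached
     decode. The random value is only a cache key; it has no security role
     and does not need to be unpredictable. If the path already carries a
     query string, append with '&' instead of producing a second '?'. */
  var url = url_list[cur_image];
  var sep = url.indexOf('?') == -1 ? '?' : '&';

  for (var i = 0; i < USE_IMAGES; i++)
    image_obj[i].src = url + sep + Math.random();

}

/* Discards the Image objects of the previous test case and creates
   USE_IMAGES fresh ones wired to count_image(). */
function restart_images() {

  /* Late onload/onerror events from the old Images must not bump `loaded`
     for the new test case: mark them counted before dropping them. */
  for (var i = 0; i < USE_IMAGES; i++)
    if (image_obj[i]) image_obj[i].counted = true;

  var container = document.getElementById('image_div');

  container.innerHTML = '';
  image_obj = [];

  for (var k = 0; k < USE_IMAGES; k++) {

    var img = new Image();
    img.height = 64;
    img.width = 64;
    img.onerror = count_image;
    img.onload = count_image;

    image_obj[k] = img;
    container.appendChild(img);

  }

}

window.addEventListener('load', set_images);

</script>

<!-- NOTE(review): the purpose of this iframe is not documented in the file.
     It presumably exists to keep the renderer busy / churn the heap while the
     copies decode, which is why it is left unsandboxed here — confirm that
     before removing or tightening it. As written it pulls a live third-party
     page on every run, so results depend on the network and on whatever that
     site serves today; a local page would make runs reproducible. The fetch is
     at least done over HTTPS and without a Referer. -->
<iframe src="https://www.cnn.com/" title="Background page load (see note above)"
        referrerpolicy="no-referrer"></iframe>

</body>
</html>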