xref: /aosp_15_r20/external/pdfium/testing/fuzzers/pdf_jpx_fuzzer.cc (revision 3ac0a46f773bac49fa9476ec2b1cf3f8da5ec3a4) 
1*3ac0a46fSAndroid Build Coastguard Worker // Copyright 2016 The PDFium Authors
2*3ac0a46fSAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*3ac0a46fSAndroid Build Coastguard Worker // found in the LICENSE file.
4*3ac0a46fSAndroid Build Coastguard Worker 
5*3ac0a46fSAndroid Build Coastguard Worker #include <cstdint>
6*3ac0a46fSAndroid Build Coastguard Worker #include <memory>
7*3ac0a46fSAndroid Build Coastguard Worker 
8*3ac0a46fSAndroid Build Coastguard Worker #include "core/fpdfapi/page/cpdf_colorspace.h"
9*3ac0a46fSAndroid Build Coastguard Worker #include "core/fxcodec/jpx/cjpx_decoder.h"
10*3ac0a46fSAndroid Build Coastguard Worker #include "core/fxcrt/fx_safe_types.h"
11*3ac0a46fSAndroid Build Coastguard Worker #include "core/fxge/dib/cfx_dibitmap.h"
12*3ac0a46fSAndroid Build Coastguard Worker #include "core/fxge/dib/fx_dib.h"
13*3ac0a46fSAndroid Build Coastguard Worker 
14*3ac0a46fSAndroid Build Coastguard Worker namespace {
15*3ac0a46fSAndroid Build Coastguard Worker 
16*3ac0a46fSAndroid Build Coastguard Worker const uint32_t kMaxJPXFuzzSize = 100 * 1024 * 1024;  // 100 MB
17*3ac0a46fSAndroid Build Coastguard Worker 
CheckImageSize(const CJPX_Decoder::JpxImageInfo & image_info)18*3ac0a46fSAndroid Build Coastguard Worker bool CheckImageSize(const CJPX_Decoder::JpxImageInfo& image_info) {
19*3ac0a46fSAndroid Build Coastguard Worker   static constexpr uint32_t kMemLimitBytes = 1024 * 1024 * 1024;  // 1 GB.
20*3ac0a46fSAndroid Build Coastguard Worker   FX_SAFE_UINT32 mem = image_info.width;
21*3ac0a46fSAndroid Build Coastguard Worker   mem *= image_info.height;
22*3ac0a46fSAndroid Build Coastguard Worker   mem *= image_info.channels;
23*3ac0a46fSAndroid Build Coastguard Worker   return mem.IsValid() && mem.ValueOrDie() <= kMemLimitBytes;
24*3ac0a46fSAndroid Build Coastguard Worker }
25*3ac0a46fSAndroid Build Coastguard Worker 
26*3ac0a46fSAndroid Build Coastguard Worker }  // namespace
27*3ac0a46fSAndroid Build Coastguard Worker 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)28*3ac0a46fSAndroid Build Coastguard Worker extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
29*3ac0a46fSAndroid Build Coastguard Worker   if (size < 2)
30*3ac0a46fSAndroid Build Coastguard Worker     return 0;
31*3ac0a46fSAndroid Build Coastguard Worker 
32*3ac0a46fSAndroid Build Coastguard Worker   std::unique_ptr<CJPX_Decoder> decoder = CJPX_Decoder::Create(
33*3ac0a46fSAndroid Build Coastguard Worker       {data + 2, size - 2},
34*3ac0a46fSAndroid Build Coastguard Worker       static_cast<CJPX_Decoder::ColorSpaceOption>(data[0] % 3), data[1]);
35*3ac0a46fSAndroid Build Coastguard Worker   if (!decoder)
36*3ac0a46fSAndroid Build Coastguard Worker     return 0;
37*3ac0a46fSAndroid Build Coastguard Worker 
38*3ac0a46fSAndroid Build Coastguard Worker   // A call to StartDecode could be too expensive if image size is very big, so
39*3ac0a46fSAndroid Build Coastguard Worker   // check size before calling StartDecode().
40*3ac0a46fSAndroid Build Coastguard Worker   CJPX_Decoder::JpxImageInfo image_info = decoder->GetInfo();
41*3ac0a46fSAndroid Build Coastguard Worker   if (!CheckImageSize(image_info))
42*3ac0a46fSAndroid Build Coastguard Worker     return 0;
43*3ac0a46fSAndroid Build Coastguard Worker 
44*3ac0a46fSAndroid Build Coastguard Worker   if (!decoder->StartDecode())
45*3ac0a46fSAndroid Build Coastguard Worker     return 0;
46*3ac0a46fSAndroid Build Coastguard Worker 
47*3ac0a46fSAndroid Build Coastguard Worker   // StartDecode() could change image size, so check again.
48*3ac0a46fSAndroid Build Coastguard Worker   image_info = decoder->GetInfo();
49*3ac0a46fSAndroid Build Coastguard Worker   if (!CheckImageSize(image_info))
50*3ac0a46fSAndroid Build Coastguard Worker     return 0;
51*3ac0a46fSAndroid Build Coastguard Worker 
52*3ac0a46fSAndroid Build Coastguard Worker   FXDIB_Format format;
53*3ac0a46fSAndroid Build Coastguard Worker   if (image_info.channels == 1) {
54*3ac0a46fSAndroid Build Coastguard Worker     format = FXDIB_Format::k8bppRgb;
55*3ac0a46fSAndroid Build Coastguard Worker   } else if (image_info.channels <= 3) {
56*3ac0a46fSAndroid Build Coastguard Worker     format = FXDIB_Format::kRgb;
57*3ac0a46fSAndroid Build Coastguard Worker   } else if (image_info.channels == 4) {
58*3ac0a46fSAndroid Build Coastguard Worker     format = FXDIB_Format::kRgb32;
59*3ac0a46fSAndroid Build Coastguard Worker   } else {
60*3ac0a46fSAndroid Build Coastguard Worker     image_info.width = (image_info.width * image_info.channels + 2) / 3;
61*3ac0a46fSAndroid Build Coastguard Worker     format = FXDIB_Format::kRgb;
62*3ac0a46fSAndroid Build Coastguard Worker   }
63*3ac0a46fSAndroid Build Coastguard Worker   auto bitmap = pdfium::MakeRetain<CFX_DIBitmap>();
64*3ac0a46fSAndroid Build Coastguard Worker   if (!bitmap->Create(image_info.width, image_info.height, format))
65*3ac0a46fSAndroid Build Coastguard Worker     return 0;
66*3ac0a46fSAndroid Build Coastguard Worker 
67*3ac0a46fSAndroid Build Coastguard Worker   if (bitmap->GetHeight() <= 0 ||
68*3ac0a46fSAndroid Build Coastguard Worker       kMaxJPXFuzzSize / bitmap->GetPitch() <
69*3ac0a46fSAndroid Build Coastguard Worker           static_cast<uint32_t>(bitmap->GetHeight()))
70*3ac0a46fSAndroid Build Coastguard Worker     return 0;
71*3ac0a46fSAndroid Build Coastguard Worker 
72*3ac0a46fSAndroid Build Coastguard Worker   decoder->Decode(bitmap->GetWritableBuffer(), bitmap->GetPitch(),
73*3ac0a46fSAndroid Build Coastguard Worker                   /*swap_rgb=*/false, GetCompsFromFormat(format));
74*3ac0a46fSAndroid Build Coastguard Worker 
75*3ac0a46fSAndroid Build Coastguard Worker   return 0;
76*3ac0a46fSAndroid Build Coastguard Worker }
77