1 /*
2 * Copyright 2018 Google LLC
3 *
4 * Use of this source code is governed by a BSD-style license that can be
5 * found in the LICENSE file.
6 */
7
8 #include "fuzz/Fuzz.h"
9 #include "include/core/SkBitmap.h"
10 #include "include/core/SkImage.h"
11 #include "include/core/SkImageInfo.h"
12 #include "include/core/SkPixmap.h"
13 #include "include/core/SkStream.h"
14 #include "include/encode/SkJpegEncoder.h"
15 #include "include/encode/SkPngEncoder.h"
16 #include "include/encode/SkWebpEncoder.h"
17 #include "src/base/SkRandom.h"
18 #include "src/core/SkOSFile.h"
19
20 #include <vector>
21
22 // These values were picked arbitrarily to hopefully limit the size of the
23 // serialized SkPixmaps.
24 constexpr int MAX_WIDTH = 512;
25 constexpr int MAX_HEIGHT = 512;
26
make_fuzzed_bitmap(Fuzz * fuzz)27 static SkBitmap make_fuzzed_bitmap(Fuzz* fuzz) {
28 SkBitmap bm;
29 uint32_t w, h;
30 fuzz->nextRange(&w, 1, MAX_WIDTH);
31 fuzz->nextRange(&h, 1, MAX_HEIGHT);
32 if (!bm.tryAllocPixels(SkImageInfo::MakeN32Premul(w, h))) {
33 return bm;
34 }
35 uint32_t n = w * h;
36 fuzz->nextN((SkPMColor*)bm.getPixels(), n);
37 return bm;
38 }
39
DEF_FUZZ(PNGEncoder,fuzz)40 DEF_FUZZ(PNGEncoder, fuzz) {
41 auto bm = make_fuzzed_bitmap(fuzz);
42
43 auto opts = SkPngEncoder::Options{};
44 fuzz->nextRange(&opts.fZLibLevel, 0, 9);
45
46 SkDynamicMemoryWStream dest;
47 SkPngEncoder::Encode(&dest, bm.pixmap(), opts);
48 }
49
DEF_FUZZ(JPEGEncoder,fuzz)50 DEF_FUZZ(JPEGEncoder, fuzz) {
51 auto bm = make_fuzzed_bitmap(fuzz);
52
53 auto opts = SkJpegEncoder::Options{};
54 fuzz->nextRange(&opts.fQuality, 0, 100);
55
56 SkDynamicMemoryWStream dest;
57 (void)SkJpegEncoder::Encode(&dest, bm.pixmap(), opts);
58 }
59
DEF_FUZZ(WEBPEncoder,fuzz)60 DEF_FUZZ(WEBPEncoder, fuzz) {
61 auto bm = make_fuzzed_bitmap(fuzz);
62
63 auto opts = SkWebpEncoder::Options{};
64 fuzz->nextRange(&opts.fQuality, 0.0f, 100.0f);
65 bool lossy;
66 fuzz->next(&lossy);
67 if (lossy) {
68 opts.fCompression = SkWebpEncoder::Compression::kLossy;
69 } else {
70 opts.fCompression = SkWebpEncoder::Compression::kLossless;
71 }
72
73 SkDynamicMemoryWStream dest;
74 (void)SkWebpEncoder::Encode(&dest, bm.pixmap(), opts);
75 }
76
77 // Not a real fuzz endpoint, but a helper to take in real, good images
78 // and dump out a corpus for this fuzzer.
DEF_FUZZ(_MakeEncoderCorpus,fuzz)79 DEF_FUZZ(_MakeEncoderCorpus, fuzz) {
80 sk_sp<SkData> bytes = SkData::MakeWithoutCopy(fuzz->fData, fuzz->fSize);
81 SkDebugf("bytes %zu\n", bytes->size());
82 auto img = SkImages::DeferredFromEncodedData(bytes);
83 if (nullptr == img.get()) {
84 SkDebugf("invalid image, could not decode\n");
85 return;
86 }
87 if (img->width() > MAX_WIDTH || img->height() > MAX_HEIGHT) {
88 SkDebugf("Too big (%d x %d)\n", img->width(), img->height());
89 return;
90 }
91 std::vector<int32_t> dstPixels;
92 int rowBytes = img->width() * 4;
93 dstPixels.resize(img->height() * rowBytes);
94 SkPixmap pm(SkImageInfo::MakeN32Premul(img->width(), img->height()),
95 &dstPixels.front(), rowBytes);
96 if (!img->readPixels(nullptr, pm, 0, 0)) {
97 SkDebugf("Could not read pixmap\n");
98 return;
99 }
100
101 SkString s("./encoded_corpus/enc_");
102 static SkRandom rand;
103 s.appendU32(rand.nextU());
104 auto file = sk_fopen(s.c_str(), SkFILE_Flags::kWrite_SkFILE_Flag);
105 if (!file) {
106 SkDebugf("Can't initialize file\n");
107 return;
108 }
109 auto total = pm.info().bytesPerPixel() * pm.width() * pm.height();
110 SkDebugf("Writing %d (%d x %d) bytes\n", total, pm.width(), pm.height());
111 // Write out the size in two bytes since that's what the fuzzer will
112 // read first.
113 uint32_t w = pm.width();
114 sk_fwrite(&w, sizeof(uint32_t), file);
115 uint32_t h = pm.height();
116 sk_fwrite(&h, sizeof(uint32_t), file);
117 sk_fwrite(pm.addr(), total, file);
118 sk_fclose(file);
119 }
120