xref: /aosp_15_r20/external/webp/tests/fuzzer/animdecoder_fuzzer.cc (revision b2055c353e87c8814eb2b6b1b11112a1562253bd) 
1 // Copyright 2020 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //      http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16 
17 #include <cstddef>
18 #include <cstdint>
19 
20 #include "imageio/imageio_util.h"
21 #include "src/webp/decode.h"
22 #include "src/webp/demux.h"
23 #include "src/webp/mux_types.h"
24 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)25 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
26   // WebPAnimDecoderGetInfo() is too late to check the canvas size as
27   // WebPAnimDecoderNew() will handle the allocations.
28   const size_t kMaxNumBytes = 2684354560;  // RSS (resident set size) limit.
29   const size_t kMaxNumPixels = kMaxNumBytes / 4;       // At most ARGB.
30   const size_t kMaxNumPixelsSafe = kMaxNumPixels / 2;  // Allow one buffer copy.
31   WebPBitstreamFeatures features;
32   if (WebPGetFeatures(data, size, &features) == VP8_STATUS_OK) {
33     if (!ImgIoUtilCheckSizeArgumentsOverflow(features.width * 4,
34                                              features.height) ||
35         static_cast<size_t>(features.width) * features.height >
36             kMaxNumPixelsSafe) {
37       return 0;
38     }
39   }
40 
41   // decode everything as an animation
42   WebPData webp_data = {data, size};
43   WebPAnimDecoder* const dec = WebPAnimDecoderNew(&webp_data, nullptr);
44   if (dec == nullptr) return 0;
45 
46   WebPAnimInfo info;
47   if (!WebPAnimDecoderGetInfo(dec, &info)) goto End;
48   if (!ImgIoUtilCheckSizeArgumentsOverflow(info.canvas_width * 4,
49                                            info.canvas_height)) {
50     goto End;
51   }
52 
53   while (WebPAnimDecoderHasMoreFrames(dec)) {
54     uint8_t* buf;
55     int timestamp;
56     if (!WebPAnimDecoderGetNext(dec, &buf, &timestamp)) break;
57   }
58 End:
59   WebPAnimDecoderDelete(dec);
60   return 0;
61 }
62