#ifdef __cplusplus
extern "C" {
#endif
#include <fcntl.h>
#include <inttypes.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <libhfuzz/libhfuzz.h>
#include "png.h"
#include "pngpriv.h"
#include "pngstruct.h"
#if defined(__clang__)
#if __has_feature(memory_sanitizer)
#include <sanitizer/msan_interface.h>
#endif /* __has_feature(memory_sanitizer) */
#endif /* defined(__clang__) */
void fatal(const char* s, ...)
{
va_list args;
va_start(args, s);
vfprintf(stderr, s, args);
fprintf(stderr, "\n");
va_end(args);
_exit(EXIT_FAILURE);
}
typedef struct {
const uint8_t* ptr;
size_t len;
size_t off;
} user_file_t;
size_t total_alloc = 0ULL;
int null_fd = -1;
void png_user_read_data(png_structp png_ptr, png_bytep data, png_size_t length)
{
#if defined(__clang__)
#if __has_feature(memory_sanitizer)
__msan_poison(data, length);
#endif /* __has_feature(memory_sanitizer) */
#endif /* defined(__clang__) */
user_file_t* f = (user_file_t*)png_ptr->io_ptr;
if (length > f->len) {
png_error(png_ptr, "Read Error");
return;
}
memcpy(data, &f->ptr[f->off], length);
f->len -= length;
f->off += length;
}
int LLVMFuzzerInitialize(int* argc, char*** argv)
{
null_fd = open("/dev/null", O_WRONLY);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t* buf, size_t len)
{
png_structp png_ptr = NULL;
png_infop info_ptr = NULL;
total_alloc = 0ULL;
png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
if (!png_ptr) {
fatal("png_create_read_struct");
}
info_ptr = png_create_info_struct(png_ptr);
if (!info_ptr) {
png_destroy_read_struct(&png_ptr, (png_infopp)NULL, (png_infopp)NULL);
fatal("png_create_info_struct()");
}
if (setjmp(png_jmpbuf(png_ptr))) {
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
return 0;
}
png_set_crc_action(png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
png_set_user_limits(png_ptr, 10000U, 10000U);
png_set_chunk_cache_max(png_ptr, 1024ULL * 1024ULL * 64ULL);
png_set_chunk_malloc_max(png_ptr, 1024ULL * 1024ULL * 128ULL);
user_file_t f = {
.ptr = buf,
.len = len,
.off = 0UL,
};
png_set_read_fn(png_ptr, (void*)&f, png_user_read_data);
png_read_png(png_ptr, info_ptr, ~(0), NULL);
png_bytepp row_pointers = png_get_rows(png_ptr, info_ptr);
png_uint_32 row_bytes = png_get_rowbytes(png_ptr, info_ptr);
png_uint_32 height = png_get_image_height(png_ptr, info_ptr);
for (png_uint_32 i = 0; i < height; i++) {
write(null_fd, row_pointers[i], row_bytes);
}
/* Addtional API calls */
png_uint_32 width, ret, res_x, res_y;
double file_gamma;
png_uint_16p hist;
int bit_depth, color_type, interlace_method, compression_method, filter_method, unit_type, num_palette, num_text;
png_textp text_ptr;
png_colorp palette;
png_timep mod_time;
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_method,
&compression_method, &filter_method);
ret = png_get_gAMA(png_ptr, info_ptr, &file_gamma);
ret = png_get_hIST(png_ptr, info_ptr, &hist);
ret = png_get_pHYs(png_ptr, info_ptr, &res_x, &res_y, &unit_type);
ret = png_get_PLTE(png_ptr, info_ptr, &palette, &num_palette);
ret = png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
ret = png_get_tIME(png_ptr, info_ptr, &mod_time);
png_voidp vp = png_get_progressive_ptr(png_ptr);
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
return 0;
}
#ifdef __cplusplus
}
#endif