180 lines
5.3 KiB
C++
180 lines
5.3 KiB
C++
/* Copyright (c) 1988-1997 Sam Leffler
|
|
* Copyright (c) 1991-1997 Silicon Graphics, Inc.
|
|
*
|
|
* Permission to use, copy, modify, distribute, and sell this software and
|
|
* its documentation for any purpose is hereby granted without fee, provided
|
|
* that (i) the above copyright notices and this permission notice appear in
|
|
* all copies of the software and related documentation, and (ii) the names of
|
|
* Sam Leffler and Silicon Graphics may not be used in any advertising or
|
|
* publicity relating to the software without the specific, prior written
|
|
* permission of Sam Leffler and Silicon Graphics.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
|
|
* EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
|
|
* WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
*
|
|
* IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR
|
|
* ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND,
|
|
* OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
|
|
* WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF
|
|
* LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
|
|
* OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#include <cstdint>
|
|
#include <cstdlib>
|
|
#include <cstring>
|
|
#include <sstream>
|
|
#include <tiffio.h>
|
|
#include <tiffio.hxx>
|
|
|
|
|
|
/* stolen from tiffiop.h, which is a private header so we can't just include it */
|
|
/* safe multiply returns either the multiplied value or 0 if it overflowed */
|
|
#define __TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
|
|
|
|
const uint64 MAX_SIZE = 500000000;
|
|
|
|
extern "C" void handle_error(const char *unused, const char *unused2, va_list unused3) {
|
|
return;
|
|
}
|
|
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
|
#ifndef STANDALONE
|
|
TIFFSetErrorHandler(handle_error);
|
|
TIFFSetWarningHandler(handle_error);
|
|
#endif
|
|
#if defined(__has_feature)
|
|
# if __has_feature(memory_sanitizer)
|
|
// libjpeg-turbo has issues with MSAN and SIMD code
|
|
// See https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7547
|
|
// and https://github.com/libjpeg-turbo/libjpeg-turbo/pull/365
|
|
setenv("JSIMD_FORCENONE" ,"1", 1);
|
|
# endif
|
|
#endif
|
|
std::istringstream s(std::string(Data,Data+Size));
|
|
TIFF* tif = TIFFStreamOpen("MemTIFF", &s);
|
|
if (!tif) {
|
|
return 0;
|
|
}
|
|
uint32 w, h;
|
|
uint32* raster;
|
|
|
|
TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &w);
|
|
TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &h);
|
|
/* don't continue if file size is ludicrous */
|
|
if (TIFFTileSize64(tif) > MAX_SIZE) {
|
|
TIFFClose(tif);
|
|
return 0;
|
|
}
|
|
uint64 bufsize = TIFFTileSize64(tif);
|
|
/* don't continue if the buffer size greater than the max allowed by the fuzzer */
|
|
if (bufsize > MAX_SIZE || bufsize == 0) {
|
|
TIFFClose(tif);
|
|
return 0;
|
|
}
|
|
/* another hack to work around an OOM in tif_fax3.c */
|
|
uint32 tilewidth = 0;
|
|
uint32 imagewidth = 0;
|
|
TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tilewidth);
|
|
TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &imagewidth);
|
|
tilewidth = __TIFFSafeMultiply(uint32, tilewidth, 2);
|
|
imagewidth = __TIFFSafeMultiply(uint32, imagewidth, 2);
|
|
if (tilewidth * 2 > MAX_SIZE || imagewidth * 2 > MAX_SIZE || tilewidth == 0 || imagewidth == 0) {
|
|
TIFFClose(tif);
|
|
return 0;
|
|
}
|
|
uint32 size = __TIFFSafeMultiply(uint32, w, h);
|
|
if (size > MAX_SIZE || size == 0) {
|
|
TIFFClose(tif);
|
|
return 0;
|
|
}
|
|
raster = (uint32*) _TIFFmalloc(size * sizeof (uint32));
|
|
if (raster != NULL) {
|
|
TIFFReadRGBAImage(tif, w, h, raster, 0);
|
|
_TIFFfree(raster);
|
|
}
|
|
TIFFClose(tif);
|
|
|
|
return 0;
|
|
}
|
|
|
|
#ifdef STANDALONE
|
|
|
|
template<class T> static void CPL_IGNORE_RET_VAL(T) {}
|
|
|
|
static void Usage(int, char* argv[])
|
|
{
|
|
fprintf(stderr, "%s [--help] [-repeat N] filename.\n", argv[0]);
|
|
exit(1);
|
|
}
|
|
|
|
int main(int argc, char* argv[])
|
|
{
|
|
int nRet = 0;
|
|
void* buf = NULL;
|
|
int nLen = 0;
|
|
int nLoops = 1;
|
|
const char* pszFilename = NULL;
|
|
|
|
for(int i = 1; i < argc; i++ )
|
|
{
|
|
if( i + 1 < argc && strcmp(argv[i], "-repeat") == 0 )
|
|
{
|
|
nLoops = atoi(argv[i+1]);
|
|
i++;
|
|
}
|
|
else if( strcmp(argv[i], "-dummy") == 0 )
|
|
{
|
|
uint8_t dummy = ' ';
|
|
return LLVMFuzzerTestOneInput(&dummy, 1);
|
|
}
|
|
else if( strcmp(argv[i], "--help") == 0 )
|
|
{
|
|
Usage(argc, argv);
|
|
}
|
|
else if( argv[i][0] == '-' )
|
|
{
|
|
fprintf(stderr, "Unrecognized option: %s", argv[i]);
|
|
Usage(argc, argv);
|
|
}
|
|
else
|
|
{
|
|
pszFilename = argv[i];
|
|
}
|
|
}
|
|
if( pszFilename == nullptr )
|
|
{
|
|
fprintf(stderr, "No filename specified\n");
|
|
Usage(argc, argv);
|
|
}
|
|
FILE* f = fopen(pszFilename, "rb");
|
|
if( !f )
|
|
{
|
|
fprintf(stderr, "%s does not exist.\n", pszFilename);
|
|
exit(1);
|
|
}
|
|
fseek(f, 0, SEEK_END);
|
|
nLen = (int)ftell(f);
|
|
fseek(f, 0, SEEK_SET);
|
|
buf = malloc(nLen);
|
|
if( !buf )
|
|
{
|
|
fprintf(stderr, "malloc failed.\n");
|
|
fclose(f);
|
|
exit(1);
|
|
}
|
|
CPL_IGNORE_RET_VAL(fread(buf, nLen, 1, f));
|
|
fclose(f);
|
|
for( int i = 0; i < nLoops; i++ )
|
|
{
|
|
nRet = LLVMFuzzerTestOneInput(static_cast<const uint8_t*>(buf), nLen);
|
|
if( nRet != 0 )
|
|
break;
|
|
}
|
|
free(buf);
|
|
return nRet;
|
|
}
|
|
|
|
#endif
|