authorJay Berkenbilt <ejb@ql.org>2019-06-23 20:31:35 +0200
committerJay Berkenbilt <ejb@ql.org>2019-06-23 21:37:21 +0200
commit0ae344d002755d1f218fe4fbd818a814bc3ebdbc (patch)
treea4a9205045c43caaf51e7ceccd5edb222c8af657 /fuzz
parent43ff34b49c55f03d8613e3cefd405d3c64dc354a (diff)
downloadqpdf-0ae344d002755d1f218fe4fbd818a814bc3ebdbc.tar.zst
Add fuzzers to exercise specific pipeline classes
Diffstat (limited to 'fuzz')
-rw-r--r--fuzz/ascii85_fuzzer.cc52
-rw-r--r--fuzz/ascii85_fuzzer_seed_corpus/a0113b6bc9b18c0d120bdf79f10a4928dc6fc90843
-rw-r--r--fuzz/build.mk16
-rw-r--r--fuzz/dct_fuzzer.cc52
-rw-r--r--fuzz/dct_fuzzer_seed_corpus/4255e4e69733376eb7681d1aad44d39252ae4a75bin0 -> 2951 bytes
-rw-r--r--fuzz/flate_fuzzer.cc52
-rw-r--r--fuzz/flate_fuzzer_seed_corpus/de72db41219fa2fc5113b4634a7c2bb437d48938bin0 -> 147 bytes
-rw-r--r--fuzz/hex_fuzzer.cc52
-rw-r--r--fuzz/hex_fuzzer_seed_corpus/1c43fc2a41e55a9e1cecce2013254b632f5afac470
-rw-r--r--fuzz/lzw_fuzzer.cc52
-rw-r--r--fuzz/lzw_fuzzer_seed_corpus/d95e70dee47eb085060d6e01534f7c3c17e3ae56bin0 -> 38344 bytes
-rw-r--r--fuzz/pngpredictor_fuzzer.cc52
-rw-r--r--fuzz/pngpredictor_fuzzer_seed_corpus/70ade8c4239563ca806d2d297a4e48099156c450bin0 -> 1056 bytes
-rw-r--r--fuzz/qtest/fuzz.test61
-rw-r--r--fuzz/runlength_fuzzer.cc52
-rw-r--r--fuzz/runlength_fuzzer_seed_corpus/075cf1366a47754ffc0f59797ecd60eb221c8a0dbin0 -> 275 bytes
-rw-r--r--fuzz/runlength_fuzzer_seed_corpus/0928451e068252ef8f3d1878a5c1f81b86dc9eb81
-rw-r--r--fuzz/runlength_fuzzer_seed_corpus/4354588bbf0979da3b05eb7cadd13b74141ad49c1
-rw-r--r--fuzz/runlength_fuzzer_seed_corpus/4ffb8ea47113554fbac0d5ba533838e3dd7aa23a1
-rw-r--r--fuzz/runlength_fuzzer_seed_corpus/b307a53d7d354fe2dbd4b13dca43ddacfaea91e11
-rw-r--r--fuzz/runlength_fuzzer_seed_corpus/c78ebd3c85a39a596d9f5cfd2b8d240bc1b9c1251
-rw-r--r--fuzz/tiffpredictor_fuzzer.cc53
-rw-r--r--fuzz/tiffpredictor_fuzzer_seed_corpus/9c848d2c383eb26a026d0b4428421c5e43c2d7b9bin0 -> 48 bytes
23 files changed, 594 insertions, 18 deletions
diff --git a/fuzz/ascii85_fuzzer.cc b/fuzz/ascii85_fuzzer.cc
new file mode 100644
index 00000000..40422e5b
--- /dev/null
+++ b/fuzz/ascii85_fuzzer.cc
@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_ASCII85Decoder.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+ public:
+ FuzzHelper(unsigned char const* data, size_t size);
+ void run();
+
+ private:
+ void doChecks();
+
+ unsigned char const* data;
+ size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+ data(data),
+ size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+ Pl_Discard discard;
+ Pl_ASCII85Decoder p("decode", &discard);
+ p.write(const_cast<unsigned char*>(data), size);
+ p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+ try
+ {
+ doChecks();
+ }
+ catch (std::runtime_error const& e)
+ {
+ std::cerr << "runtime_error: " << e.what() << std::endl;
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+ FuzzHelper f(data, size);
+ f.run();
+ return 0;
+}
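Review bot: `p.write(const_cast<unsigned char*>(data), size);` in doChecks strips the const that the fuzzing engine places on its input buffer, so if any pipeline stage ever touches its input in place the harness would be modifying memory it promised not to, and a crash would be attributed to the library rather than to the harness. I can't tell from here whether any of these stages write to the input, but copying it first removes the question at negligible cost: `std::vector<unsigned char> buf(data, data + size);` followed by `p.write(buf.data(), size);`, with `#include <vector>` added to the header block. The same cast appears in dct_fuzzer.cc, flate_fuzzer.cc, hex_fuzzer.cc, lzw_fuzzer.cc, pngpredictor_fuzzer.cc, runlength_fuzzer.cc and tiffpredictor_fuzzer.cc.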
diff --git a/fuzz/ascii85_fuzzer_seed_corpus/a0113b6bc9b18c0d120bdf79f10a4928dc6fc908 b/fuzz/ascii85_fuzzer_seed_corpus/a0113b6bc9b18c0d120bdf79f10a4928dc6fc908
new file mode 100644
index 00000000..0237ac51
--- /dev/null
+++ b/fuzz/ascii85_fuzzer_seed_corpus/a0113b6bc9b18c0d120bdf79f10a4928dc6fc908
@@ -0,0 +1,43 @@
+70!<9iWTSm7K<E>iWTSm7fWNCiWTSm8,rWHiWTSm8H8`MiWTSm8cSiRiWTSm
+9)nrWiWTSm9E5&\iWTSm9`P/aiWTSm:&k8fiWTSm:B1AkiWTSm:]LJpiWTSm
+;#gSuiWTSm;?-]%iWTSm;ZHf*iWTSm;uco/iWTSm<<*#4iWTSm<WE,9iWTSm
+<r`5>iWTSm=9&>CiWTSm=TAGHiWTSm=o\P&M<.ZglicMP!!!"'J]"ig!<A%A
+q#CBoL!k&HkhZ:>!9c9E!!)4J#6=g,>KOe_2$i.E#lc1Zi<9Je!!!$!,nT#=
+#\X2<!!)9As8W-!,o#;A#\XJD!!)91s8W-!,oGSE#\XbL!!)9!s8W-!,okkI
+#\Y%T!!)8fs8W-!,p;.M#\Y=\!!)8Vs8W-!,p_FQ#\YUd!!)8Fs8W-!,q.^U
+#\Yml!!)86s8W-!,qS!Y#\Z0t!!)8&s8W-!,r"9]#\ZI'!!)7ks8W-!,rFQa
+#\Za/!!)7[s8W-!,rjie#\[$7!!)7Ks8W-!,s:,i#\[<?!!)7;s8W-!,s^Dm
+#\[TG!!)7+s8W-!,t-\q#\[lO!!)6ps8W-!,tQtu#\\/W!!)6`s8W-!,u!8$
+#\\G_!!)9Qrr<#u,uEP(#\\_g!!)9Arr<#u,uih,#\]"o!!)91rr<#u-!9+0
+#\];"!!)9!rr<#u-!]C4#\]S*!!)8frr<#u-",[8#\]k2!!)8Vrr<#u-"Ps<
+#\^.:!!)8Frr<#u-"u6@#\^FB!!)86rr<#u-#DND#\^^J!!)8&rr<#u-#hfH
+#\_!R!!)7krr<#u-$8)L#\_9Z!!)7[rr<#u-$\AP#\_Qb!!)7Krr<#u-%+YT
+#\_ij!!)7;rr<#u-%OqX#\`,r!!)7+rr<#u-%t4\#\`E%!!)6prr<#u-&CL`
+#\`]-!!)6`rr<#u-&gdd#\`u5!!)9QrVuot-'7'h#\X2=!!)9ArVuot-'[?l
+#\XJE!!)91rVuot-(*Wp#\XbM!!)9!rVuot-(Not#\Y%U!!)8frVuot-(s3#
+#\Y=]!!)8VrVuot-)BK'#\YUe!!)8FrVuot-)fc+#\Ymm!!)86rVuot-*6&/
+#\Z0u!!)8&rVuot-*Z>3#\ZI(!!)7krVuot-+)V7#\Za0!!)7[rVuot-+Mn;
+#\[$8!!)7KrVuot-+r1?#\[<@!!)7;rVuot-,AIC#\[TH!!)7+rVuot-,eaG
+#\[lP!!)6prVuot--5$K#\\/X!!)6`rVuot--Y<O#\\G`!!)9Qr;Zfs-.(TS
+#\\_h!!)9Ar;Zfs-.LlW#\]"p!!)91r;Zfs-.q/[#\];#!!)9!r;Zfs-/@G_
+#\]S+!!)8fr;Zfs-/d_c#\]k3!!)8Vr;Zfs-04"g#\^.;!!)8Fr;Zfs-0X:k
+#\^FC!!)86r;Zfs-1'Ro#\^^K!!)8&r;Zfs-1Kjs#\_!S!!)7kr;Zfs-1p."
+#\_9[!!)7[r;Zfs-2?F&#\_Qc!!)7Kr;Zfs-2c^*#\_ik!!)7;r;Zfs,llp.
+#\`,s!!)7+r;Zfs,m<32#\`E&!!)6pr;Zfs,m`K6#\`].!!)6`r;Zfs,n/c:
+#\`u6!!)9Qqu?]r,nT&>#\X2>!!)9Aqu?]r,o#>B#\XJF!!)91qu?]r,oGVF
+#\XbN!!)9!qu?]r,oknJ#\Y%V!!)8fqu?]r,p;1N#\Y=^!!)8Vqu?]r,p_IR
+#\YUf!!)8Fqu?]r,q.aV#\Ymn!!)86qu?]r,qS$Z#\Z1!!!)8&qu?]r,r"<^
+#\ZI)!!)7kqu?]r,rFTb#\Za1!!)7[qu?]r,rjlf#\[$9!!)7Kqu?]r,s:/j
+#\[<A!!)7;qu?]r,s^Gn#\[TI!!)7+qu?]r,t-_r#\[lQ!!)6pqu?]r,tR#!
+#\\/Y!!)6`qu?]r,u!;%#\\Ga!!)9QqZ$Tq,uES)#\\_i!!)9AqZ$Tq,uik-
+#\]"q!!)91qZ$Tq-!9.1#\];$!!)9!qZ$Tq-!]F5#\]S,!!)8fqZ$Tq-",^9
+#\]k4!!)8VqZ$Tq-"Q!=#\^.<!!)8FqZ$Tq-"u9A#\^FD!!)86qZ$Tq-#DQE
+#\^^L!!)8&qZ$Tq-#hiI#\_!T!!)7kqZ$Tq-$8,M#\_9\!!)7[qZ$Tq-$\DQ
+#\_Qd!!)7KqZ$Qqzz!!!!Rm9YY.KB2Mu<)RB0Rfs(2&=Wh/;-%B"jobtRPPb
+C[oT5/rOH>QcOH>QcOH>Q(M<0BV#_5(Ziro\gF:@ITK>7VbLuJRDs3dTsiWT
+UG&;APTlc'+Liro\hahs3?M<0BV#b_gf"UKgtF:u(`!!!"Q^iTn'"=+Q:"UP
+.Tahs4%OH>QcOH>QcOH>Q(M<0BV(lLfgMbOV<:]u[VM+f0#a$_0]zM,Y`'M$
+,*fQi6sbahs4"F=$ufM<0BV#`0NHMd6aJF<h!IFU3mu"H-:`MZts>1!q`($,
+La&Mb=>67L4oV%#\-p0uu*'$.'3I^kop\iW4rW,`0m+F<h!Gls7MgF=%!]+Q
+Wb4<Jfgk^i]p@70oY2jTPoq_i8g>NP$V=!!!"m+QWb4<Jfgk^i^*[,io18K>
+7M_,io18?,Mb`F=$ufKYWH+F:?1n~>trailing garbage
diff --git a/fuzz/build.mk b/fuzz/build.mk
index 43b65906..44db5326 100644
--- a/fuzz/build.mk
+++ b/fuzz/build.mk
@@ -1,7 +1,16 @@
# This directory contains support for Google's oss-fuzz project. See
# https://github.com/google/oss-fuzz/tree/master/projects/qpdf
-FUZZERS = qpdf_fuzzer
+FUZZERS = \
+ qpdf_fuzzer \
+ ascii85_fuzzer \
+ dct_fuzzer \
+ flate_fuzzer \
+ hex_fuzzer \
+ lzw_fuzzer \
+ pngpredictor_fuzzer \
+ runlength_fuzzer \
+ tiffpredictor_fuzzer
DEFAULT_FUZZ_RUNNER := standalone_fuzz_target_runner
OBJ_DEFAULT_FUZZ := fuzz/$(OUTPUT_DIR)/$(DEFAULT_FUZZ_RUNNER).$(OBJ)
@@ -9,7 +18,8 @@ OBJ_DEFAULT_FUZZ := fuzz/$(OUTPUT_DIR)/$(DEFAULT_FUZZ_RUNNER).$(OBJ)
BINS_fuzz = $(foreach B,$(FUZZERS),fuzz/$(OUTPUT_DIR)/$(call binname,$(B)))
TARGETS_fuzz = $(OBJ_DEFAULT_FUZZ) $(BINS_fuzz) fuzz_corpus
-INCLUDES_fuzz = include
+# Fuzzers test private classes too, so we need libqpdf in the include path
+INCLUDES_fuzz = include libqpdf
# LIB_FUZZING_ENGINE is overridden by oss-fuzz
LIB_FUZZING_ENGINE ?= $(OBJ_DEFAULT_FUZZ)
@@ -129,6 +139,8 @@ install_fuzz: $(STATIC_BINS_fuzz)
fi; \
if test -d fuzz/$(OUTPUT_DIR)/$${B}_seed_corpus; then \
(cd fuzz/$(OUTPUT_DIR)/$${B}_seed_corpus; zip -q -r $(OUT)/$${B}_seed_corpus.zip .); \
+ elif test -d fuzz/$${B}_seed_corpus; then \
+ (cd fuzz/$${B}_seed_corpus; zip -q -r $(OUT)/$${B}_seed_corpus.zip .); \
fi; \
done
diff --git a/fuzz/dct_fuzzer.cc b/fuzz/dct_fuzzer.cc
new file mode 100644
index 00000000..450b4df2
--- /dev/null
+++ b/fuzz/dct_fuzzer.cc
@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_DCT.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+ public:
+ FuzzHelper(unsigned char const* data, size_t size);
+ void run();
+
+ private:
+ void doChecks();
+
+ unsigned char const* data;
+ size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+ data(data),
+ size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+ Pl_Discard discard;
+ Pl_DCT p("decode", &discard);
+ p.write(const_cast<unsigned char*>(data), size);
+ p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+ try
+ {
+ doChecks();
+ }
+ catch (std::runtime_error const& e)
+ {
+ std::cerr << "runtime_error: " << e.what() << std::endl;
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+ FuzzHelper f(data, size);
+ f.run();
+ return 0;
+}
diff --git a/fuzz/dct_fuzzer_seed_corpus/4255e4e69733376eb7681d1aad44d39252ae4a75 b/fuzz/dct_fuzzer_seed_corpus/4255e4e69733376eb7681d1aad44d39252ae4a75
new file mode 100644
index 00000000..3e76ddcf
--- /dev/null
+++ b/fuzz/dct_fuzzer_seed_corpus/4255e4e69733376eb7681d1aad44d39252ae4a75
Binary files differ
diff --git a/fuzz/flate_fuzzer.cc b/fuzz/flate_fuzzer.cc
new file mode 100644
index 00000000..700f7cd7
--- /dev/null
+++ b/fuzz/flate_fuzzer.cc
@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_Flate.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+ public:
+ FuzzHelper(unsigned char const* data, size_t size);
+ void run();
+
+ private:
+ void doChecks();
+
+ unsigned char const* data;
+ size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+ data(data),
+ size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+ Pl_Discard discard;
+ Pl_Flate p("decode", &discard, Pl_Flate::a_deflate);
+ p.write(const_cast<unsigned char*>(data), size);
+ p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+ try
+ {
+ doChecks();
+ }
+ catch (std::runtime_error const& e)
+ {
+ std::cerr << "runtime_error: " << e.what() << std::endl;
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+ FuzzHelper f(data, size);
+ f.run();
+ return 0;
+}
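Review bot: `Pl_Flate p("decode", &discard, Pl_Flate::a_deflate);` in doChecks runs the compressor, not the decompressor, so this harness never reaches the inflate path even though the pipeline is labelled "decode" and the commit describes these harnesses as exercising decoding of arbitrary input. Decompression of attacker-controlled streams is the side worth fuzzing, so the action should presumably be `Pl_Flate::a_inflate`; if compressing arbitrary bytes is also wanted, a second pass with `a_deflate` could be added rather than replacing it.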
diff --git a/fuzz/flate_fuzzer_seed_corpus/de72db41219fa2fc5113b4634a7c2bb437d48938 b/fuzz/flate_fuzzer_seed_corpus/de72db41219fa2fc5113b4634a7c2bb437d48938
new file mode 100644
index 00000000..79b2da1b
--- /dev/null
+++ b/fuzz/flate_fuzzer_seed_corpus/de72db41219fa2fc5113b4634a7c2bb437d48938
Binary files differ
diff --git a/fuzz/hex_fuzzer.cc b/fuzz/hex_fuzzer.cc
new file mode 100644
index 00000000..b1ad2199
--- /dev/null
+++ b/fuzz/hex_fuzzer.cc
@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_ASCIIHexDecoder.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+ public:
+ FuzzHelper(unsigned char const* data, size_t size);
+ void run();
+
+ private:
+ void doChecks();
+
+ unsigned char const* data;
+ size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+ data(data),
+ size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+ Pl_Discard discard;
+ Pl_ASCIIHexDecoder p("decode", &discard);
+ p.write(const_cast<unsigned char*>(data), size);
+ p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+ try
+ {
+ doChecks();
+ }
+ catch (std::runtime_error const& e)
+ {
+ std::cerr << "runtime_error: " << e.what() << std::endl;
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+ FuzzHelper f(data, size);
+ f.run();
+ return 0;
+}
diff --git a/fuzz/hex_fuzzer_seed_corpus/1c43fc2a41e55a9e1cecce2013254b632f5afac4 b/fuzz/hex_fuzzer_seed_corpus/1c43fc2a41e55a9e1cecce2013254b632f5afac4
new file mode 100644
index 00000000..9721a35a
--- /dev/null
+++ b/fuzz/hex_fuzzer_seed_corpus/1c43fc2a41e55a9e1cecce2013254b632f5afac4
@@ -0,0 +1,70 @@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 0000E930FCFFFFFF2500E2050868E0010000E920FCF
+FFFFF2504E2050868E8010000E910FCFFFFFF2508E2050868F0010000E9
+00FCFFFFFF250CE2050868F8010000E9F0FBFFFFFF2510E205086800020
+000E9E0FBFFFFFF2514E205086808020000E9D0FBFFFFFF2518E2050868
+10020000E9C0FBFFFFFF251CE205086818020000E9B0FBFFFFFF2520E20
+5086820020000E9A0FBFFFFFF2524E205086828020000E990FBFFFFFF25
+28E2050 8683 0020000E980FBFFFFFF252CE205086838020000E970FBFFF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>trailing farbage
diff --git a/fuzz/lzw_fuzzer.cc b/fuzz/lzw_fuzzer.cc
new file mode 100644
index 00000000..da31f41b
--- /dev/null
+++ b/fuzz/lzw_fuzzer.cc
@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_LZWDecoder.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+ public:
+ FuzzHelper(unsigned char const* data, size_t size);
+ void run();
+
+ private:
+ void doChecks();
+
+ unsigned char const* data;
+ size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+ data(data),
+ size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+ Pl_Discard discard;
+ Pl_LZWDecoder p("decode", &discard, false);
+ p.write(const_cast<unsigned char*>(data), size);
+ p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+ try
+ {
+ doChecks();
+ }
+ catch (std::runtime_error const& e)
+ {
+ std::cerr << "runtime_error: " << e.what() << std::endl;
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+ FuzzHelper f(data, size);
+ f.run();
+ return 0;
+}
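Review bot: `Pl_LZWDecoder p("decode", &discard, false);` in doChecks pins the early-code-change flag to false, so the other decoder variant is never exercised by this harness and any defect that only appears with the flag set stays invisible. Running both variants on every input is the simplest fix and keeps the seed corpus unchanged, e.g. wrap the body in `for (bool early_code_change : {false, true})` and pass `early_code_change` as the third constructor argument.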
diff --git a/fuzz/lzw_fuzzer_seed_corpus/d95e70dee47eb085060d6e01534f7c3c17e3ae56 b/fuzz/lzw_fuzzer_seed_corpus/d95e70dee47eb085060d6e01534f7c3c17e3ae56
new file mode 100644
index 00000000..5109c45a
--- /dev/null
+++ b/fuzz/lzw_fuzzer_seed_corpus/d95e70dee47eb085060d6e01534f7c3c17e3ae56
Binary files differ
diff --git a/fuzz/pngpredictor_fuzzer.cc b/fuzz/pngpredictor_fuzzer.cc
new file mode 100644
index 00000000..8a8c5d7d
--- /dev/null
+++ b/fuzz/pngpredictor_fuzzer.cc
@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_PNGFilter.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+ public:
+ FuzzHelper(unsigned char const* data, size_t size);
+ void run();
+
+ private:
+ void doChecks();
+
+ unsigned char const* data;
+ size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+ data(data),
+ size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+ Pl_Discard discard;
+ Pl_PNGFilter p("decode", &discard, Pl_PNGFilter::a_decode, 32, 1, 8);
+ p.write(const_cast<unsigned char*>(data), size);
+ p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+ try
+ {
+ doChecks();
+ }
+ catch (std::runtime_error const& e)
+ {
+ std::cerr << "runtime_error: " << e.what() << std::endl;
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+ FuzzHelper f(data, size);
+ f.run();
+ return 0;
+}
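Review bot: `Pl_PNGFilter p("decode", &discard, Pl_PNGFilter::a_decode, 32, 1, 8);` in doChecks fixes the row geometry (presumably columns, samples per pixel and bits per sample) to a single shape, so the filter's handling of multi-byte samples, multi-component pixels and other row widths is not reached no matter what the fuzzer generates. Deriving those three values from the first input bytes, or iterating a short list of shapes inside doChecks, would cover the predictor code paths that depend on the bytes-per-pixel computation. tiffpredictor_fuzzer.cc has the same restriction with `16, 1, 8`.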
diff --git a/fuzz/pngpredictor_fuzzer_seed_corpus/70ade8c4239563ca806d2d297a4e48099156c450 b/fuzz/pngpredictor_fuzzer_seed_corpus/70ade8c4239563ca806d2d297a4e48099156c450
new file mode 100644
index 00000000..ad8c632b
--- /dev/null
+++ b/fuzz/pngpredictor_fuzzer_seed_corpus/70ade8c4239563ca806d2d297a4e48099156c450
Binary files differ
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index 9b824306..dcc68270 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -9,30 +9,59 @@ require TestDriver;
my $td = new TestDriver('fuzz');
-my @files = glob("../build/qpdf_fuzzer_seed_corpus/*");
-my $n_test_files = 29;
-my $n_orig_files = 2559;
-my $n_files = $n_test_files + $n_orig_files;
+my $qpdf_n_test_files = 29;
+my $qpdf_n_orig_files = 2559;
+my $qpdf_n_files = $qpdf_n_test_files + $qpdf_n_orig_files;
-if (scalar(@files) != $n_files)
+my @fuzzers = (
+ ['qpdf' => $qpdf_n_files],
+ ['ascii85' => 1],
+ ['dct' => 1],
+ ['flate' => 1],
+ ['hex' => 1],
+ ['lzw' => 1],
+ ['pngpredictor' => 1],
+ ['runlength' => 6],
+ ['tiffpredictor' => 1],
+ );
+
+my $n_tests = 0;
+# One test for each directory for file count, two tests for each file
+# in each directory
+foreach my $d (@fuzzers)
{
- die "wrong number of files seen in fuzz.test";
+ $n_tests += 1 + (2 * $d->[1]);
}
-foreach my $f (@files)
+foreach my $d (@fuzzers)
{
- my $sum = basename($f);
- $td->runtest("checksum $sum",
- {$td->STRING => get_sha1_checksum($f)},
- {$td->STRING => $sum});
- $td->runtest("fuzz check $sum",
- {$td->COMMAND => "qpdf_fuzzer $f"},
- {$td->REGEXP => ".*$f successful\n",
- $td->EXIT_STATUS => 0},
+ my $k = $d->[0];
+ my $dir = "../${k}_fuzzer_seed_corpus";
+ if (! -d $dir)
+ {
+ $dir = "../build/${k}_fuzzer_seed_corpus";
+ }
+ my @files = glob("$dir/*");
+ $td->runtest("file count for $dir",
+ {$td->STRING => scalar(@files) . "\n"},
+ {$td->STRING => $d->[1] . "\n"},
$td->NORMALIZE_NEWLINES);
+
+ foreach my $f (@files)
+ {
+ my $sum = basename($f);
+ $td->runtest("$k checksum $sum",
+ {$td->STRING => get_sha1_checksum($f)},
+ {$td->STRING => $sum});
+ $td->runtest("$k fuzz check $sum",
+ {$td->COMMAND => "${k}_fuzzer $f"},
+ {$td->REGEXP => ".*$f successful\n",
+ $td->EXIT_STATUS => 0},
+ $td->NORMALIZE_NEWLINES);
+ }
}
-$td->report(2 * $n_files);
+$td->report($n_tests);
sub get_sha1_checksum
{
diff --git a/fuzz/runlength_fuzzer.cc b/fuzz/runlength_fuzzer.cc
new file mode 100644
index 00000000..bacd3dd8
--- /dev/null
+++ b/fuzz/runlength_fuzzer.cc
@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_RunLength.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+ public:
+ FuzzHelper(unsigned char const* data, size_t size);
+ void run();
+
+ private:
+ void doChecks();
+
+ unsigned char const* data;
+ size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+ data(data),
+ size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+ Pl_Discard discard;
+ Pl_RunLength p("decode", &discard, Pl_RunLength::a_decode);
+ p.write(const_cast<unsigned char*>(data), size);
+ p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+ try
+ {
+ doChecks();
+ }
+ catch (std::runtime_error const& e)
+ {
+ std::cerr << "runtime_error: " << e.what() << std::endl;
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+ FuzzHelper f(data, size);
+ f.run();
+ return 0;
+}
diff --git a/fuzz/runlength_fuzzer_seed_corpus/075cf1366a47754ffc0f59797ecd60eb221c8a0d b/fuzz/runlength_fuzzer_seed_corpus/075cf1366a47754ffc0f59797ecd60eb221c8a0d
new file mode 100644
index 00000000..0fac6b58
--- /dev/null
+++ b/fuzz/runlength_fuzzer_seed_corpus/075cf1366a47754ffc0f59797ecd60eb221c8a0d
Binary files differ
diff --git a/fuzz/runlength_fuzzer_seed_corpus/0928451e068252ef8f3d1878a5c1f81b86dc9eb8 b/fuzz/runlength_fuzzer_seed_corpus/0928451e068252ef8f3d1878a5c1f81b86dc9eb8
new file mode 100644
index 00000000..fc26c6f6
--- /dev/null
+++ b/fuzz/runlength_fuzzer_seed_corpus/0928451e068252ef8f3d1878a5c1f81b86dc9eb8
@@ -0,0 +1 @@
+čwüqrstv€ \ No newline at end of file
diff --git a/fuzz/runlength_fuzzer_seed_corpus/4354588bbf0979da3b05eb7cadd13b74141ad49c b/fuzz/runlength_fuzzer_seed_corpus/4354588bbf0979da3b05eb7cadd13b74141ad49c
new file mode 100644
index 00000000..0c97dde2
--- /dev/null
+++ b/fuzz/runlength_fuzzer_seed_corpus/4354588bbf0979da3b05eb7cadd13b74141ad49c
@@ -0,0 +1 @@
+wabababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababab€ \ No newline at end of file
diff --git a/fuzz/runlength_fuzzer_seed_corpus/4ffb8ea47113554fbac0d5ba533838e3dd7aa23a b/fuzz/runlength_fuzzer_seed_corpus/4ffb8ea47113554fbac0d5ba533838e3dd7aa23a
new file mode 100644
index 00000000..2a645eef
--- /dev/null
+++ b/fuzz/runlength_fuzzer_seed_corpus/4ffb8ea47113554fbac0d5ba533838e3dd7aa23a
@@ -0,0 +1 @@
+~abababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababaűb€ \ No newline at end of file
diff --git a/fuzz/runlength_fuzzer_seed_corpus/b307a53d7d354fe2dbd4b13dca43ddacfaea91e1 b/fuzz/runlength_fuzzer_seed_corpus/b307a53d7d354fe2dbd4b13dca43ddacfaea91e1
new file mode 100644
index 00000000..85bb323e
--- /dev/null
+++ b/fuzz/runlength_fuzzer_seed_corpus/b307a53d7d354fe2dbd4b13dca43ddacfaea91e1
@@ -0,0 +1 @@
+čwüqrstvęx€ \ No newline at end of file
diff --git a/fuzz/runlength_fuzzer_seed_corpus/c78ebd3c85a39a596d9f5cfd2b8d240bc1b9c125 b/fuzz/runlength_fuzzer_seed_corpus/c78ebd3c85a39a596d9f5cfd2b8d240bc1b9c125
new file mode 100644
index 00000000..5416677b
--- /dev/null
+++ b/fuzz/runlength_fuzzer_seed_corpus/c78ebd3c85a39a596d9f5cfd2b8d240bc1b9c125
@@ -0,0 +1 @@
+€ \ No newline at end of file
diff --git a/fuzz/tiffpredictor_fuzzer.cc b/fuzz/tiffpredictor_fuzzer.cc
new file mode 100644
index 00000000..35d2f415
--- /dev/null
+++ b/fuzz/tiffpredictor_fuzzer.cc
@@ -0,0 +1,53 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_TIFFPredictor.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+ public:
+ FuzzHelper(unsigned char const* data, size_t size);
+ void run();
+
+ private:
+ void doChecks();
+
+ unsigned char const* data;
+ size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+ data(data),
+ size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+ Pl_Discard discard;
+ Pl_TIFFPredictor p("decoder", &discard,
+ Pl_TIFFPredictor::a_decode, 16, 1, 8);
+ p.write(const_cast<unsigned char*>(data), size);
+ p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+ try
+ {
+ doChecks();
+ }
+ catch (std::runtime_error const& e)
+ {
+ std::cerr << "runtime_error: " << e.what() << std::endl;
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+ FuzzHelper f(data, size);
+ f.run();
+ return 0;
+}
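Review bot: The pipeline identifier on the `Pl_TIFFPredictor p("decoder", &discard,` line is "decoder", while the other seven harnesses in this commit use "decode"; the identifier only shows up in diagnostics, so this is cosmetic, but making it `"decode"` keeps error output greppable across fuzzers. Nothing else in this file differs from the sibling harnesses apart from the constructor arguments.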
diff --git a/fuzz/tiffpredictor_fuzzer_seed_corpus/9c848d2c383eb26a026d0b4428421c5e43c2d7b9 b/fuzz/tiffpredictor_fuzzer_seed_corpus/9c848d2c383eb26a026d0b4428421c5e43c2d7b9
new file mode 100644
index 00000000..30ba8de7
--- /dev/null
+++ b/fuzz/tiffpredictor_fuzzer_seed_corpus/9c848d2c383eb26a026d0b4428421c5e43c2d7b9
Binary files differ