#include <qpdf/Pl_DCT.hh>
#include <qpdf/Pl_Discard.hh>
#include <cstdlib>
#include <iostream>
#include <stdexcept>
// Holds one fuzzer-supplied input buffer and drives the DCT (JPEG) decode path over it.
class FuzzHelper
{
  public:
    // Records the input pointer and its length; the bytes themselves are not copied.
    FuzzHelper(unsigned char const* data, size_t size);

    // Runs one fuzz iteration: calls doChecks() and reports std::runtime_error on stderr.
    void run();

  private:
    // Sets the Pl_DCT limits, then pushes the buffer through a Pl_DCT -> Pl_Discard pipeline.
    void doChecks();

    unsigned char const* data; // non-owning pointer to the fuzzer input
    size_t size;               // number of bytes available at data
};
// Stores the caller's buffer pointer and length as-is. No copy is made, so the buffer has to
// remain valid for as long as this helper is used.
FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
    data{data},
    size{size}
{
}
// Decodes the fuzzer input as DCT (JPEG) data and throws the output away.
void
FuzzHelper::doChecks()
{
    // Resource caps for fuzzing only. Corrupt JPEG data can demand excessive memory, and that
    // cannot always be detected before jpeg_start_decompress is called. Outside of fuzzing qpdf
    // has to accept very large JPEGs, because they occasionally occur legitimately.
    // NOTE(review): these are class-level setters, so they presumably affect every Pl_DCT in the
    // process; the 200'000'000 is presumably a byte count - confirm against Pl_DCT.
    Pl_DCT::setMemoryLimit(200'000'000);
    Pl_DCT::setScanLimit(50);

    // Refuse to decompress corrupt data: it can cause extended runtime inside jpeglib without
    // exercising any additional code paths in qpdf.
    Pl_DCT::setThrowOnCorruptData(true);

    // Pl_Discard is the downstream stage; the Pl_DCT stage is created with identifier "decode".
    Pl_Discard sink;
    Pl_DCT decoder("decode", &sink);

    // NOTE(review): the const_cast hands a writable pointer to write(). Fuzz targets must not
    // modify the input buffer, so confirm that Pl_DCT::write only reads from it.
    decoder.write(const_cast<unsigned char*>(data), size);
    decoder.finish();
}
// Runs the checks for one input. A std::runtime_error is logged to stderr and swallowed, so
// the iteration ends normally.
void
FuzzHelper::run()
{
    // Only std::runtime_error (and types derived from it) is handled here. Any other exception
    // type leaves run() uncaught.
    // NOTE(review): presumably deliberate, so that unexpected failures show up as fuzzer
    // findings rather than being hidden - confirm.
    try {
        doChecks();
    } catch (std::runtime_error const& err) {
        std::cerr << "runtime_error: " << err.what() << std::endl;
    }
}
// libFuzzer entry point: wraps the input in a FuzzHelper, runs it once, and always returns 0.
extern "C" int
LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
{
#ifndef _WIN32
    // The jpeg library reads this variable; setting it works around false positives in memory
    // sanitizer. It is set (with overwrite) on every call, and the result of setenv is not
    // checked.
    setenv("JSIMD_FORCENONE", "1", 1);
#endif
    FuzzHelper helper(data, size);
    helper.run();
    return 0;
}