/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "gtest/gtest.h"

#include <iostream>

#include "Common.h"
#include "imgIContainer.h"
#include "imgITools.h"
#include "ImageOps.h"
#include "mozilla/gfx/2D.h"
#include "mozilla/Preferences.h"
#include "nsComponentManagerUtils.h"
#include "nsCOMPtr.h"
#include "nsIInputStream.h"
#include "nsIRunnable.h"
#include "nsIThread.h"
#include "mozilla/RefPtr.h"
#include "nsString.h"
#include "nsThreadUtils.h"
#include "FuzzingInterfaceStream.h"
using namespace mozilla;
using namespace mozilla::gfx;
using namespace mozilla::image;
// Forces `x` to be evaluated even though its result is otherwise unused, so
// the compiler cannot optimise the expression away. The harness depends on
// this: the expressions passed in below read the decoded pixel data, and those
// reads are what tools like ASan need to observe in order to report faulty
// memory accesses inside the decoders. The volatile store is the side effect
// that keeps the branch alive; its value is irrelevant.
#define DUMMY_IF(x) \
  if (x) {          \
    volatile int v; \
    v = 0;          \
    (void)v;        \
  }
// Runnable that decodes one input stream into a SourceSurface and then touches
// the decoded pixels so that sanitizer-visible reads of the result happen.
//
// The decoded surface is written into the caller-provided `aSurface` slot,
// which is held by reference: the caller must keep that slot alive until the
// runnable has finished (the driver below spins the event loop until then).
// The input stream is consumed on the first Go(), so a runnable is only
// meaningful for a single decode.
class DecodeToSurfaceRunnableFuzzing : public Runnable {
 public:
  DecodeToSurfaceRunnableFuzzing(RefPtr<SourceSurface>& aSurface,
                                 nsIInputStream* aInputStream,
                                 const char* mimeType)
      : mozilla::Runnable("DecodeToSurfaceRunnableFuzzing"),
        mSurface(aSurface),
        mInputStream(aInputStream),
        mMimeType(mimeType) {}

  // nsIRunnable entry point; the decode itself lives in Go().
  NS_IMETHOD Run() override {
    Go();
    return NS_OK;
  }

  // Decodes the stream with the default flags and, for data surfaces in an
  // OS_RGBX/OS_RGBA format, evaluates two checks over the pixel data whose
  // only purpose is to make the decoder output actually be read.
  void Go() {
    mSurface = ImageOps::DecodeToSurface(mInputStream.forget(), mMimeType,
                                         imgIContainer::DECODE_FLAGS_DEFAULT);
    if (!mSurface || mSurface->GetType() != SurfaceType::DATA) {
      return;
    }
    if (!HasOsRgbFormat()) {
      return;
    }
    DUMMY_IF(IntSize(1, 1) == mSurface->GetSize());
    DUMMY_IF(IsSolidColor(mSurface, BGRAColor::Green(), 1));
  }

 private:
  // True when the decoded surface uses one of the two native RGB formats the
  // pixel checks above are written for.
  bool HasOsRgbFormat() const {
    const SurfaceFormat format = mSurface->GetFormat();
    return format == SurfaceFormat::OS_RGBX ||
           format == SurfaceFormat::OS_RGBA;
  }

  // Caller-owned output slot; see the class comment for the lifetime rule.
  RefPtr<SourceSurface>& mSurface;
  // Released into DecodeToSurface() by Go(); null afterwards.
  nsCOMPtr<nsIInputStream> mInputStream;
  nsAutoCString mMimeType;
};
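// Shared driver for every image fuzzing target: decodes `inputStream` as
// `mimeType` on a dedicated thread and discards the result. Always returns 0
// (the fuzzing interface only needs the decode to run, not a verdict); a null,
// empty or unreadable stream is skipped without touching the decoders.
static int RunDecodeToSurfaceFuzzing(nsCOMPtr<nsIInputStream> inputStream,
                                     const char* mimeType) {
  if (!inputStream) {
    return 0;
  }
  // Available() reports failure through its nsresult and may leave `len`
  // untouched on failure, so start from zero and treat failure like an empty
  // stream instead of branching on an uninitialized length.
  uint64_t len = 0;
  if (NS_FAILED(inputStream->Available(&len)) || len == 0) {
    return 0;
  }
  // Ensure CMS state is initialized on the main thread.
  gfxPlatform::GetCMSMode();
  nsCOMPtr<nsIThread> thread;
  const nsresult rv =
      NS_NewNamedThread("Decoder Test", getter_AddRefs(thread), nullptr);
  MOZ_RELEASE_ASSERT(NS_SUCCEEDED(rv));
  // We run the DecodeToSurface tests off-main-thread to ensure that
  // DecodeToSurface doesn't require any other main-thread-only code.
  // `surface` is held by reference inside the runnable; it stays valid because
  // the dispatch below spins the event loop until the runnable has completed.
  RefPtr<SourceSurface> surface;
  nsCOMPtr<nsIRunnable> runnable =
      new DecodeToSurfaceRunnableFuzzing(surface, inputStream, mimeType);
  NS_DispatchAndSpinEventLoopUntilComplete("RunDecodeToSurfaceFuzzing"_ns,
                                           thread, runnable.forget());
  thread->Shutdown();
  // Explicitly release the SourceSurface on the main thread.
  surface = nullptr;
  return 0;
}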
// Fuzzing entry point for the JPEG decoder; forwards to the shared driver.
static int RunDecodeToSurfaceFuzzingJPEG(nsCOMPtr<nsIInputStream> inputStream) {
  static constexpr const char* kMimeType = "image/jpeg";
  return RunDecodeToSurfaceFuzzing(inputStream, kMimeType);
}
// Fuzzing entry point for the GIF decoder; forwards to the shared driver.
static int RunDecodeToSurfaceFuzzingGIF(nsCOMPtr<nsIInputStream> inputStream) {
  static constexpr const char* kMimeType = "image/gif";
  return RunDecodeToSurfaceFuzzing(inputStream, kMimeType);
}
// Fuzzing entry point for the ICO decoder; forwards to the shared driver.
static int RunDecodeToSurfaceFuzzingICO(nsCOMPtr<nsIInputStream> inputStream) {
  static constexpr const char* kMimeType = "image/ico";
  return RunDecodeToSurfaceFuzzing(inputStream, kMimeType);
}
// Fuzzing entry point for the BMP decoder; forwards to the shared driver.
static int RunDecodeToSurfaceFuzzingBMP(nsCOMPtr<nsIInputStream> inputStream) {
  static constexpr const char* kMimeType = "image/bmp";
  return RunDecodeToSurfaceFuzzing(inputStream, kMimeType);
}
// Fuzzing entry point for the PNG decoder; forwards to the shared driver.
static int RunDecodeToSurfaceFuzzingPNG(nsCOMPtr<nsIInputStream> inputStream) {
  static constexpr const char* kMimeType = "image/png";
  return RunDecodeToSurfaceFuzzing(inputStream, kMimeType);
}
// Fuzzing entry point for the WebP decoder; forwards to the shared driver.
static int RunDecodeToSurfaceFuzzingWebP(nsCOMPtr<nsIInputStream> inputStream) {
  static constexpr const char* kMimeType = "image/webp";
  return RunDecodeToSurfaceFuzzing(inputStream, kMimeType);
}
// Fuzzing entry point for the AVIF decoder; forwards to the shared driver.
static int RunDecodeToSurfaceFuzzingAVIF(nsCOMPtr<nsIInputStream> inputStream) {
  static constexpr const char* kMimeType = "image/avif";
  return RunDecodeToSurfaceFuzzing(inputStream, kMimeType);
}
#ifdef MOZ_JXL
// Fuzzing entry point for the JXL decoder (MOZ_JXL builds only); forwards to
// the shared driver.
static int RunDecodeToSurfaceFuzzingJXL(nsCOMPtr<nsIInputStream> inputStream) {
  static constexpr const char* kMimeType = "image/jxl";
  return RunDecodeToSurfaceFuzzing(inputStream, kMimeType);
}
#endif
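// One-time setup shared by every image fuzzing target: adjusts the image prefs
// the decoders consult (AVIF sequences, the maximum legal frame size, JXL when
// built) and checks that the image tools component can be created.
// Returns 0 on success and 1 if imgITools cannot be instantiated. argc/argv
// are part of the fuzzing-interface signature and are not used here.
int FuzzingInitImage([[maybe_unused]] int* argc,
                     [[maybe_unused]] char*** argv) {
  Preferences::SetBool("image.avif.sequence.enabled", true);
  // This pref is a size in KB, i.e. an integer pref. Going through SetBool
  // would coerce 65536 to `true` instead of raising the frame-size limit, so
  // large-frame decoder paths would stay out of reach for the fuzzer.
  Preferences::SetInt("image.mem.max_legal_imgframe_size_kb", 65536);
#ifdef MOZ_JXL
  Preferences::SetBool("image.jxl.enabled", true);
#endif
  nsCOMPtr<imgITools> imgTools =
      do_CreateInstance("@mozilla.org/image/tools;1");
  if (!imgTools) {
    // std::cerr is unit-buffered, so a plain newline is enough; no flush needed.
    std::cerr << "Initializing image tools failed" << '\n';
    return 1;
  }
  return 0;
}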
// Fuzzing target registration. Each entry pairs the shared initializer
// (FuzzingInitImage) with one per-format entry point from the
// RunDecodeToSurfaceFuzzing* wrappers above; the third argument presumably
// names the target as exposed to the fuzzer (see FuzzingInterfaceStream.h to
// confirm). The JXL target is registered only in MOZ_JXL builds, matching
// the #ifdef around its wrapper.
MOZ_FUZZING_INTERFACE_STREAM(FuzzingInitImage, RunDecodeToSurfaceFuzzingJPEG,
                             ImageJPEG);
MOZ_FUZZING_INTERFACE_STREAM(FuzzingInitImage, RunDecodeToSurfaceFuzzingGIF,
                             ImageGIF);
MOZ_FUZZING_INTERFACE_STREAM(FuzzingInitImage, RunDecodeToSurfaceFuzzingICO,
                             ImageICO);
MOZ_FUZZING_INTERFACE_STREAM(FuzzingInitImage, RunDecodeToSurfaceFuzzingBMP,
                             ImageBMP);
MOZ_FUZZING_INTERFACE_STREAM(FuzzingInitImage, RunDecodeToSurfaceFuzzingPNG,
                             ImagePNG);
MOZ_FUZZING_INTERFACE_STREAM(FuzzingInitImage, RunDecodeToSurfaceFuzzingWebP,
                             ImageWebP);
MOZ_FUZZING_INTERFACE_STREAM(FuzzingInitImage, RunDecodeToSurfaceFuzzingAVIF,
                             ImageAVIF);
#ifdef MOZ_JXL
MOZ_FUZZING_INTERFACE_STREAM(FuzzingInitImage, RunDecodeToSurfaceFuzzingJXL,
                             ImageJXL);
#endif