From edaf3020bf5369a010a5fcce8ec96d689201724b Mon Sep 17 00:00:00 2001
From: Zepeng Hu
Date: Fri, 12 Jun 2020 12:20:59 +0000
Subject: [PATCH] add svg fuzzer
Change-Id: I5c4c978c35462e41379939e92fb354dbb40606f8
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/295218
Reviewed-by: Kevin Lubick
Commit-Queue: Zepeng Hu
---
 BUILD.gn | 1 +
 fuzz/FuzzMain.cpp | 13 +++++++++++++
 fuzz/oss_fuzz/FuzzSVG.cpp | 40 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 fuzz/oss_fuzz/FuzzSVG.cpp
diff --git a/BUILD.gn b/BUILD.gn
index e9ee8980e8..143ce5a0ba 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -2006,6 +2006,7 @@ if (skia_enable_tools) {
 "fuzz/oss_fuzz/FuzzSKSL2Metal.cpp",
 "fuzz/oss_fuzz/FuzzSKSL2Pipeline.cpp",
 "fuzz/oss_fuzz/FuzzSKSL2SPIRV.cpp",
+ "fuzz/oss_fuzz/FuzzSVG.cpp",
 "fuzz/oss_fuzz/FuzzSkDescriptorDeserialize.cpp",
 "fuzz/oss_fuzz/FuzzTextBlobDeserialize.cpp",
 "tools/UrlDataManager.cpp",
diff --git a/fuzz/FuzzMain.cpp b/fuzz/FuzzMain.cpp
index 2dbeb581ae..2a3a349bfa 100644
--- a/fuzz/FuzzMain.cpp
+++ b/fuzz/FuzzMain.cpp
@@ -58,6 +58,7 @@ static constexpr char g_type_message[] = "How to interpret --bytes, one of:\n"
 "skdescriptor_deserialize\n"
 "skp\n"
 "sksl2glsl\n"
+ "svg_dom\n"
 "sksl2metal\n"
 "sksl2pipeline\n"
 "sksl2spirv\n"
@@ -90,6 +91,7 @@ static void fuzz_sksl2glsl(sk_sp);
 static void fuzz_sksl2metal(sk_sp);
 static void fuzz_sksl2pipeline(sk_sp);
 static void fuzz_sksl2spirv(sk_sp);
+static void fuzz_svg_dom(sk_sp);
 static void fuzz_textblob_deserialize(sk_sp);
 static void print_api_names();
@@ -231,6 +233,10 @@ static int fuzz_file(SkString path, SkString type) {
 fuzz_sksl2pipeline(bytes);
 return 0;
 }
+ if (type.equals("svg_dom")) {
+ fuzz_svg_dom(bytes);
+ return 0;
+ }
 if (type.equals("textblob")) {
 fuzz_textblob_deserialize(bytes);
 return 0;
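Review bot: In the g_type_message hunk, `"svg_dom\n"` is inserted between `"sksl2glsl\n"` and `"sksl2metal\n"`, which breaks the alphabetical order that the other visible entries follow. Moving it after `"sksl2spirv\n"` would keep the help text sorted and easier to scan. The string literal continues outside the hunk, so the entry that follows `sksl2spirv` is not visible here.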
@@ -277,6 +283,7 @@ static std::map cf_map = {
 #if defined(SK_ENABLE_SKOTTIE)
 {"skottie_json", "skottie_json"},
 #endif
+ {"svg_dom", "svg_dom"},
 {"textblob_deserialize", "textblob"}
 };
@@ -327,6 +334,12 @@ static void fuzz_skottie_json(sk_sp bytes){
 }
 #endif
+void FuzzSVG(sk_sp bytes);
+static void fuzz_svg_dom(sk_sp bytes){
+ FuzzSVG(bytes);
+ SkDebugf("[terminated] Done DOM!\n");
+}
+
 // This adds up the first 1024 bytes and returns it as an 8 bit integer. This allows afl-fuzz to
 // deterministically excercise different paths, or *options* (such as different scaling sizes or
 // different image modes) without needing to introduce a parameter. This way we don't need a
diff --git a/fuzz/oss_fuzz/FuzzSVG.cpp b/fuzz/oss_fuzz/FuzzSVG.cpp
new file mode 100644
index 0000000000..df8cfa2ada
--- /dev/null
+++ b/fuzz/oss_fuzz/FuzzSVG.cpp
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2020 Google, LLC
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "experimental/svg/model/SkSVGDOM.h"
+#include "include/core/SkData.h"
+#include "include/core/SkStream.h"
+#include "include/core/SkSurface.h"
+
+void FuzzSVG(sk_sp bytes) {
+ uint8_t w = 100;
+ uint8_t h = 200;
+
+ SkMemoryStream stream(bytes);
+ sk_sp dom = SkSVGDOM::MakeFromStream(stream);
+ if (!dom) {
+ return;
+ }
+
+ auto s = SkSurface::MakeRasterN32Premul(128, 128);
+ if (!s) {
+ return;
+ }
+ SkSize winSize = SkSize::Make(w, h);
+ dom->setContainerSize(winSize);
+ dom->containerSize();
+ dom->render(s->getCanvas());
+
+}
+
+#if defined(IS_FUZZING_WITH_LIBFUZZER)
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ auto bytes = SkData::MakeWithoutCopy(data, size);
+ FuzzSVG(bytes);
+ return 0;
+}
+#endif
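Review bot: The `{"svg_dom", "svg_dom"}` entry in cf_map is registered unconditionally, while the neighbouring `skottie_json` entry sits behind `#if defined(SK_ENABLE_SKOTTIE)`. The same applies to the `fuzz_svg_dom` definition in the next hunk and to the BUILD.gn hunk, which adds FuzzSVG.cpp without a condition. If the SVG model can be left out of some build configurations (the fuzz target's dependencies are not visible here), these pieces would reference a `FuzzSVG` symbol that no longer compiles or links. It is worth confirming that the SVG module is always built with the fuzz tool, or else wrapping the svg_dom pieces in a matching feature guard. cf_map's initializer starts outside the hunk.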
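Review bot: `LLVMFuzzerTestOneInput` in FuzzSVG.cpp passes inputs of any size straight to `SkSVGDOM::MakeFromStream`, so very large documents may surface as timeouts or out-of-memory reports rather than parser or renderer bugs. An early guard such as `if (size > kMaxInputSize) { return 0; }` (constant name and limit to be chosen by the project) would keep the reports focused. In `FuzzSVG`, the container is set to 100x200 while the raster surface is 128x128, and the result of `dom->containerSize();` is discarded. A short comment such as `// Getter is called only for coverage; the 100x200 container intentionally differs from the 128x128 surface.` would tell the next reader whether this is deliberate. `w` and `h` never change and could be `constexpr` values instead of `uint8_t` locals.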