diff --git a/BUILD.gn b/BUILD.gn index 47f8d84f4f..12c6bad9b8 100644 --- a/BUILD.gn +++ b/BUILD.gn @@ -1728,8 +1728,11 @@ if (skia_enable_tools) { "fuzz/FuzzPathop.cpp", "fuzz/FuzzScaleToSides.cpp", "fuzz/fuzz.cpp", + "fuzz/oss_fuzz/FuzzImageFilterDeserialize.cpp", + "fuzz/oss_fuzz/FuzzPathDeserialize.cpp", "fuzz/oss_fuzz/FuzzRegionDeserialize.cpp", "fuzz/oss_fuzz/FuzzRegionSetPath.cpp", + "fuzz/oss_fuzz/FuzzTextBlobDeserialize.cpp", "tools/UrlDataManager.cpp", "tools/debugger/SkDebugCanvas.cpp", "tools/debugger/SkDrawCommand.cpp", diff --git a/fuzz/fuzz.cpp b/fuzz/fuzz.cpp index 37029949ed..945518a3c3 100644 --- a/fuzz/fuzz.cpp +++ b/fuzz/fuzz.cpp @@ -12,7 +12,6 @@ #include "SkData.h" #include "SkImage.h" #include "SkImageEncoder.h" -#include "SkImageFilter.h" #include "SkMallocPixelRef.h" #include "SkOSFile.h" #include "SkOSPath.h" @@ -21,7 +20,6 @@ #include "SkPicture.h" #include "SkPipe.h" #include "SkReadBuffer.h" -#include "SkRegion.h" #include "SkStream.h" #include "SkSurface.h" #include "SkTextBlob.h" @@ -513,18 +511,12 @@ static void fuzz_color_deserialize(sk_sp bytes) { SkDebugf("[terminated] Success! deserialized Colorspace.\n"); } -static void fuzz_path_deserialize(sk_sp bytes) { - SkPath path; - SkReadBuffer buf(bytes->data(), bytes->size()); - buf.readPath(&path); - if (!buf.isValid()) { - SkDebugf("[terminated] Couldn't deserialize SkPath.\n"); - return; - } +void FuzzPathDeserialize(SkReadBuffer& buf); - auto s = SkSurface::MakeRasterN32Premul(1024, 1024); - s->getCanvas()->drawPath(path, SkPaint()); - SkDebugf("[terminated] Success! Initialized SkPath.\n"); +static void fuzz_path_deserialize(sk_sp bytes) { + SkReadBuffer buf(bytes->data(), bytes->size()); + FuzzPathDeserialize(buf); + SkDebugf("[terminated] path_deserialize didn't crash!\n"); } bool FuzzRegionDeserialize(sk_sp bytes); @@ -537,17 +529,12 @@ static void fuzz_region_deserialize(sk_sp bytes) { SkDebugf("[terminated] Success! Initialized SkRegion.\n"); } +void FuzzTextBlobDeserialize(SkReadBuffer& buf); + static void fuzz_textblob_deserialize(sk_sp bytes) { SkReadBuffer buf(bytes->data(), bytes->size()); - auto tb = SkTextBlob::MakeFromBuffer(buf); - if (!buf.isValid()) { - SkDebugf("[terminated] Couldn't deserialize SkTextBlob.\n"); - return; - } - - auto s = SkSurface::MakeRasterN32Premul(512, 512); - s->getCanvas()->drawTextBlob(tb, 200, 200, SkPaint()); - SkDebugf("[terminated] Success! Initialized SkTextBlob.\n"); + FuzzTextBlobDeserialize(buf); + SkDebugf("[terminated] textblob didn't crash!\n"); } void FuzzRegionSetPath(Fuzz* fuzz); @@ -558,36 +545,11 @@ static void fuzz_region_set_path(sk_sp bytes) { SkDebugf("[terminated] region_set_path didn't crash!\n"); } +void FuzzImageFilterDeserialize(sk_sp bytes); + static void fuzz_filter_fuzz(sk_sp bytes) { - const int BitmapSize = 24; - SkBitmap bitmap; - bitmap.allocN32Pixels(BitmapSize, BitmapSize); - SkCanvas canvas(bitmap); - canvas.clear(0x00000000); - - auto flattenable = SkImageFilter::Deserialize(bytes->data(), bytes->size()); - - // Adding some info, but the test passed if we got here without any trouble - if (flattenable != nullptr) { - SkDebugf("Valid stream detected.\n"); - // Let's see if using the filters can cause any trouble... - SkPaint paint; - paint.setImageFilter(flattenable); - canvas.save(); - canvas.clipRect(SkRect::MakeXYWH( - 0, 0, SkIntToScalar(BitmapSize), SkIntToScalar(BitmapSize))); - - // This call shouldn't crash or cause ASAN to flag any memory issues - // If nothing bad happens within this call, everything is fine - canvas.drawBitmap(bitmap, 0, 0, &paint); - - SkDebugf("Filter DAG rendered successfully\n"); - canvas.restore(); - } else { - SkDebugf("Invalid stream detected.\n"); - } - - SkDebugf("[terminated] Done\n"); + FuzzImageFilterDeserialize(bytes); + SkDebugf("[terminated] filter_fuzz didn't crash!\n"); } #if SK_SUPPORT_GPU diff --git a/fuzz/oss_fuzz/FuzzImageFilterDeserialize.cpp b/fuzz/oss_fuzz/FuzzImageFilterDeserialize.cpp new file mode 100644 index 0000000000..f9d9598892 --- /dev/null +++ b/fuzz/oss_fuzz/FuzzImageFilterDeserialize.cpp @@ -0,0 +1,46 @@ +/* + * Copyright 2018 Google Inc. + * + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + + +#include "SkBitmap.h" +#include "SkCanvas.h" +#include "SkData.h" +#include "SkImageFilter.h" +#include "SkPaint.h" + +void FuzzImageFilterDeserialize(sk_sp bytes) { + const int BitmapSize = 24; + SkBitmap bitmap; + bitmap.allocN32Pixels(BitmapSize, BitmapSize); + SkCanvas canvas(bitmap); + canvas.clear(0x00000000); + + auto flattenable = SkImageFilter::Deserialize(bytes->data(), bytes->size()); + + if (flattenable != nullptr) { + // Let's see if using the filters can cause any trouble... + SkPaint paint; + paint.setImageFilter(flattenable); + canvas.save(); + canvas.clipRect(SkRect::MakeXYWH( + 0, 0, SkIntToScalar(BitmapSize), SkIntToScalar(BitmapSize))); + + // This call shouldn't crash or cause ASAN to flag any memory issues + // If nothing bad happens within this call, everything is fine + canvas.drawBitmap(bitmap, 0, 0, &paint); + + canvas.restore(); + } +} + +#if defined(IS_FUZZING_WITH_LIBFUZZER) +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + auto bytes = SkData::MakeWithoutCopy(data, size); + FuzzImageFilterDeserialize(bytes); + return 0; +} +#endif diff --git a/fuzz/oss_fuzz/FuzzPathDeserialize.cpp b/fuzz/oss_fuzz/FuzzPathDeserialize.cpp new file mode 100644 index 0000000000..b18f719f4f --- /dev/null +++ b/fuzz/oss_fuzz/FuzzPathDeserialize.cpp @@ -0,0 +1,35 @@ +/* + * Copyright 2018 Google Inc. + * + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +#include "SkCanvas.h" +#include "SkPaint.h" +#include "SkPath.h" +#include "SkReadBuffer.h" +#include "SkSurface.h" + +void FuzzPathDeserialize(SkReadBuffer& buf) { + SkPath path; + buf.readPath(&path); + if (!buf.isValid()) { + return; + } + + auto s = SkSurface::MakeRasterN32Premul(128, 128); + if (!s) { + // May return nullptr in memory-constrained fuzzing environments + return; + } + s->getCanvas()->drawPath(path, SkPaint()); +} + +#if defined(IS_FUZZING_WITH_LIBFUZZER) +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + SkReadBuffer buf(data, size); + FuzzPathDeserialize(buf); + return 0; +} +#endif diff --git a/fuzz/oss_fuzz/FuzzTextBlobDeserialize.cpp b/fuzz/oss_fuzz/FuzzTextBlobDeserialize.cpp new file mode 100644 index 0000000000..36c7057dbc --- /dev/null +++ b/fuzz/oss_fuzz/FuzzTextBlobDeserialize.cpp @@ -0,0 +1,34 @@ +/* + * Copyright 2018 Google Inc. + * + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +#include "SkCanvas.h" +#include "SkPaint.h" +#include "SkReadBuffer.h" +#include "SkSurface.h" +#include "SkTextBlob.h" + +void FuzzTextBlobDeserialize(SkReadBuffer& buf) { + auto tb = SkTextBlob::MakeFromBuffer(buf); + if (!buf.isValid()) { + return; + } + + auto s = SkSurface::MakeRasterN32Premul(128, 128); + if (!s) { + // May return nullptr in memory-constrained fuzzing environments + return; + } + s->getCanvas()->drawTextBlob(tb, 200, 200, SkPaint()); +} + +#if defined(IS_FUZZING_WITH_LIBFUZZER) +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + SkReadBuffer buf(data, size); + FuzzTextBlobDeserialize(buf); + return 0; +} +#endif