Update the fuzzing harness to pnm

HeroicKatora · Feb 12, 2019 · a6ae674 · a6ae674
1 parent c3c7d5c
commit a6ae674
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 37 deletions.
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -10,53 +10,56 @@ cargo-fuzz = true
 
 [dependencies.image]
 path = ".."
-[dependencies.libfuzzer-sys]
-git = "https://github.com/rust-fuzz/libfuzzer-sys.git"
+
+[dependencies.afl]
+version = "0.4.3"
 
 # Prevent this from interfering with workspaces
 [workspace]
 members = ["."]
 
-[[bin]]
-name = "fuzzer_script_guess"
-path = "fuzzers/fuzzer_script_guess.rs"
+# FIXME: port and reenable all these script with the `afl` crate
+# They come originally from https://github.com/rust-fuzz/libfuzzer-sys.
+# [[bin]]
+# name = "fuzzer_script_guess"
+# path = "fuzzers/fuzzer_script_guess.rs"
 
-[[bin]]
-name = "fuzzer_script_png"
-path = "fuzzers/fuzzer_script_png.rs"
+# [[bin]]
+# name = "fuzzer_script_png"
+# path = "fuzzers/fuzzer_script_png.rs"
 
-[[bin]]
-name = "fuzzer_script_jpeg"
-path = "fuzzers/fuzzer_script_jpeg.rs"
+# [[bin]]
+# name = "fuzzer_script_jpeg"
+# path = "fuzzers/fuzzer_script_jpeg.rs"
 
-[[bin]]
-name = "fuzzer_script_gif"
-path = "fuzzers/fuzzer_script_gif.rs"
+# [[bin]]
+# name = "fuzzer_script_gif"
+# path = "fuzzers/fuzzer_script_gif.rs"
 
-[[bin]]
-name = "fuzzer_script_webp"
-path = "fuzzers/fuzzer_script_webp.rs"
+# [[bin]]
+# name = "fuzzer_script_webp"
+# path = "fuzzers/fuzzer_script_webp.rs"
 
 [[bin]]
 name = "fuzzer_script_pnm"
 path = "fuzzers/fuzzer_script_pnm.rs"
 
-[[bin]]
-name = "fuzzer_script_tiff"
-path = "fuzzers/fuzzer_script_tiff.rs"
+# [[bin]]
+# name = "fuzzer_script_tiff"
+# path = "fuzzers/fuzzer_script_tiff.rs"
 
-[[bin]]
-name = "fuzzer_script_tga"
-path = "fuzzers/fuzzer_script_tga.rs"
+# [[bin]]
+# name = "fuzzer_script_tga"
+# path = "fuzzers/fuzzer_script_tga.rs"
 
-[[bin]]
-name = "fuzzer_script_bmp"
-path = "fuzzers/fuzzer_script_bmp.rs"
+# [[bin]]
+# name = "fuzzer_script_bmp"
+# path = "fuzzers/fuzzer_script_bmp.rs"
 
-[[bin]]
-name = "fuzzer_script_ico"
-path = "fuzzers/fuzzer_script_ico.rs"
+# [[bin]]
+# name = "fuzzer_script_ico"
+# path = "fuzzers/fuzzer_script_ico.rs"
 
-[[bin]]
-name = "fuzzer_script_hdr"
-path = "fuzzers/fuzzer_script_hdr.rs"
+# [[bin]]
+# name = "fuzzer_script_hdr"
+# path = "fuzzers/fuzzer_script_hdr.rs"
diff --git a/fuzz/README.md b/fuzz/README.md
@@ -0,0 +1,11 @@
+# Fuzzing harnesses
+
+This is intended for integration fuzzing and those decoders that do not yet
+live in their own crate. `image-png` for example has their own fuzzing targets.
+
+## Using the fuzzer
+
+> $ cargo install afl
+> $ cargo afl build
+> $ cargo afl fuzz -i ./in/<format> -o ./out/<format> ./target/release/fuzzer_script_<format>
+
diff --git a/fuzz/fuzzers/fuzzer_script_pnm.rs b/fuzz/fuzzers/fuzzer_script_pnm.rs
@@ -1,7 +1,22 @@
-#![no_main]
-#[macro_use] extern crate libfuzzer_sys;
+extern crate afl;
 extern crate image;
 
-fuzz_target!(|data: &[u8]| {
-    let _ = image::load_from_memory_with_format(data, image::ImageFormat::PNM);
-});
+use image::ImageDecoder;
+
+#[inline(always)]
+fn pnm_decode(data: &[u8]) -> image::ImageResult<Vec<u8>> {
+    let decoder = image::pnm::PNMDecoder::new(data)?;
+    let (width, height) = decoder.dimensions();
+
+    if width.saturating_mul(height) > 4_000_000 {
+        return Err(image::ImageError::DimensionError);
+    }
+
+    decoder.read_image()
+}
+
+fn main() {
+    afl::fuzz(|data| {
+        let _ = pnm_decode(data);
+    });
+}
diff --git a/fuzz/in/pnm/issue-794.pbm b/fuzz/in/pnm/issue-794.pbm
diff --git a/fuzz/in/pnm/single.pnm b/fuzz/in/pnm/single.pnm
@@ -0,0 +1,6 @@
+P7
+WIDTH 1
+HEIGHT 1
+TUPLTYPE GRAYSCALE
+ENDHDR
+H