Improve coverage of file fuzzer (metadata, filetype checks).

strukturag · Nov 20, 2019 · bea3c3b · bea3c3b
1 parent 9856bcc
commit bea3c3b
Showing 1 changed file with 32 additions and 4 deletions.
diff --git a/libheif/file_fuzzer.cc b/libheif/file_fuzzer.cc
@@ -19,6 +19,7 @@
  */
 
 #include <assert.h>
+#include <limits.h>
 #include <stdlib.h>
 
 #include "heif.h"
@@ -27,7 +28,7 @@ static const enum heif_colorspace kFuzzColorSpace = heif_colorspace_YCbCr;
 static const enum heif_chroma kFuzzChroma = heif_chroma_420;
 
 static void TestDecodeImage(struct heif_context* ctx,
-    const struct heif_image_handle* handle) {
+    const struct heif_image_handle* handle, size_t filesize) {
   struct heif_image* image;
   struct heif_error err;
 
@@ -36,6 +37,25 @@ static void TestDecodeImage(struct heif_context* ctx,
   int height = heif_image_handle_get_height(handle);
   assert(width >= 0);
   assert(height >= 0);
+  int metadata_count = heif_image_handle_get_number_of_metadata_blocks(handle, nullptr);
+  assert(metadata_count >= 0);
+  assert(static_cast<size_t>(metadata_count) < filesize / sizeof(heif_item_id));
+  heif_item_id* metadata_ids = static_cast<heif_item_id*>(malloc(metadata_count * sizeof(heif_item_id)));
+  assert(metadata_ids);
+  int metadata_ids_count = heif_image_handle_get_list_of_metadata_block_IDs(handle, nullptr, metadata_ids, metadata_count);
+  assert(metadata_count == metadata_ids_count);
+  for (int i = 0; i < metadata_count; i++) {
+    heif_image_handle_get_metadata_type(handle, metadata_ids[i]);
+    heif_image_handle_get_metadata_content_type(handle, metadata_ids[i]);
+    size_t metadata_size = heif_image_handle_get_metadata_size(handle, metadata_ids[i]);
+    assert(metadata_size < filesize);
+    uint8_t* metadata_data = static_cast<uint8_t*>(malloc(metadata_size));
+    assert(metadata_data);
+    heif_image_handle_get_metadata(handle, metadata_ids[i], metadata_data);
+    free(metadata_data);
+  }
+  free(metadata_ids);
+
   err = heif_decode_image(handle, &image, kFuzzColorSpace, kFuzzChroma, nullptr);
   if (err.code != heif_error_Ok) {
     return;
@@ -49,13 +69,21 @@ static void TestDecodeImage(struct heif_context* ctx,
   heif_image_release(image);
 }
 
+static int clip_int(size_t size) {
+  return size > INT_MAX ? INT_MAX : static_cast<int>(size);
+}
+
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   struct heif_context* ctx;
   struct heif_error err;
   struct heif_image_handle* primary_handle;
   int images_count;
   heif_item_id* image_IDs = NULL;
 
+  heif_check_filetype(data, clip_int(size));
+  heif_main_brand(data, clip_int(size));
+  heif_get_file_mime_type(data, clip_int(size));
+
   ctx = heif_context_alloc();
   assert(ctx);
   err = heif_context_read_from_memory(ctx, data, size, nullptr);
@@ -67,7 +95,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   err = heif_context_get_primary_image_handle(ctx, &primary_handle);
   if (err.code == heif_error_Ok) {
     assert(heif_image_handle_is_primary_image(primary_handle));
-    TestDecodeImage(ctx, primary_handle);
+    TestDecodeImage(ctx, primary_handle, size);
     heif_image_handle_release(primary_handle);
   }
 
@@ -93,14 +121,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
       continue;
     }
 
-    TestDecodeImage(ctx, image_handle);
+    TestDecodeImage(ctx, image_handle, size);
 
     int num_thumbnails = heif_image_handle_get_number_of_thumbnails(image_handle);
     for (int t = 0; t < num_thumbnails; ++t) {
       struct heif_image_handle* thumbnail_handle = nullptr;
       heif_image_handle_get_thumbnail(image_handle, t, &thumbnail_handle);
       if (thumbnail_handle) {
-        TestDecodeImage(ctx, thumbnail_handle);
+        TestDecodeImage(ctx, thumbnail_handle, size);
         heif_image_handle_release(thumbnail_handle);
       }
     }