Fuzzers for cairo

[WIP] Updates to fuzzers Cleaning up old fuzzers + raster fuzzer added clean up meson.build file minor julien fixes fixing fuzzers Fuzzers for cairo
2026-05-16 06:08:06 +02:00 · 2020-10-05 08:03:04 +00:00 · 2020-10-05 08:03:04 +00:00 · bc846b39a8
commit bc846b39a8
parent 75f6e0cacf
7 changed files with 263 additions and 0 deletions
--- a/fuzzing/fuzzer_temp_file.h
+++ b/fuzzing/fuzzer_temp_file.h
@ -0,0 +1,81 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Adapter utility from fuzzer input to a temporary file, for fuzzing APIs that
+// require a file instead of an input buffer.
+
+#ifndef FUZZER_TEMP_FILE_H_
+#define FUZZER_TEMP_FILE_H_
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+// Pure-C interface for creating and cleaning up temporary files.
+
+static char* fuzzer_get_tmpfile(const uint8_t* data, size_t size) {
+    char* filename_buffer = strdup("/tmp/generate_temporary_file.XXXXXX");
+    if (!filename_buffer) {
+        perror("Failed to allocate file name buffer.");
+        abort();
+    }
+    const int file_descriptor = mkstemp(filename_buffer);
+    if (file_descriptor < 0) {
+        perror("Failed to make temporary file.");
+        abort();
+    }
+    FILE* file = fdopen(file_descriptor, "wb");
+    if (!file) {
+        perror("Failed to open file descriptor.");
+        close(file_descriptor);
+        abort();
+    }
+    const size_t bytes_written = fwrite(data, sizeof(uint8_t), size, file);
+    if (bytes_written < size) {
+        close(file_descriptor);
+        fprintf(stderr, "Failed to write all bytes to file (%zu out of %zu)",
+                bytes_written, size);
+        abort();
+    }
+    fclose(file);
+    return filename_buffer;
+}
+
+static void fuzzer_release_tmpfile(char* filename) {
+    if (unlink(filename) != 0) {
+        perror("WARNING: Failed to delete temporary file.");
+    }
+    free(filename);
+}
+
+// C++ RAII object for creating temporary files.
+
+#ifdef __cplusplus
+class FuzzerTemporaryFile {
+    public:
+        FuzzerTemporaryFile(const uint8_t* data, size_t size)
+            : filename_(fuzzer_get_tmpfile(data, size)) {}
+
+        ~FuzzerTemporaryFile() { fuzzer_release_tmpfile(filename_); }
+
+        const char* filename() const { return filename_; }
+
+    private:
+        char* filename_;
+};
+#endif
+
+#endif  // FUZZER_TEMP_FILE_H_
--- a/fuzzing/meson.build
+++ b/fuzzing/meson.build
@ -0,0 +1,18 @@
+fuzz_targets = [
+  'raster_fuzzer',
+  'pdf_surface_fuzzer',
+  'text_glyphs_fuzzer',
+  'surface_write_png_fuzzer',
+]
+
+fuzz_args = ['-fsanitize=fuzzer,address']
+
+foreach target_name : fuzz_targets
+  exe = executable(target_name, [target_name + '.c'],
+  include_directories: [incbase, incsrc, incboilerplate, incpdiff, inccairoscript, inccairomissing],
+  c_args: [fuzz_args, '-DHAVE_CONFIG_H'],
+  link_with: [libcairo, libcairoboilerplate, libpdiff],
+  link_args: [fuzz_args, extra_link_args],
+  dependencies: [deps, test_deps],
+  )
+endforeach
--- a/fuzzing/pdf_surface_fuzzer.c
+++ b/fuzzing/pdf_surface_fuzzer.c
@ -0,0 +1,34 @@
+#include <cairo-pdf.h>
+#include "cairo-boilerplate.h"
+#include "fuzzer_temp_file.h"
+
+#define WIDTH_IN_INCHES  3
+#define HEIGHT_IN_INCHES 3
+#define WIDTH_IN_POINTS  (WIDTH_IN_INCHES  * 72.0)
+#define HEIGHT_IN_POINTS (HEIGHT_IN_INCHES * 72.0)
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    cairo_t *cr;
+    cairo_surface_t *surface;
+    cairo_status_t status;
+    int flags;
+
+    char *tmpfile = fuzzer_get_tmpfile(data, size);
+    surface = cairo_pdf_surface_create(tmpfile, WIDTH_IN_POINTS, HEIGHT_IN_POINTS);
+    status = cairo_surface_status(surface);
+    if (status != CAIRO_STATUS_SUCCESS) {
+        fuzzer_release_tmpfile(tmpfile);
+        return 0;
+    }
+
+    flags = CAIRO_PDF_OUTLINE_FLAG_BOLD | CAIRO_PDF_OUTLINE_FLAG_OPEN;
+    cairo_pdf_surface_set_page_label(surface, data);
+    cairo_pdf_surface_set_metadata(surface, CAIRO_PDF_METADATA_TITLE, data);
+    cairo_tag_begin(cr, data, NULL);
+    cairo_tag_end(cr, data);
+
+    cairo_surface_destroy(surface);
+    cairo_destroy(cr);
+    fuzzer_release_tmpfile(tmpfile);
+    return 0;
+}
--- a/fuzzing/raster_fuzzer.c
+++ b/fuzzing/raster_fuzzer.c
@ -0,0 +1,52 @@
+#include "cairo-boilerplate.h"
+#include "fuzzer_temp_file.h"
+
+#define WIDTH 200
+#define HEIGHT 80
+
+static cairo_surface_t *
+acquire (cairo_pattern_t *pattern, void *closure,
+	     cairo_surface_t *target,
+	     const cairo_rectangle_int_t *extents)
+{
+    return cairo_image_surface_create_from_png(closure);
+}
+
+static void
+release (cairo_pattern_t *pattern, void *closure, cairo_surface_t *surface)
+{
+    cairo_surface_destroy(surface);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    cairo_t *cr;
+    cairo_surface_t *surface;
+    cairo_pattern_t *pattern;
+    cairo_content_t content;
+    cairo_status_t status;
+    int w, h;
+
+    char *tmpfile = fuzzer_get_tmpfile(data, size);
+    surface = cairo_image_surface_create_from_png(tmpfile);
+    status = cairo_surface_status (surface);
+    if (status != CAIRO_STATUS_SUCCESS) {
+        fuzzer_release_tmpfile(tmpfile);
+        return 0;
+    }
+
+    cr = cairo_create(surface);
+    content = cairo_surface_get_content(surface);
+    w = cairo_image_surface_get_width(surface);
+    h = cairo_image_surface_get_height(surface);
+
+    pattern = cairo_pattern_create_raster_source(data, content, w, h);
+    cairo_raster_source_pattern_set_acquire (pattern, acquire, release);
+    cairo_set_source(cr, pattern);
+    cairo_paint(cr);
+
+    cairo_destroy(cr);
+    cairo_pattern_destroy(pattern);
+    cairo_surface_destroy(surface);
+    fuzzer_release_tmpfile(tmpfile);
+    return 0;
+}
--- a/fuzzing/surface_write_png_fuzzer.c
+++ b/fuzzing/surface_write_png_fuzzer.c
@ -0,0 +1,32 @@
+#include "cairo-boilerplate.h"
+#include "fuzzer_temp_file.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    cairo_surface_t *image;
+    cairo_surface_t *surface;
+    cairo_status_t status;
+    cairo_format_t format;
+
+    char *tmpfile = fuzzer_get_tmpfile(data, size);
+    image = cairo_image_surface_create_from_png(tmpfile);
+    status = cairo_surface_status (image);
+    if (status != CAIRO_STATUS_SUCCESS) {
+        fuzzer_release_tmpfile(tmpfile);
+        return 0;
+    }
+
+    format = cairo_image_surface_get_format(image);
+    surface = cairo_image_surface_create_for_data((unsigned char*)data, format, 1, 1, size);
+    status = cairo_surface_status (surface);
+    if (status != CAIRO_STATUS_SUCCESS) {
+        cairo_surface_destroy(image);
+        fuzzer_release_tmpfile(tmpfile);
+        return 0;
+    }
+    cairo_surface_write_to_png(surface, tmpfile);
+
+    cairo_surface_destroy(surface);
+    cairo_surface_destroy(image);
+    fuzzer_release_tmpfile(tmpfile);
+    return 0;
+}
--- a/fuzzing/text_glyphs_fuzzer.c
+++ b/fuzzing/text_glyphs_fuzzer.c
@ -0,0 +1,44 @@
+#include "cairo-boilerplate.h"
+#include "fuzzer_temp_file.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    cairo_t *cr;
+    cairo_surface_t *surface;
+    cairo_status_t status;
+    cairo_text_extents_t extents;
+    cairo_text_cluster_t cluster;
+
+    // Taken from test/text-glyph-range.c
+    long int index[] = {
+        0, /* 'no matching glyph' */
+        0xffff, /* kATSDeletedGlyphCode */
+        0x1ffff, /* out of range */
+        -1L, /* out of range */
+        70, 68, 76, 85, 82 /* 'cairo' */
+    };
+
+    char *tmpfile = fuzzer_get_tmpfile(data, size);
+    surface = cairo_image_surface_create_from_png(tmpfile);
+    status = cairo_surface_status(surface);
+    if (status != CAIRO_STATUS_SUCCESS) {
+        fuzzer_release_tmpfile(tmpfile);
+        return 0;
+    }
+
+    cr = cairo_create(surface);
+    cairo_text_extents(cr, data, &extents);
+    cluster.num_bytes = size;
+    cluster.num_glyphs = 1;
+    for (int i = 0; i < 9; i++) {
+        // Taken from test/text-glyph-range.c
+        cairo_glyph_t glyph = {
+            index[i], 10 * i, 25
+        };
+        cairo_show_text_glyphs(cr, data, size, &glyph, 1, &cluster, 1, 0);
+    }
+
+    cairo_destroy(cr);
+    cairo_surface_destroy(surface);
+    fuzzer_release_tmpfile(tmpfile);
+    return 0;
+}
--- a/meson.build
+++ b/meson.build
@ -908,6 +908,8 @@ if not get_option('tests').disabled() and feature_conf.get('CAIRO_HAS_PNG_FUNCTI
  subdir('test')
 endif

+subdir('fuzzing')
+
 configure_file(output: 'config.h', configuration: conf)

 foreach feature: built_features