1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <android/imagedecoder.h>
18 
19 #include <binder/IPCThreadState.h>
20 #include <stddef.h>
21 #include <stdint.h>
22 #include <cstdlib>
23 #include <memory>
24 
25 #ifdef PNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR
26 #include <fuzz/png_mutator.h>
27 #endif
28 
29 struct DecoderDeleter {
operator ()DecoderDeleter30     void operator()(AImageDecoder* decoder) const { AImageDecoder_delete(decoder); }
31 };
32 
33 using DecoderPointer = std::unique_ptr<AImageDecoder, DecoderDeleter>;
34 
makeDecoder(const uint8_t * data,size_t size)35 static DecoderPointer makeDecoder(const uint8_t* data, size_t size) {
36     AImageDecoder* decoder = nullptr;
37     int result = AImageDecoder_createFromBuffer(data, size, &decoder);
38     if (result != ANDROID_IMAGE_DECODER_SUCCESS) {
39         // This was not a valid image.
40         return nullptr;
41     }
42     return DecoderPointer(decoder);
43 }
44 
45 struct PixelFreer {
operator ()PixelFreer46     void operator()(void* pixels) const { std::free(pixels); }
47 };
48 
49 using PixelPointer = std::unique_ptr<void, PixelFreer>;
50 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)51 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
52     // Without this call, decoding HEIF may time out on binder IPC calls.
53     android::ProcessState::self()->startThreadPool();
54 
55     DecoderPointer decoder = makeDecoder(data, size);
56     if (!decoder) {
57         return 0;
58     }
59 
60     const AImageDecoderHeaderInfo* info = AImageDecoder_getHeaderInfo(decoder.get());
61     int32_t width = AImageDecoderHeaderInfo_getWidth(info);
62     int32_t height = AImageDecoderHeaderInfo_getHeight(info);
63 
64     // Set an arbitrary limit on the size of an image. The fuzzer runs with a
65     // limited amount of memory, and keeping this allocation small allows the
66     // fuzzer to continue running to try to find more serious problems. This
67     // size is large enough to hold a photo taken by a current gen phone.
68     constexpr int32_t kMaxDimension = 5000;
69     if (width > kMaxDimension || height > kMaxDimension) {
70         return 0;
71     }
72 
73     size_t stride = AImageDecoder_getMinimumStride(decoder.get());
74     size_t pixelSize = height * stride;
75     auto pixels = PixelPointer(std::malloc(pixelSize));
76     if (!pixels.get()) {
77         return 0;
78     }
79 
80     while (true) {
81         int result = AImageDecoder_decodeImage(decoder.get(), pixels.get(), stride, pixelSize);
82         if (result != ANDROID_IMAGE_DECODER_SUCCESS) break;
83 
84         result = AImageDecoder_advanceFrame(decoder.get());
85         if (result != ANDROID_IMAGE_DECODER_SUCCESS) break;
86     }
87     return 0;
88 }
89