LCMS benchmark

google · Jun 23, 2017 · 79247e2 · 79247e2
1 parent 10f03d0
commit 79247e2
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 0 deletions.
diff --git a/lcms-2017-03-21/README.md b/lcms-2017-03-21/README.md
@@ -0,0 +1,36 @@
+This is a benchmark for finding a
+[heap-buffer-overflow bug](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=925) in
+[Little-CMS](https://github.com/mm2/Little-CMS).
+
+Note that, in OSS-Fuzz, this bug was first found with [AFL](http://lcamtuf.coredump.cx/afl/).
+
+The following error can be found within 30 minutes of fuzzing, from the provided seed.
+
+```
+==27232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800011b68c at pc 0x00000057c11a bp 0x7ffd7544b130 sp 0x7ffd7544b128
+READ of size 4 at 0x60800011b68c thread T0
+    #0 0x57c119 in TetrahedralInterpFloat BUILD/src/cmsintrp.c:642:22
+    #1 0x599c56 in _LUTeval16 BUILD/src/cmslut.c:1330:14
+    #2 0x51a13a in CachedXFORM BUILD/src/cmsxform.c:525:17
+    #3 0x512b8d in cmsDoTransform BUILD/src/cmsxform.c:189:5
+    #4 0x4ea37c in LLVMFuzzerTestOneInput cms_transform_fuzzer.c
+```
+
+Generally, the above error is found. However, the [following error](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=931) is also present.
+
+```
+==96256==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000048c at pc 0x00000057bfea bp 0x7ffd1790c010 sp 0x7ffd1790c008
+READ of size 4 at 0x60800000048c thread T0
+    #0 0x57bfe9 in TetrahedralInterpFloat BUILD/src/cmsintrp.c:642:22
+    #1 0x59a1f1 in _LUTevalFloat /usr/local BUILD/src/cmslut.c:1356:15
+    #2 0x54e591 in XFormSampler16 BUILD/src/cmsopt.c:423:5
+    #3 0x593e77 in cmsStageSampleCLut16bit BUILD/src/cmslut.c:797:14
+    #4 0x54cdbf in OptimizeByResampling BUILD/src/cmsopt.c:734:10
+    #5 0x54a74f in _cmsOptimizePipeline BUILD/src/cmsopt.c:1942:17
+    #6 0x51521f in AllocEmptyTransform BUILD/src/cmsxform.c:819:15
+    #7 0x5140a0 in cmsCreateExtendedTransform BUILD/src/cmsxform.c:1075:13
+    #8 0x516ce2 in cmsCreateMultiprofileTransformTHR BUILD/src/cmsxform.c:1175:12
+    #9 0x516ce2 in cmsCreateTransformTHR BUILD/src/cmsxform.c:1216
+    #10 0x516ce2 in cmsCreateTransform BUILD/src/cmsxform.c:1226
+    #11 0x4ea02c in LLVMFuzzerTestOneInput cms_transform_fuzzer.c:31:30
+```
diff --git a/lcms-2017-03-21/build.sh b/lcms-2017-03-21/build.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# Copyright 2016 Google Inc. All Rights Reserved.
+# Licensed under the Apache License, Version 2.0 (the "License");
+. $(dirname $0)/../common.sh
+
+build_lib() {
+  rm -rf BUILD
+  cp -rf SRC BUILD
+  (cd BUILD && ./autogen.sh && CXX="clang++ $FUZZ_CXXFLAGS" CC="clang $FUZZ_CXXFLAGS" CCLD="clang++ $FUZZ_CXXFLAGS"  ./configure && make -j $JOBS)
+}
+
+get_git_revision https://github.com/mm2/Little-CMS.git f9d75ccef0b54c9f4167d95088d4727985133c52 SRC
+build_lib
+build_libfuzzer
+set -x
+clang++ $SCRIPT_DIR/cms_transform_fuzzer.c -I BUILD/include/ $FUZZ_CXXFLAGS BUILD/src/.libs/liblcms2.a libFuzzer.a -o $EXECUTABLE_NAME_BASE
diff --git a/lcms-2017-03-21/cms_transform_fuzzer.c b/lcms-2017-03-21/cms_transform_fuzzer.c
@@ -0,0 +1,50 @@
+// Copyright 2016 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include <stdint.h>
+
+#include "lcms2.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  cmsHPROFILE srcProfile = cmsOpenProfileFromMem(data, size);
+  if (!srcProfile) return 0;
+
+  cmsHPROFILE dstProfile = cmsCreate_sRGBProfile();
+  if (!dstProfile) {
+    cmsCloseProfile(srcProfile);
+    return 0;
+  }
+
+  cmsColorSpaceSignature srcCS = cmsGetColorSpace(srcProfile);
+  cmsUInt32Number nSrcComponents = cmsChannelsOf(srcCS);
+  cmsUInt32Number srcFormat;
+  if (srcCS == cmsSigLabData) {
+    srcFormat =
+        COLORSPACE_SH(PT_Lab) | CHANNELS_SH(nSrcComponents) | BYTES_SH(0);
+  } else {
+    srcFormat =
+        COLORSPACE_SH(PT_ANY) | CHANNELS_SH(nSrcComponents) | BYTES_SH(1);
+  }
+
+  cmsUInt32Number intent = 0;
+  cmsUInt32Number flags = 0;
+  cmsHTRANSFORM hTransform = cmsCreateTransform(
+      srcProfile, srcFormat, dstProfile, TYPE_BGR_8, intent, flags);
+  cmsCloseProfile(srcProfile);
+  cmsCloseProfile(dstProfile);
+  if (!hTransform) return 0;
+
+  uint8_t output[4];
+  if (T_BYTES(srcFormat) == 0) {  // 0 means double
+    double input[nSrcComponents];
+    for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 0.5f;
+    cmsDoTransform(hTransform, input, output, 1);
+  } else {
+    uint8_t input[nSrcComponents];
+    for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 128;
+    cmsDoTransform(hTransform, input, output, 1);
+  }
+  cmsDeleteTransform(hTransform);
+
+  return 0;
+}
diff --git a/lcms-2017-03-21/crash-6a7f7b35fc6de5b19080b1c32588c727caf5d396 b/lcms-2017-03-21/crash-6a7f7b35fc6de5b19080b1c32588c727caf5d396
diff --git a/lcms-2017-03-21/seed b/lcms-2017-03-21/seed