diff options
| author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-09-28 09:18:47 -0500 |
|---|---|---|
| committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-09-28 09:20:20 -0500 |
| commit | 414de980470708241bb464c2eccc29bd75343139 (patch) | |
| tree | c0ccf51120ea3ab040a53fc7814e32c22843a8fa | |
| parent | 0512c63533d20634bad25f133f3094abbae7cda3 (diff) | |
| download | libpng-414de980470708241bb464c2eccc29bd75343139.tar.gz | |
[libpng16] Add end_info structure to libpng fuzzer; add row_ptr to CLEANUP
| -rw-r--r-- | contrib/oss-fuzz/libpng_read_fuzzer.cc | 50 |
1 files changed, 38 insertions, 12 deletions
diff --git a/contrib/oss-fuzz/libpng_read_fuzzer.cc b/contrib/oss-fuzz/libpng_read_fuzzer.cc index c1b16249d..78c7c9ff0 100644 --- a/contrib/oss-fuzz/libpng_read_fuzzer.cc +++ b/contrib/oss-fuzz/libpng_read_fuzzer.cc @@ -12,6 +12,7 @@ // 2. setting the option to ignore ADLER32 checksums, // 3. adding "#include <string.h>" which is needed on some platforms // to provide memcpy(). +// 4. adding read_end_info() and creating an end_info structure. #include <stddef.h> #include <stdint.h> @@ -23,14 +24,23 @@ #include "png.h" #define PNG_CLEANUP \ - if(png_handler.png_ptr) \ - { \ - if (png_handler.info_ptr) \ - png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\ - nullptr); \ - else \ - png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \ - } + if(png_handler.png_ptr) \ + { \ + if (png_handler.row_ptr) \ + png_free(png_handler.png_ptr, png_handler.row_ptr); \ + if (png_handler.end_info_ptr) \ + png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\ + &png_handler.end_info_ptr); \ + else if (png_handler.info_ptr) \ + png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\ + nullptr); \ + else \ + png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \ + png_handler.png_ptr = nullptr; \ + png_handler.row_ptr = nullptr; \ + png_handler.info_ptr = nullptr; \ + png_handler.end_info_ptr = nullptr; \ + } struct BufState { const uint8_t* data; @@ -40,16 +50,19 @@ struct BufState { struct PngObjectHandler { png_infop info_ptr = nullptr; png_structp png_ptr = nullptr; + png_infop end_info_ptr = nullptr; png_voidp row_ptr = nullptr; BufState* buf_state = nullptr; ~PngObjectHandler() { - if (row_ptr && png_ptr) { + if (row_ptr) png_free(png_ptr, row_ptr); - } - if (png_ptr && info_ptr) { + if (end_info_ptr) + png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr); + else if (info_ptr) png_destroy_read_struct(&png_ptr, &info_ptr, nullptr); - } + else + png_destroy_read_struct(&png_ptr, nullptr, nullptr); delete buf_state; } }; @@ -81,6 +94,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { } PngObjectHandler png_handler; + png_handler.png_ptr = nullptr; + png_handler.row_ptr = nullptr; + png_handler.info_ptr = nullptr; + png_handler.end_info_ptr = nullptr; + png_handler.png_ptr = png_create_read_struct (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr); if (!png_handler.png_ptr) { @@ -93,6 +111,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { return 0; } + png_handler.end_info_ptr = png_create_info_struct(png_handler.png_ptr); + if (!png_handler.end_info_ptr) { + PNG_CLEANUP + return 0; + } + png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE); #ifdef PNG_IGNORE_ADLER32 png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON); @@ -149,6 +173,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { } } + png_read_end(png_handler.png_ptr, png_handler.end_info_ptr); + PNG_CLEANUP return 0; } |