util/fuzz-tests: Add fuzzer for jpeg decoder

Mostly a proof of concept for adding fuzzing to our tree. Change-Id: I10e5ef3a426b9c74c288d7232a6d11a1ca59833b Signed-off-by: Patrick Georgi <patrick@georgi-clan.de> Reviewed-on: http://review.coreboot.org/12183 Tested-by: build bot (Jenkins) Reviewed-by: Martin Roth <martinroth@google.com>
2015-08-09 18:30:44 +02:00 · 2015-08-09 18:30:44 +02:00 · 8f5053c626
parent 5907eb8f5a
commit 8f5053c626
5 changed files with 69 additions and 0 deletions
--- a/util/fuzz-tests/Makefile
+++ b/util/fuzz-tests/Makefile
@ -0,0 +1,5 @@
+all:
+	afl-gcc -g -m32 -I ../../src/lib -o jpeg-test jpeg-test.c ../../src/lib/jpeg.c
+
+run:
+	afl-fuzz -i jpeg-test-cases -o jpeg-results ./jpeg-test @@
--- a/util/fuzz-tests/README
+++ b/util/fuzz-tests/README
@ -0,0 +1,11 @@
+Fuzz tests
+==========
+make run (with afl-fuzz installed) takes a real long time and creates test
+cases in jpeg-results/ that crash the jpeg code.
+
+These test cases can then be used to gdb the test app and dig into the
+decoder to fix the issues.
+
+This is mostly a proof of concept because the jpeg code isn't used very often
+(only for splash screens). However there are other regions in coreboot that
+could benefit from similar treatment.
--- a/util/fuzz-tests/jpeg-test-cases/coreboot.jpg
+++ b/util/fuzz-tests/jpeg-test-cases/coreboot.jpg
--- a/util/fuzz-tests/jpeg-test-cases/coreboot_2.jpg
+++ b/util/fuzz-tests/jpeg-test-cases/coreboot_2.jpg
--- a/util/fuzz-tests/jpeg-test.c
+++ b/util/fuzz-tests/jpeg-test.c
@ -0,0 +1,53 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2015 Google Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include "jpeg.h"
+
+const int depth = 16;
+
+int main(int argc, char **argv)
+{
+	FILE *f = fopen(argv[1], "rb");
+	unsigned long len;
+
+	if (!f)
+		return 1;
+	if (fseek(f, 0, SEEK_END) != 0)
+		return 1;
+	len = ftell(f);
+	if (fseek(f, 0, SEEK_SET) != 0)
+		return 1;
+
+	char *buf = malloc(len);
+	struct jpeg_decdata *decdata = malloc(sizeof(*decdata));
+	if (fread(buf, len, 1, f) != 1)
+		return 1;
+	fclose(f);
+
+	int width;
+	int height;
+	jpeg_fetch_size(buf, &width, &height);
+	//printf("width: %d, height: %d\n", width, height);
+	char *pic = malloc(depth / 8 * width * height);
+	int ret = jpeg_decode(buf, pic, width, height, depth, decdata);
+	//printf("ret: %x\n", ret);
+	return ret;
+}