media: Add a fuzzertest for the the WebP Parser.

This CL adds a fuzzertest to uncover vulnerabilities in media/parsers/webp_parser. It uses media/test/data as a seed corpus and media/test/webp.dict as a dictionary. webp.dict is a copy of https://github.com/mirrorer/afl/blob/master/dictionaries/webp.dict Bug: 963697 Test: compiles and passes gn checks Change-Id: I9f5a044fbdaabcb90667ab4c23a782b72b9e5c2b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1632923Reviewed-by: Dan Sanders <sandersd@chromium.org> Reviewed-by: Miguel Casas <mcasas@chromium.org> Reviewed-by: Andres Calderon Jaramillo <andrescj@chromium.org> Commit-Queue: Gil Dekel <gildekel@chromium.org> Cr-Commit-Position: refs/heads/master@{#664416}

media: Add a fuzzertest for the the WebP Parser.
This CL adds a fuzzertest to uncover vulnerabilities in media/parsers/webp_parser. It uses media/test/data as a seed corpus and media/test/webp.dict as a dictionary. webp.dict is a copy of https://github.com/mirrorer/afl/blob/master/dictionaries/webp.dict Bug: 963697 Test: compiles and passes gn checks Change-Id: I9f5a044fbdaabcb90667ab4c23a782b72b9e5c2b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1632923Reviewed-by: Dan Sanders <sandersd@chromium.org> Reviewed-by: Miguel Casas <mcasas@chromium.org> Reviewed-by: Andres Calderon Jaramillo <andrescj@chromium.org> Commit-Queue: Gil Dekel <gildekel@chromium.org> Cr-Commit-Position: refs/heads/master@{#664416}
6393b622 · Gil Dekel · Commit Bot · 135c9731 · 6393b622 · 6393b622
Commit 6393b622 authored May 29, 2019 by Gil Dekel Committed by Commit Bot May 29, 2019
Showing with 58 additions and 0 deletions

media/parsers/BUILD.gn media/parsers/BUILD.gn +12 -0

media/parsers/webp_parser_fuzzertest.cc media/parsers/webp_parser_fuzzertest.cc +24 -0

media/test/webp.dict media/test/webp.dict +22 -0

No files found.
--- a/media/parsers/BUILD.gn
+++ b/media/parsers/BUILD.gn
@@ -68,3 +68,15 @@ fuzzer_test("media_vp8_parser_fuzzer") {
  libfuzzer_options = [ "max_len = 400000" ]
  dict = "//media/test/vp8.dict"
 }
+
+fuzzer_test("media_webp_parser_fuzzer") {
+  sources = [
+    "webp_parser_fuzzertest.cc",
+  ]
+  deps = [
+    ":parsers",
+    "//base",
+  ]
+  seed_corpus = "//media/test/data"
+  dict = "//media/test/webp.dict"
+}
--- a/media/parsers/webp_parser_fuzzertest.cc
+++ b/media/parsers/webp_parser_fuzzertest.cc
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "base/containers/span.h"
+#include "base/logging.h"
+#include "media/parsers/vp8_parser.h"
+#include "media/parsers/webp_parser.h"
+
+struct Environment {
+  Environment() { logging::SetMinLogLevel(logging::LOG_FATAL); }
+};
+
+Environment* env = new Environment();
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  base::span<const uint8_t> encoded_data(data, size);
+  media::ParseWebPImage(encoded_data);
+  return 0;
+}
--- a/media/test/webp.dict
+++ b/media/test/webp.dict
+# This file is copied as is from:
+# https://github.com/mirrorer/afl/blob/master/dictionaries/webp.dict
+#
+# AFL dictionary for WebP images
+# ------------------------------
+#
+# Created by Michal Zalewski <lcamtuf@google.com>
+#
+
+header_RIFF="RIFF"
+header_WEBP="WEBP"
+
+section_ALPH="ALPH"
+section_ANIM="ANIM"
+section_ANMF="ANMF"
+section_EXIF="EXIF"
+section_FRGM="FRGM"
+section_ICCP="ICCP"
+section_VP8="VP8 "
+section_VP8L="VP8L"
+section_VP8X="VP8X"
+section_XMP="XMP "