
Add buffer with args fuzzer #4103


Merged
merged 6 commits into from
Aug 25, 2024

Conversation

dloebl
Contributor

@dloebl dloebl commented Aug 21, 2024

For reference: #4095
Allows the fuzzer to vary option_string and suffix.
option_string and suffix are appended at the beginning. For example:

[n=-1]
.jpg[Q=85]
<image-data>

I started to add new inputs to the seed corpus, but some loaders/savers are still missing.
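The input layout described above, as an added example that is not the PR's own fuzzer code: it splits a fuzzer buffer into the option string, the suffix and the image data, rejecting inputs that lack either header line. The layout (two newline-terminated header lines before the image bytes) and the field size limits are assumptions; the sample input is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Assumed layout, per the PR text: line 1 = option string ("[n=-1]"),
 * line 2 = suffix (".jpg[Q=85]"), the rest = image data for the loader. */
typedef struct {
    char option_string[64];
    char suffix[64];
    const unsigned char *image;
    size_t image_len;
} fuzz_input;

/* Copy one '\n'-terminated line into out. Returns 0 (reject the input) when
 * no newline is left or the line would not fit in the fixed-size field. */
static int copy_line(const unsigned char *data, size_t size, size_t *pos,
                     char *out, size_t cap)
{
    const unsigned char *nl = memchr(data + *pos, '\n', size - *pos);
    if (nl == NULL) return 0;
    size_t len = (size_t) (nl - (data + *pos));
    if (len >= cap) return 0;
    memcpy(out, data + *pos, len);
    out[len] = '\0';
    *pos += len + 1;
    return 1;
}

/* Split a fuzzer buffer into its three parts. Both header lines must be
 * present; the image part may be empty (the loader will then reject it). */
int parse_fuzz_input(const unsigned char *data, size_t size, fuzz_input *in)
{
    size_t pos = 0;
    if (!copy_line(data, size, &pos, in->option_string, sizeof in->option_string)) return 0;
    if (!copy_line(data, size, &pos, in->suffix, sizeof in->suffix)) return 0;
    in->image = data + pos;
    in->image_len = size - pos;
    return 1;
}

/* Constructed sample: the PR's example header plus three bytes of fake data. */
static const unsigned char SAMPLE[] = "[n=-1]\n.jpg[Q=85]\n\xff\xd8\xff";
/* Returns 1 if SAMPLE splits into the fields the PR example shows. */
int sample_fields_ok(void)
{
    fuzz_input in;
    return parse_fuzz_input(SAMPLE, sizeof SAMPLE - 1, &in)
        && strcmp(in.option_string, "[n=-1]") == 0
        && strcmp(in.suffix, ".jpg[Q=85]") == 0
        && in.image_len == 3 && in.image[0] == 0xff;
}
```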

@kleisauke
Member

Great idea! I made an attempt to simplify this with commit kleisauke@0c80427.

@dloebl
Contributor Author

dloebl commented Aug 23, 2024

Thanks Kleis! I've added your commit to this PR.

@dloebl
Contributor Author

dloebl commented Aug 23, 2024

The new fuzzer is still crashing within a couple of seconds when fuzzing locally (with ASAN):

$ python3 infra/helper.py run_fuzzer libvips generic_buffer_with_args
[..]
==14==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1296 byte(s) in 1 object(s) allocated from:
    #0 0x56296b629ad8 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
    #1 0x56296c1fa633 in WebPAnimEncoderNewInternal /src/libwebp/src/mux/anim_encode.c:250:27
    #2 0x56296b79958a in WebPAnimEncoderNew /work/include/webp/mux.h:481:10
    #3 0x56296b79958a in vips_foreign_save_webp_init_anim_enc /src/libvips/build/../libvips/foreign/webpsave.c:658:14
    #4 0x56296b798c63 in vips_foreign_save_webp_build /src/libvips/build/../libvips/foreign/webpsave.c:780:7
    #5 0x56296b79c5c1 in vips_foreign_save_webp_target_build /src/libvips/build/../libvips/foreign/webpsave.c:979:6

Looks like there is a leak in webpsave. I'll prepare a PR.

@kleisauke
Member

FWIW, here are instructions for testing this locally using OSS-Fuzz's Docker images:


Apply this patch:

--- a/projects/libvips/Dockerfile
+++ b/projects/libvips/Dockerfile
@@ -34,7 +34,7 @@ RUN mkdir afl-testcases
 RUN curl https://lcamtuf.coredump.cx/afl/demo/afl_testcases.tgz | tar xzC afl-testcases
 RUN mkdir pdfium-latest
 RUN curl -L https://github.com/bblanchon/pdfium-binaries/releases/latest/download/pdfium-linux-x64.tgz | tar xzC pdfium-latest
-RUN git clone --depth 1 https://github.com/libvips/libvips.git
+RUN git clone -b add-generic-args-fuzzer --depth 1 https://github.com/dloebl/libvips.git
 RUN git clone --depth 1 https://github.com/madler/zlib.git
 RUN git clone --depth 1 https://github.com/libexif/libexif.git
 RUN git clone --depth 1 https://github.com/mm2/Little-CMS.git lcms
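Review bot: the `+` line swaps the upstream `https://github.com/libvips/libvips.git` clone for a fork branch (`-b add-generic-args-fuzzer` from `dloebl/libvips.git`), which is right for the local test this comment describes but must not be committed to oss-fuzz's projects/libvips/Dockerfile, since the production build would then fetch code from a third-party fork; once this PR is merged into libvips:master the original `-` line is the one to keep.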

Run the fuzzer for a maximum of 30 minutes:

$ python infra/helper.py build_fuzzers libvips > build_log.txt
$ mkdir -p tmp
$ python infra/helper.py run_fuzzer --corpus-dir=$PWD/tmp/ libvips generic_buffer_with_args_fuzzer -- -max_total_time=1800

@dloebl dloebl marked this pull request as ready for review August 23, 2024 20:28
@dloebl
Contributor Author

dloebl commented Aug 23, 2024

Ready for review as soon as #4105 and #4107 have been merged into master.

@dloebl
Contributor Author

dloebl commented Aug 24, 2024

Oh... another leak:

==13==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1552 byte(s) in 2 object(s) allocated from:
    #0 0x55d12b7bb8ee in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55d12c876154 in aom_memalign /src/aom/aom_mem/aom_mem.c:59:22
    #2 0x55d12c8743f9 in img_alloc_helper /src/aom/aom/src/aom_image.c:155:34
    #3 0x55d12c873b46 in aom_img_alloc /src/aom/aom/src/aom_image.c:198:10
    #4 0x55d12c7fe4f2 in aom_encode_image(void*, heif_image const*, heif_image_input_class) /src/libheif/libheif/plugins/encoder_aom.cc:802:8
    #5 0x55d12c7bf889 in ImageItem_AVIF::encode(std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class) /src/libheif/libheif/codecs/avif.cc:580:27
    #6 0x55d12c5cc9b3 in ImageItem::encode_to_bitstream_and_boxes(std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class) /src/libheif/libheif/codecs/image_item.cc:187:52
    #7 0x55d12c5d2bc8 in ImageItem::encode_to_item(HeifContext*, std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class) /src/libheif/libheif/codecs/image_item.cc:333:41
    #8 0x55d12c72ca38 in HeifContext::encode_image(std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class, std::__1::shared_ptr<ImageItem>&) /src/libheif/libheif/context.cc:1081:27
    #9 0x55d12c5a93d4 in heif_context_encode_image /src/libheif/libheif/api/libheif/heif.cc:3148:25
    #10 0x55d12b938464 in vips_foreign_save_heif_write_page /src/libvips/build/../libvips/foreign/heifsave.c:318:11
    #11 0x55d12b938464 in vips_foreign_save_heif_write_block /src/libvips/build/../libvips/foreign/heifsave.c:470:8
    #12 0x55d12b815999 in wbuffer_write /src/libvips/build/../libvips/iofuncs/sinkdisc.c:174:25
    #13 0x55d12b815999 in wbuffer_write_thread /src/libvips/build/../libvips/iofuncs/sinkdisc.c:199:3
    #14 0x55d12bbe56e3 in vips_threadset_work /src/libvips/build/../libvips/iofuncs/threadset.c:134:3
    #15 0x55d12b7fb1d0 in vips_thread_run /src/libvips/build/../libvips/iofuncs/thread.c:148:11
    #16 0x55d12bc136f0 in g_thread_proxy (/out/generic_buffer_with_args_fuzzer+0xbe26f0)

DEDUP_TOKEN: __interceptor_malloc--aom_memalign--img_alloc_helper
SUMMARY: AddressSanitizer: 1552 byte(s) leaked in 2 allocation(s).

INFO: a leak has been found in the initial corpus.

I'm not sure yet if it's in vips, libheif or aom. I'll create an issue.

@dloebl
Contributor Author

dloebl commented Aug 25, 2024

The checks should pass again as soon as all the recent fixes have been merged back into master and I rebased this PR. I guess merging 8.15 into master is planned after the next release?

@kleisauke
Member

We regularly merge the 8.x branches back into the master branch whenever fixes are made in those branches, see e.g. commit cdea0dd.

FWIW, the issue mentioned in #4110 (comment) also occurs frequently on this fuzzer.

@kleisauke
Member

... I just ran this fuzzer locally with -max_total_time=28800 and PR #4119 cherry-picked. Let's see if it still finds anything interesting. :)

@dloebl
Contributor Author

dloebl commented Aug 25, 2024

Sounds good! I'm still amazed at how many bugs were found already: 6, if I haven't lost count. I'm curious to see what OSS-Fuzz will find once it has been running for a few days.

@jcupitt
Member

jcupitt commented Aug 25, 2024

Yes, let's brace ourselves for the oss-fuzz flood. Thank you for doing all this work @dloebl!

@jcupitt jcupitt merged commit 48ff6c6 into libvips:master Aug 25, 2024
6 checks passed
@dloebl dloebl deleted the add-generic-args-fuzzer branch August 25, 2024 15:54