Write a libpng fuzz target that uses png_set_progressive_read_fn instead of png_read_row
Issue description

We have a fuzzer for libpng that uses png_read_info and png_read_row [1]. But these are not the APIs used by Chromium's [2]/Blink's [3] decoders. They use png_set_progressive_read_fn and png_process_data. We should fuzz files using those APIs to get a better idea of how Chromium might be vulnerable.

[1] https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/libpng_read_fuzzer.cc?type=cs
[2] https://cs.chromium.org/chromium/src/ui/gfx/codec/png_codec.cc?type=cs&q=png_codec&l=1
[3] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/image-decoders/png/PNGImageDecoder.h?type=cs&q=PNGImageDecoder&l=36
Mar 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/11a3425fff09d249101f8fb0dcd9c00ddb80283b

commit 11a3425fff09d249101f8fb0dcd9c00ddb80283b
Author: scroggo <scroggo@chromium.org>
Date: Mon Mar 06 19:43:15 2017

Add a fuzzer for png_process_data

The existing png fuzzer uses png_read_rows, which is not used by any Chromium clients. Use libpng's other API for progressive reading, which is used both by PNGImageDecoder and PNGCodec.

Reuses much of the code from the existing fuzzer, with a build flag to choose between them.

No need to supply any callbacks to libpng. This is merely to catch errors within libpng itself.

BUG= 697101
Review-Url: https://codereview.chromium.org/2728103003
Cr-Commit-Position: refs/heads/master@{#454921}

[modify] https://crrev.com/11a3425fff09d249101f8fb0dcd9c00ddb80283b/testing/libfuzzer/fuzzers/BUILD.gn
[modify] https://crrev.com/11a3425fff09d249101f8fb0dcd9c00ddb80283b/testing/libfuzzer/fuzzers/libpng_read_fuzzer.cc
Mar 6 2017
Comment 1 by scroggo@chromium.org, Feb 28 2017