AImageDecoder: Add a fuzz target

    first_version: "9",

    unversioned_until: "current",

}

cc_fuzz {

    name: "imagedecoder_fuzzer",

    srcs: ["fuzz_imagedecoder.cpp"],

    header_libs: ["jni_headers"],

    shared_libs: [

        "libbinder",

        "libjnigraphics",

        "libutils",

    ],

    static_libs: ["libarect"],

    fuzz_config: {

        cc: ["scroggo@google.com"],

    },

}

/*

 * Copyright 2020 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include <android/imagedecoder.h>

#include <binder/IPCThreadState.h>

#include <stddef.h>

#include <stdint.h>

#include <cstdlib>

#include <memory>

struct DecoderDeleter {

    void operator()(AImageDecoder* decoder) const { AImageDecoder_delete(decoder); }

};

using DecoderPointer = std::unique_ptr<AImageDecoder, DecoderDeleter>;

static DecoderPointer makeDecoder(const uint8_t* data, size_t size) {

    AImageDecoder* decoder = nullptr;

    int result = AImageDecoder_createFromBuffer(data, size, &decoder);

    if (result != ANDROID_IMAGE_DECODER_SUCCESS) {

        // This was not a valid image.

        return nullptr;

    }

    return DecoderPointer(decoder);

}

struct PixelFreer {

    void operator()(void* pixels) const { std::free(pixels); }

};

using PixelPointer = std::unique_ptr<void, PixelFreer>;

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    // Without this call, decoding HEIF may time out on binder IPC calls.

    android::ProcessState::self()->startThreadPool();

    DecoderPointer decoder = makeDecoder(data, size);

    if (!decoder) {

        return 0;

    }

    const AImageDecoderHeaderInfo* info = AImageDecoder_getHeaderInfo(decoder.get());

    int32_t width = AImageDecoderHeaderInfo_getWidth(info);

    int32_t height = AImageDecoderHeaderInfo_getHeight(info);

    // Set an arbitrary limit on the size of an image. The fuzzer runs with a

    // limited amount of memory, and keeping this allocation small allows the

    // fuzzer to continue running to try to find more serious problems. This

    // size is large enough to hold a photo taken by a current gen phone.

    constexpr int32_t kMaxDimension = 5000;

    if (width > kMaxDimension || height > kMaxDimension) {

        return 0;

    }

    size_t stride = AImageDecoder_getMinimumStride(decoder.get());

    size_t pixelSize = height * stride;

    auto pixels = PixelPointer(std::malloc(pixelSize));

    if (!pixels.get()) {

        return 0;

    }

    AImageDecoder_decodeImage(decoder.get(), pixels.get(), stride, pixelSize);

    return 0;

}