Merge pull request #862 from LebedevRI/panasonic-v8-fuzz

Panasonic v8: a few more fuzz fixes

Author: LebedevRI

fuzz/librawspeed/decompressors/PanasonicV8Decompressor.cpp

@@ -86,6 +86,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
     auto stripHeightsInput = bs.getStream(numStripHeights, sizeof(uint16_t));
     auto defineCodes = bs.getStream(numDefineCodesSize);
     const auto initialPrediction = bs.getArray<uint16_t, 4>();
+    const auto imgDim = bs.getArray<int, 2>();
 
     // The rest of the bs are the input strips.
 
@@ -112,10 +113,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
     auto stripHeights = stripHeightsInput.getVector<uint16_t>(numStripHeights);
     stripHeights.reserve(1); // Array1DRef does not like nullptr's.
 
-    const auto imgDim = iRectangle2D({0, 0}, mRaw->dim);
-
     PanasonicV8Decompressor::DecompressorParamsBuilder builder(
-        imgDim, initialPrediction, getAsArray1DRef(strips),
+        {imgDim[0], imgDim[1]}, initialPrediction, getAsArray1DRef(strips),
         getAsArray1DRef(stripLineOffsets), getAsArray1DRef(stripWidths),
         getAsArray1DRef(stripHeights), defineCodes);
 

src/librawspeed/decoders/Rw2Decoder.cpp

@@ -250,10 +250,8 @@ RawImage Rw2Decoder::decodeRawV8(const TiffIFD& raw) const {
   const std::vector<Array1DRef<const uint8_t>> mStrips =
       getInputStrips(mParams, mFile);
 
-  const auto imgDim = iRectangle2D({0, 0}, mRaw->dim);
-
   PanasonicV8Decompressor::DecompressorParamsBuilder b(
-      imgDim, mParams.initialPrediction, getAsArray1DRef(mStrips),
+      mRaw->dim, mParams.initialPrediction, getAsArray1DRef(mStrips),
       getAsArray1DRef(mParams.stripLineOffsets),
       getAsArray1DRef(mParams.stripWidths),
       getAsArray1DRef(mParams.stripHeights),

src/librawspeed/decompressors/PanasonicV8Decompressor.cpp

@@ -167,10 +167,9 @@ evaluateConsecutiveTiles(const iRectangle2D rect, const iRectangle2D nextRect) {
   return Invalid;
 }
 
-void isValidImageGrid(iRectangle2D imgDim,
-                      Array1DRef<const iRectangle2D> rects) {
-  auto outPos = imgDim.pos;
-  invariant(outPos.x == 0 && outPos.y == 0);
+void isValidImageGrid(iPoint2D imgSize, Array1DRef<const iRectangle2D> rects) {
+  auto outPos = iPoint2D(0, 0);
+  const auto imgDim = iRectangle2D(outPos, imgSize);
 
   iRectangle2D rect = rects(0);
   if (rect.pos != outPos)
@@ -296,11 +295,13 @@ PanasonicV8Decompressor::DecompressorParamsBuilder::getDecoderLUT(
 
 std::vector<iRectangle2D>
 PanasonicV8Decompressor::DecompressorParamsBuilder::getOutRects(
-    iRectangle2D imgDim, Array1DRef<const uint32_t> stripLineOffsets,
+    iPoint2D imgSize, Array1DRef<const uint32_t> stripLineOffsets,
     Array1DRef<const uint16_t> stripWidths,
     Array1DRef<const uint16_t> stripHeights) {
-  if (!imgDim.hasPositiveArea())
+  if (!imgSize.hasPositiveArea())
     ThrowRDE("Empty image requested");
+  if (imgSize.x % 2 != 0 || imgSize.y % 2 != 0)
+    ThrowRDE("Image size is not multiple of 2");
   const int totalStrips = stripLineOffsets.size();
   if (stripWidths.size() != totalStrips || stripHeights.size() != totalStrips)
     ThrowRDE("Inputs have mismatched length");
@@ -317,16 +318,22 @@ PanasonicV8Decompressor::DecompressorParamsBuilder::getOutRects(
 
     const auto rect = iRectangle2D(iPoint2D(stripOutputX, stripOutputY),
                                    iPoint2D(stripWidth, stripHeight));
+    const auto imgDim = iRectangle2D({0, 0}, imgSize);
 
     if (!rect.isThisInside(imgDim))
       ThrowRDE("Tile isn't fully within the output image");
     if (!rect.hasPositiveArea())
       ThrowRDE("The tile is empty");
 
+    if (rect.pos.x % 2 != 0 || rect.pos.y % 2 != 0)
+      ThrowRDE("Tile position is not multiple of 2");
+    if (rect.dim.x % 2 != 0 || rect.dim.y % 2 != 0)
+      ThrowRDE("Tile size is not multiple of 2");
+
     mOutRects.emplace_back(rect);
   }
 
-  isValidImageGrid(imgDim, getAsArray1DRef(mOutRects));
+  isValidImageGrid(imgSize, getAsArray1DRef(mOutRects));
   return mOutRects;
 }
 
@@ -340,7 +347,7 @@ PanasonicV8Decompressor::PanasonicV8Decompressor(RawImage outputImg,
       mRawOutput->getBpp() != sizeof(uint16_t)) {
     ThrowRDE("Unexpected component count / data type");
   }
-  if (!mRawOutput->dim.hasPositiveArea())
+  if (mRawOutput->dim != mParams.imgSize)
     ThrowRDE("Unexpected image dimensions");
   const auto maxBpp = maxBitsPerPixelNeeded(mParams.mDecoderLUT);
   if (maxBpp > 32) {
@@ -426,7 +433,6 @@ void PanasonicV8Decompressor::decompressStrip(const Array2DRef<uint16_t> out,
         for (int i = 0; i != 2; ++i) {
           const int32_t diff = decoder.decodeNextDiffValue();
           const int32_t decodedValue = pred(i, j) + diff;
-          invariant(decodedValue > 0);
           pred(i, j) = uint16_t(std::clamp(
               decodedValue, 0, int32_t(std::numeric_limits<uint16_t>::max())));
           outBlock(i, j) = pred(i, j);

src/librawspeed/decompressors/PanasonicV8Decompressor.h

@@ -69,6 +69,7 @@ class PanasonicV8Decompressor final : public AbstractDecompressor {
   struct DecompressorParamsBuilder;
 
   struct DecompressorParams {
+    iPoint2D imgSize;
     const Array1DRef<const Array1DRef<const uint8_t>> mStrips;
     const Array1DRef<const iRectangle2D> mOutRect;
     const Array1DRef<const DecoderLUTEntry> mDecoderLUT;
@@ -79,15 +80,17 @@ class PanasonicV8Decompressor final : public AbstractDecompressor {
   private:
     friend struct DecompressorParamsBuilder;
 
-    DecompressorParams(Array1DRef<const Array1DRef<const uint8_t>> mStrips_,
+    DecompressorParams(iPoint2D imgSize_,
+                       Array1DRef<const Array1DRef<const uint8_t>> mStrips_,
                        Array1DRef<const iRectangle2D> mOutRect_,
                        Array1DRef<const DecoderLUTEntry> mDecoderLUT_,
                        Bayer2x2 initialPrediction_)
-        : mStrips(mStrips_), mOutRect(mOutRect_), mDecoderLUT(mDecoderLUT_),
-          initialPrediction(initialPrediction_) {}
+        : imgSize(imgSize_), mStrips(mStrips_), mOutRect(mOutRect_),
+          mDecoderLUT(mDecoderLUT_), initialPrediction(initialPrediction_) {}
   };
 
   struct DecompressorParamsBuilder {
+    iPoint2D imgSize;
     const std::vector<PanasonicV8Decompressor::DecoderLUTEntry> mDecoderLUT;
     const Array1DRef<const Array1DRef<const uint8_t>> mStrips;
     const Bayer2x2 initialPrediction;
@@ -98,20 +101,20 @@ class PanasonicV8Decompressor final : public AbstractDecompressor {
         ByteStream bs);
 
     std::vector<iRectangle2D> static getOutRects(
-        iRectangle2D imgDim, Array1DRef<const uint32_t> stripLineOffsets,
+        iPoint2D imgSize, Array1DRef<const uint32_t> stripLineOffsets,
         Array1DRef<const uint16_t> stripWidths,
         Array1DRef<const uint16_t> stripHeights);
 
     // NOLINTNEXTLINE(readability-function-size)
     DecompressorParamsBuilder(
-        iRectangle2D imgDim, Bayer2x2 initialPrediction_,
+        iPoint2D imgSize_, Bayer2x2 initialPrediction_,
         Array1DRef<const Array1DRef<const uint8_t>> mStrips_,
         Array1DRef<const uint32_t> stripLineOffsets,
         Array1DRef<const uint16_t> stripWidths,
         Array1DRef<const uint16_t> stripHeights, ByteStream defineCodes)
-        : mDecoderLUT(getDecoderLUT(defineCodes)), mStrips(mStrips_),
-          initialPrediction(initialPrediction_),
-          mOutRects(getOutRects(imgDim, stripLineOffsets, stripWidths,
+        : imgSize(imgSize_), mDecoderLUT(getDecoderLUT(defineCodes)),
+          mStrips(mStrips_), initialPrediction(initialPrediction_),
+          mOutRects(getOutRects(imgSize, stripLineOffsets, stripWidths,
                                 stripHeights)) {
       if (mStrips.size() != implicit_cast<int>(mOutRects.size()))
         ThrowRDE("Got different number of input strips vs output tiles");
@@ -122,8 +125,8 @@ class PanasonicV8Decompressor final : public AbstractDecompressor {
     }
 
     [[nodiscard]] DecompressorParams getDecompressorParams() const {
-      return {mStrips, getAsArray1DRef(mOutRects), getAsArray1DRef(mDecoderLUT),
-              initialPrediction};
+      return {imgSize, mStrips, getAsArray1DRef(mOutRects),
+              getAsArray1DRef(mDecoderLUT), initialPrediction};
     }
   };