OSSFuzz Integration (#190)

capuanob · web-flow · commit da1e0dd43661 · 2025-02-23T19:42:33.000-08:00
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -0,0 +1,39 @@
+name: CIFuzz
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+permissions: { }
+jobs:
+  Fuzzing:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Build Fuzzers
+        id: build
+        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+        with:
+          oss-fuzz-project-name: 'jpegoptim'
+          language: c
+      - name: Run Fuzzers
+        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+        with:
+          oss-fuzz-project-name: 'jpegoptim'
+          language: c
+          fuzz-seconds: 800
+          output-sarif: true
+      - name: Upload Crash
+        uses: actions/upload-artifact@v4
+        if: failure() && steps.build.outcome == 'success'
+        with:
+          name: artifacts
+          path: ./out/artifacts
+      - name: Upload Sarif
+        if: always() && steps.build.outcome == 'success'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: cifuzz-sarif/results.sarif
+          checkout_path: cifuzz-sarif
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -5,6 +5,8 @@ project(jpegoptim C)
 # LIBJPEG_INCLUDE_DIR and LIBJPEG_LIBRARY must both be specified if a custom libjpeg implementation is desired.
 option(WITH_ARITH "Enable arithmetic coding (if supported by the libjpeg implementation)" 1)
 option(USE_MOZJPEG "Download, build, and link with MozJPEG rather than the system libjpeg. Build with NASM installed for SIMD support." 1)
+option(BUILD_FUZZERS "Build harnesses with instrumentation" 0)
+
 set(LIBJPEG_INCLUDE_DIR "" CACHE PATH "Custom libjpeg header directory")
 set(LIBJPEG_LIBRARY "" CACHE FILEPATH "Custom libjpeg library binary")
 if(MSVC)
@@ -83,7 +85,6 @@ set_property(GLOBAL PROPERTY USE_FOLDERS ON)
 
 
 # Source groups
-
 set(SOURCE_FILES
     jpegoptim.c
     jpegsrc.c
@@ -93,10 +94,20 @@ set(SOURCE_FILES
     )
 source_group("Source Files" FILES ${SOURCE_FILES})
 
-
 # Target
-
-add_executable(${PROJECT_NAME} ${SOURCE_FILES})
+if(BUILD_FUZZERS)
+    add_compile_definitions(BUILD_FOR_OSS_FUZZ=1)
+    add_compile_options(-Wno-implicit-function-declaration)
+    add_library(${PROJECT_NAME} ${SOURCE_FILES})
+    target_include_directories(${PROJECT_NAME} PUBLIC ${CMAKE_CURRENT_SOURCE_DIR})
+
+    # Temporarily remove fuzzing flags that would break compiler checks
+    set(ORIG_C_FLAGS "${CMAKE_C_FLAGS}")
+    string(REGEX REPLACE "-fsanitize=[^ ]+" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
+    string(REGEX REPLACE "-fsanitize=[^ ]+" "" $ENV{CFLAGS} "${CMAKE_C_FLAGS}")
+else()
+    add_executable(${PROJECT_NAME} ${SOURCE_FILES})
+endif()
 
 if(MSVC)
     use_props(${PROJECT_NAME} "${CMAKE_CONFIGURATION_TYPES}" "${DEFAULT_CXX_PROPS}")
@@ -308,6 +319,7 @@ endif()
 # Dependencies
 
 if(USE_MOZJPEG)
+
     # Link with mozjpeg.
     # Version tree: https://github.com/mozilla/mozjpeg/tree/fd569212597dcc249752bd38ea58a4e2072da24f
 
@@ -318,11 +330,17 @@ if(USE_MOZJPEG)
         set(JPEGLIB_SUPPORTS_ARITH_CODE 1)
     endif()
 
+    if (BUILD_FUZZERS)
+        set(MOZJPEG_EXTENDED_CMAKE_FLAGS -DCMAKE_C_FLAGS="")
+    else()
+        set(MOZJPEG_EXTENDED_CMAKE_FLAGS "")
+    endif()
+
     ExternalProject_Add(mozjpeg_lib
          GIT_REPOSITORY https://github.com/mozilla/mozjpeg.git
          GIT_TAG fd569212597dcc249752bd38ea58a4e2072da24f
          PREFIX ${CMAKE_CURRENT_BINARY_DIR}/mozjpeg
-         CMAKE_ARGS -DCMAKE_INSTALL_PREFIX:PATH=${CMAKE_CURRENT_BINARY_DIR}/mozjpeg -DPNG_SUPPORTED=0 -DWITH_TURBOJPEG=0 -DENABLE_SHARED=0 ${ARITH_FLAGS}
+         CMAKE_ARGS -DCMAKE_INSTALL_PREFIX:PATH=${CMAKE_CURRENT_BINARY_DIR}/mozjpeg -DPNG_SUPPORTED=0 -DWITH_TURBOJPEG=0 -DENABLE_SHARED=0 ${ARITH_FLAGS} ${MOZJPEG_EXTENDED_CMAKE_FLAGS}
     )
 
 
@@ -476,6 +494,11 @@ if (Python3_FOUND)
 endif()
 
 
+if (BUILD_FUZZERS AND DEFINED ENV{LIB_FUZZING_ENGINE})
+     set(CMAKE_C_FLAGS "${ORIG_C_FLAGS}")
+     add_subdirectory(fuzz)
+endif()
+
 install(TARGETS ${PROJECT_NAME})
 install(FILES jpegoptim.1 TYPE MAN)
 install(FILES README COPYRIGHT LICENSE TYPE DOC)
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
@@ -0,0 +1,27 @@
+# Fuzz process is dependent upon a few environment variables provided by OSSFuzz during the build process
+# For more information, see google.github.io/oss-fuzz/getting-started/new-project-guide/#buildsh-script-environment
+
+add_definitions(-DNDEBUG)  # Do not want assertions for fuzz-testing
+
+if (DEFINED JPEG_ENGINE)
+    set(FUZZER_NAME "${JPEG_ENGINE}_compression_fuzzer")
+else()
+    set(FUZZER_NAME "unknown_compression_fuzzer")
+endif()
+
+add_executable(${FUZZER_NAME} fuzz_compression.c fuzz_manager.c)
+
+# Configure compilation options
+target_compile_options(${FUZZER_NAME} PRIVATE "$ENV{CMAKE_C_FLAGS}")
+set(CMAKE_C_COMPILER "$ENV{CC}" CACHE STRING "C compiler" FORCE)
+
+# Configure linking options
+target_link_options(${FUZZER_NAME} PRIVATE "$ENV{LIB_FUZZING_ENGINE}")
+target_link_libraries(${FUZZER_NAME} PRIVATE ${PROJECT_NAME})
+
+# Install the built fuzzer(s) to output directory
+if (DEFINED ENV{OUT})
+    install(TARGETS ${FUZZER_NAME} DESTINATION $ENV{OUT})
+else()
+    message(FATAL_ERROR "Cannot install if $OUT is not defined!")
+endif()
diff --git a/fuzz/build.sh b/fuzz/build.sh
@@ -0,0 +1,45 @@
+cd $SRC/jpegoptim
+
+mkdir -p build
+
+export ASAN_OPTIONS=detect_leaks=0
+
+# Build for libjpeg
+cmake -S . -B build-libjpeg \
+    -DJPEG_ENGINE=libjpeg \
+    -DBUILD_FUZZERS=On \
+    -DCMAKE_C_COMPILER_WORKS=1 \
+    -DUSE_MOZJPEG=0 \
+    -DBUILD_SHARED_LIBS=OFF \
+    -DLIBJPEG_INCLUDE_DIR=/usr/include \
+    -DLIBJPEG_LIBRARY=/usr/lib/x86_64-linux-gnu/libjpeg.a \
+  && cmake --build build-libjpeg --target install
+
+# Build for libjpeg-turbo
+cmake -S . -B build-libjpegturbo \
+    -DJPEG_ENGINE=libjpegturbo \
+    -DBUILD_FUZZERS=ON \
+    -DCMAKE_C_COMPILER_WORKS=1 \
+    -DUSE_MOZJPEG=0 \
+    -DBUILD_SHARED_LIBS=OFF \
+    -DLIBJPEG_INCLUDE_DIR=/opt/libjpeg-turbo/include \
+    -DLIBJPEG_LIBRARY=/opt/libjpeg-turbo/lib64/libjpeg.a \
+  && cmake --build build-libjpegturbo --target install
+
+# Build for mozjpeg
+cmake -S . -B build-mozjpeg \
+    -DJPEG_ENGINE=mozjpeg \
+    -DBUILD_FUZZERS=On \
+    -DCMAKE_C_COMPILER_WORKS=1 \
+    -DUSE_MOZJPEG=1 \
+    -DBUILD_SHARED_LIBS=OFF \
+  && cmake --build build-mozjpeg --target install
+
+# Prepare corpora
+mkdir -p fuzz/corpus
+find . -name "*.jpg" -exec cp {} fuzz/corpus \;
+
+# Save corpora per build
+zip -q $OUT/libjpeg_compression_fuzzer_seed_corpus.zip fuzz/corpus/*
+cp $OUT/libjpeg_compression_fuzzer_seed_corpus.zip $OUT/libjpegturbo_compression_fuzzer_seed_corpus.zip
+cp $OUT/libjpeg_compression_fuzzer_seed_corpus.zip $OUT/mozjpeg_compression_fuzzer_seed_corpus.zip
diff --git a/fuzz/fuzz_compression.c b/fuzz/fuzz_compression.c
@@ -0,0 +1,43 @@
+#include <stdint.h>
+#include "fuzz_manager.h"
+#include "jpegoptim.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, const size_t size)
+{
+  int rc = -1;
+  struct stat file_stat;
+
+  fuzz_manager_init();
+
+  if (0 != lstat(fuzz_manager.fuzz_file_name, &file_stat)) {
+    // Getting file stat failed
+    goto end;
+  }
+
+  // Write data to fuzz file
+  FILE *fuzz_file = fopen(fuzz_manager.fuzz_file_name, "wb+");
+
+  if (!fuzz_file) {
+    goto end;
+  }
+
+  if (size != fwrite(data, sizeof(uint8_t), size, fuzz_file)) {
+    goto end;
+  }
+  fclose(fuzz_file);
+
+  optimize(
+    fuzz_manager.log_fh,
+    fuzz_manager.fuzz_file_name,
+    fuzz_manager.new_fuzz_file_name,
+    fuzz_manager.tmp_dir,
+    &file_stat,
+    &fuzz_manager.rate,
+    &fuzz_manager.saved
+  );
+
+  rc = 0;
+
+  end:
+  return rc;
+}
diff --git a/fuzz/fuzz_manager.c b/fuzz/fuzz_manager.c
@@ -0,0 +1,47 @@
+#include <libgen.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "fuzz_manager.h"
+#include "jpegoptim.h"
+
+fuzz_manager_t fuzz_manager = {0};
+
+void generate_temp_file_name(char *buf, size_t size)
+{
+  int fd;
+  strncpy(buf, "/dev/shm/fuzz_file_XXXXXX", size);
+  if (-1 == (fd = mkstemp(buf)))
+  {
+    perror("mkstemp");
+    exit(EXIT_FAILURE);
+  }
+  close(fd);
+}
+
+void fuzz_manager_init()
+{
+  if (fuzz_manager.is_init)
+  {
+    return;
+  }
+
+  fuzz_set_target_size(-75);
+
+  fuzz_manager.is_init = true;
+  fuzz_manager.log_fh = fopen("/dev/null", "a"); // Do not log
+
+  generate_temp_file_name(fuzz_manager.fuzz_file_name, PATH_MAX);
+  generate_temp_file_name(fuzz_manager.new_fuzz_file_name, PATH_MAX);
+
+  strncpy(fuzz_manager.tmp_dir, fuzz_manager.fuzz_file_name, PATH_MAX);
+  dirname(fuzz_manager.tmp_dir);
+  // Ensure the temp path ends with a /
+  size_t tmp_len = strnlen(fuzz_manager.tmp_dir, PATH_MAX);
+
+  if (tmp_len < PATH_MAX - 1 && fuzz_manager.tmp_dir[tmp_len - 1] != '/')
+  {
+    fuzz_manager.tmp_dir[tmp_len] = '/';
+    fuzz_manager.tmp_dir[tmp_len + 1] = '\0';
+  }
+}
diff --git a/fuzz/fuzz_manager.h b/fuzz/fuzz_manager.h
@@ -0,0 +1,27 @@
+#ifndef FUZZ_MANAGER_H
+#define FUZZ_MANAGER_H
+#include <linux/limits.h>
+#include <stdbool.h>
+#include <stdio.h>
+
+/**
+ * Manages necessary state across fuzz iterations, should exist as singleton
+ */
+typedef struct fuzz_manager
+{
+  bool is_init;
+  double rate, saved;
+  FILE *log_fh;
+  char fuzz_file_name[PATH_MAX + 1];
+  char new_fuzz_file_name[PATH_MAX + 1];
+  char tmp_dir[PATH_MAX + 1];
+} fuzz_manager_t;
+
+extern fuzz_manager_t fuzz_manager;
+
+/**
+ * Initializes the fuzz manager singleton, if it has not already been
+ */
+void fuzz_manager_init();
+
+#endif //FUZZ_MANAGER_H
diff --git a/fuzz/libjpeg_builders/install_libjpeg.sh b/fuzz/libjpeg_builders/install_libjpeg.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+DEBIAN_FRONTEND=noninteractive apt install -y libjpeg-dev
diff --git a/fuzz/libjpeg_builders/install_libjpegturbo.sh b/fuzz/libjpeg_builders/install_libjpegturbo.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# This script builds libjpeg-turbo from source, as a static library
+cd $SRC
+git clone https://github.com/libjpeg-turbo/libjpeg-turbo.git
+cd libjpeg-turbo
+mkdir -p build
+cmake -G"Unix Makefiles" -S . -B build -DBUILD_SHARED_LIBS=OFF -DWITH_JPEG8=1 -DCMAKE_INSTALL_PREFIX=/opt/libjpeg-turbo
+cmake --build build --target install
diff --git a/jpegoptim.c b/jpegoptim.c
@@ -1341,6 +1341,7 @@ int wait_for_worker(FILE *log_fh)
 #endif
 
 
+#ifndef BUILD_FOR_OSS_FUZZ // Libfuzzer provides its own fuzzer
 /****************************************************************************/
 int main(int argc, char **argv)
 {
@@ -1551,5 +1552,10 @@ int main(int argc, char **argv)
 
 	return (decompress_err_count > 0 || compress_err_count > 0 ? 1 : 0);;
 }
-
+#else
+void fuzz_set_target_size(const int new_target_size)
+{
+	target_size = new_target_size;
+}
+#endif /* BUILD_FOR_OSS_FUZZ */
 /* eof :-) */
diff --git a/jpegoptim.h b/jpegoptim.h
@@ -92,7 +92,18 @@ void jpeg_custom_src(j_decompress_ptr dinfo, FILE *infile,
 		unsigned char **bufptr,	size_t *bufsizeptr, size_t *bufusedptr, size_t incsize);
 void jpeg_custom_mem_src(j_decompress_ptr dinfo, unsigned char *buf, size_t bufsize);
 
-
+#ifdef BUILD_FOR_OSS_FUZZ
+// Forward declare the main function to allow access from the harness
+int optimize(FILE *log_fh, const char *filename, const char *newname,
+	const char *tmpdir, struct stat *file_stat,
+	double *rate, double *saved);
+
+/**
+ * Fuzzing utility function to set the target size global value
+ * @param new_target_size: The value to override the target size with
+ */
+void fuzz_set_target_size(int new_target_size);
+#endif /* BUILD_FOR_OSS_FUZZ */
 
 #ifdef	__cplusplus
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+#!/bin/bash`
	`2`	`+`
	`3`	`+DEBIAN_FRONTEND=noninteractive apt install -y libjpeg-dev`