1 /*
2  * Copyright 2016 Google Inc.
3  *
4  * Use of this source code is governed by a BSD-style license that can be
5  * found in the LICENSE file.
6  */
7 
8 #ifndef Fuzz_DEFINED
9 #define Fuzz_DEFINED
10 
11 #include "../tools/Registry.h"
12 #include "SkData.h"
13 #include "SkImageFilter.h"
14 #include "SkMalloc.h"
15 #include "SkRegion.h"
16 #include "SkTypes.h"
17 
18 #include <limits>
19 #include <cmath>
20 #include <signal.h>
21 #include <limits>
22 
23 class Fuzz : SkNoncopyable {
24 public:
Fuzz(sk_sp<SkData> bytes)25     explicit Fuzz(sk_sp<SkData> bytes) : fBytes(bytes), fNextByte(0) {}
26 
27     // Returns the total number of "random" bytes available.
size()28     size_t size() { return fBytes->size(); }
29     // Returns if there are no bytes remaining for fuzzing.
exhausted()30     bool exhausted() {
31         return fBytes->size() == fNextByte;
32     }
33 
remaining()34     size_t remaining() {
35         return fBytes->size() - fNextByte;
36     }
37 
deplete()38     void deplete() {
39         fNextByte = fBytes->size();
40     }
41 
42     // next() loads fuzzed bytes into the variable passed in by pointer.
43     // We use this approach instead of T next() because different compilers
44     // evaluate function parameters in different orders. If fuzz->next()
45     // returned 5 and then 7, foo(fuzz->next(), fuzz->next()) would be
46     // foo(5, 7) when compiled on GCC and foo(7, 5) when compiled on Clang.
47     // By requiring params to be passed in, we avoid the temptation to call
48     // next() in a way that does not consume fuzzed bytes in a single
49     // platform-independent order.
50     template <typename T>
next(T * t)51     void next(T* t) { this->nextBytes(t, sizeof(T)); }
52 
53     // This is a convenient way to initialize more than one argument at a time.
54     template <typename Arg, typename... Args>
55     void next(Arg* first, Args... rest);
56 
57     // nextRange returns values only in [min, max].
58     template <typename T, typename Min, typename Max>
59     void nextRange(T*, Min, Max);
60 
61     // nextN loads n * sizeof(T) bytes into ptr
62     template <typename T>
63     void nextN(T* ptr, int n);
64 
signalBug()65     void signalBug(){
66         // Tell the fuzzer that these inputs found a bug.
67         SkDebugf("Signal bug\n");
68         raise(SIGSEGV);
69     }
70 
71     // Specialized versions for when true random doesn't quite make sense
72     void next(bool* b);
73     void next(SkImageFilter::CropRect* cropRect);
74     void next(SkRegion* region);
75 
76     void nextRange(float* f, float min, float max);
77 
78 private:
79     template <typename T>
80     T nextT();
81 
82     sk_sp<SkData> fBytes;
83     size_t fNextByte;
84     friend void fuzz__MakeEncoderCorpus(Fuzz*);
85 
86     void nextBytes(void* ptr, size_t size);
87 };
88 
89 template <typename Arg, typename... Args>
next(Arg * first,Args...rest)90 inline void Fuzz::next(Arg* first, Args... rest) {
91    this->next(first);
92    this->next(rest...);
93 }
94 
95 template <typename T, typename Min, typename Max>
nextRange(T * value,Min min,Max max)96 inline void Fuzz::nextRange(T* value, Min min, Max max) {
97     this->next(value);
98     if (*value < (T)min) { *value = (T)min; }
99     if (*value > (T)max) { *value = (T)max; }
100 }
101 
102 template <typename T>
nextN(T * ptr,int n)103 inline void Fuzz::nextN(T* ptr, int n) {
104    for (int i = 0; i < n; i++) {
105        this->next(ptr+i);
106    }
107 }
108 
109 struct Fuzzable {
110     const char* name;
111     void (*fn)(Fuzz*);
112 };
113 
114 // Not static so that we can link these into oss-fuzz harnesses if we like.
115 #define DEF_FUZZ(name, f)                                               \
116     void fuzz_##name(Fuzz*);                                            \
117     sk_tools::Registry<Fuzzable> register_##name({#name, fuzz_##name}); \
118     void fuzz_##name(Fuzz* f)
119 
120 #endif//Fuzz_DEFINED
121