[cmake] add fuzzer tests

tests imported from https://github.com/ergnoorr/fuzzrdp

reported by Evgeny Legerov of Kaspersky Lab.
This commit is contained in:
akallabeth 2024-04-16 11:18:51 +02:00 committed by akallabeth
parent 0a0df77c39
commit f3b2aea781
5 changed files with 509 additions and 24 deletions

15
cmake/AddFuzzerTest.cmake Normal file
View File

@ -0,0 +1,15 @@
macro(add_fuzzer_test FILES LINK_LIBS)
if (BUILD_FUZZERS)
string(REPLACE " " ";" LOCAL_LINK_LIBS ${LINK_LIBS})
list(APPEND LOCAL_LINK_LIBS fuzzer_config)
foreach(test ${FILES})
get_filename_component(TestName ${test} NAME_WE)
add_executable(${TestName} ${test})
# Use PUBLIC to force 'fuzzer_config' for all dependent targets.
target_link_libraries(${TestName} PUBLIC ${LOCAL_LINK_LIBS})
add_test(${TestName} ${TESTING_OUTPUT_DIRECTORY}/${MODULE_NAME} ${TestName})
set_target_properties(${TestName} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}")
add_dependencies(fuzzers ${TestName})
endforeach()
endif (BUILD_FUZZERS)
endmacro()

View File

@ -35,3 +35,9 @@ endforeach()
set_property(TARGET ${MODULE_NAME} PROPERTY FOLDER "FreeRDP/Test") set_property(TARGET ${MODULE_NAME} PROPERTY FOLDER "FreeRDP/Test")
set(FUZZERS
TestFuzzCodecs.c
)
include (AddFuzzerTest)
add_fuzzer_test("${FUZZERS}" "freerdp winpr")

View File

@ -0,0 +1,480 @@
/* https://github.com/ergnoorr/fuzzrdp
*
* MIT License
*
* Copyright (c) 2024 ergnoorr
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <freerdp/assistance.h>
#include <winpr/crt.h>
#include <winpr/print.h>
#include <winpr/platform.h>
#include <freerdp/codec/interleaved.h>
#include <freerdp/codec/planar.h>
#include <freerdp/codec/bulk.h>
#include <freerdp/codec/clear.h>
#include <freerdp/codec/zgfx.h>
#include <freerdp/log.h>
#include <winpr/bitstream.h>
#include <freerdp/codec/rfx.h>
#include <freerdp/codec/progressive.h>
#include <freerdp/freerdp.h>
#include <freerdp/gdi/gdi.h>
#include "../progressive.h"
#include "../mppc.h"
#include "../xcrush.h"
#include "../ncrush.h"
static BOOL test_ClearDecompressExample(UINT32 nr, UINT32 width, UINT32 height,
const BYTE* pSrcData, const UINT32 SrcSize)
{
BOOL rc = FALSE;
int status = 0;
BYTE* pDstData = calloc(1ull * width * height, 4);
CLEAR_CONTEXT* clear = clear_context_new(FALSE);
WINPR_UNUSED(nr);
if (!clear || !pDstData)
goto fail;
status = clear_decompress(clear, pSrcData, SrcSize, width, height, pDstData,
PIXEL_FORMAT_XRGB32, 0, 0, 0, width, height, NULL);
// printf("clear_decompress example %" PRIu32 " status: %d\n", nr, status);
// fflush(stdout);
rc = (status == 0);
fail:
clear_context_free(clear);
free(pDstData);
return rc;
}
static int TestFreeRDPCodecClear(const uint8_t* Data, size_t Size)
{
if (Size > UINT32_MAX)
return -1;
test_ClearDecompressExample(2, 78, 17, Data, (UINT32)Size);
test_ClearDecompressExample(3, 64, 24, Data, (UINT32)Size);
test_ClearDecompressExample(4, 7, 15, Data, (UINT32)Size);
return 0;
}
static int TestFreeRDPCodecXCrush(const uint8_t* Data, size_t Size)
{
if (Size > UINT32_MAX)
return -1;
const BYTE* OutputBuffer = NULL;
UINT32 DstSize = 0;
XCRUSH_CONTEXT* xcrush = xcrush_context_new(TRUE);
if (!xcrush)
return 0;
xcrush_decompress(xcrush, Data, (UINT32)Size, &OutputBuffer, &DstSize, 0);
xcrush_context_free(xcrush);
return 0;
}
static int test_ZGfxDecompressFoxSingle(const uint8_t* Data, size_t Size)
{
if (Size > UINT32_MAX)
return -1;
int rc = -1;
int status = 0;
UINT32 Flags = 0;
const BYTE* pSrcData = (const BYTE*)Data;
UINT32 SrcSize = (UINT32)Size;
UINT32 DstSize = 0;
BYTE* pDstData = NULL;
ZGFX_CONTEXT* zgfx = zgfx_context_new(TRUE);
if (!zgfx)
return -1;
status = zgfx_decompress(zgfx, pSrcData, SrcSize, &pDstData, &DstSize, Flags);
if (status < 0)
goto fail;
rc = 0;
fail:
free(pDstData);
zgfx_context_free(zgfx);
return rc;
}
static int TestFreeRDPCodecZGfx(const uint8_t* Data, size_t Size)
{
test_ZGfxDecompressFoxSingle(Data, Size);
return 0;
}
static BOOL test_NCrushDecompressBells(const uint8_t* Data, size_t Size)
{
if (Size > UINT32_MAX)
return FALSE;
BOOL rc = FALSE;
int status = 0;
UINT32 Flags = PACKET_COMPRESSED | 2;
const BYTE* pSrcData = (const BYTE*)Data;
UINT32 SrcSize = (UINT32)Size;
UINT32 DstSize = 0;
const BYTE* pDstData = NULL;
NCRUSH_CONTEXT* ncrush = ncrush_context_new(FALSE);
if (!ncrush)
return rc;
status = ncrush_decompress(ncrush, pSrcData, SrcSize, &pDstData, &DstSize, Flags);
if (status < 0)
goto fail;
rc = TRUE;
fail:
ncrush_context_free(ncrush);
return rc;
}
static int TestFreeRDPCodecNCrush(const uint8_t* Data, size_t Size)
{
test_NCrushDecompressBells(Data, Size);
return 0;
}
static const size_t IMG_WIDTH = 64;
static const size_t IMG_HEIGHT = 64;
static const size_t FORMAT_SIZE = 4;
static const UINT32 FORMAT = PIXEL_FORMAT_XRGB32;
static int TestFreeRDPCodecRemoteFX(const uint8_t* Data, size_t Size)
{
int rc = -1;
REGION16 region = { 0 };
RFX_CONTEXT* context = rfx_context_new(FALSE);
BYTE* dest = calloc(IMG_WIDTH * IMG_HEIGHT, FORMAT_SIZE);
size_t stride = FORMAT_SIZE * IMG_WIDTH;
if (!context)
goto fail;
if (Size > UINT32_MAX)
goto fail;
if (stride > UINT32_MAX)
goto fail;
if (!dest)
goto fail;
region16_init(&region);
if (!rfx_process_message(context, Data, (UINT32)Size, 0, 0, dest, FORMAT, (UINT32)stride,
IMG_HEIGHT, &region))
goto fail;
region16_clear(&region);
if (!rfx_process_message(context, Data, (UINT32)Size, 0, 0, dest, FORMAT, (UINT32)stride,
IMG_HEIGHT, &region))
goto fail;
region16_print(&region);
rc = 0;
fail:
region16_uninit(&region);
rfx_context_free(context);
free(dest);
return rc;
}
static int test_MppcDecompressBellsRdp5(const uint8_t* Data, size_t Size)
{
int rc = -1;
int status = 0;
UINT32 Flags = PACKET_AT_FRONT | PACKET_COMPRESSED | 1;
const BYTE* pSrcData = Data;
UINT32 SrcSize = (UINT32)Size;
UINT32 DstSize = 0;
const BYTE* pDstData = NULL;
MPPC_CONTEXT* mppc = mppc_context_new(1, FALSE);
if (!mppc)
return -1;
status = mppc_decompress(mppc, pSrcData, SrcSize, &pDstData, &DstSize, Flags);
if (status < 0)
goto fail;
rc = 0;
fail:
mppc_context_free(mppc);
return rc;
}
static int test_MppcDecompressBellsRdp4(const uint8_t* Data, size_t Size)
{
if (Size > UINT32_MAX)
return -1;
int rc = -1;
int status = 0;
UINT32 Flags = PACKET_AT_FRONT | PACKET_COMPRESSED | 0;
const BYTE* pSrcData = (const BYTE*)Data;
UINT32 SrcSize = (UINT32)Size;
UINT32 DstSize = 0;
const BYTE* pDstData = NULL;
MPPC_CONTEXT* mppc = mppc_context_new(0, FALSE);
if (!mppc)
return -1;
status = mppc_decompress(mppc, pSrcData, SrcSize, &pDstData, &DstSize, Flags);
if (status < 0)
goto fail;
rc = 0;
fail:
mppc_context_free(mppc);
return rc;
}
static int test_MppcDecompressBufferRdp5(const uint8_t* Data, size_t Size)
{
if (Size > UINT32_MAX)
return -1;
int rc = -1;
int status = 0;
UINT32 Flags = PACKET_AT_FRONT | PACKET_COMPRESSED | 1;
const BYTE* pSrcData = (const BYTE*)Data;
UINT32 SrcSize = (UINT32)Size;
UINT32 DstSize = 0;
const BYTE* pDstData = NULL;
MPPC_CONTEXT* mppc = mppc_context_new(1, FALSE);
if (!mppc)
return -1;
status = mppc_decompress(mppc, pSrcData, SrcSize, &pDstData, &DstSize, Flags);
if (status < 0)
goto fail;
rc = 0;
fail:
mppc_context_free(mppc);
return rc;
}
static int TestFreeRDPCodecMppc(const uint8_t* Data, size_t Size)
{
test_MppcDecompressBellsRdp5(Data, Size);
test_MppcDecompressBellsRdp4(Data, Size);
test_MppcDecompressBufferRdp5(Data, Size);
return 0;
}
static BOOL progressive_decode(const uint8_t* Data, size_t Size)
{
BOOL res = FALSE;
int rc = 0;
BYTE* resultData = NULL;
UINT32 ColorFormat = PIXEL_FORMAT_BGRX32;
REGION16 invalidRegion = { 0 };
UINT32 scanline = 4240;
UINT32 width = 1060;
UINT32 height = 827;
if (Size > UINT32_MAX)
return FALSE;
PROGRESSIVE_CONTEXT* progressiveDec = progressive_context_new(FALSE);
region16_init(&invalidRegion);
if (!progressiveDec)
goto fail;
resultData = calloc(scanline, height);
if (!resultData)
goto fail;
rc = progressive_create_surface_context(progressiveDec, 0, width, height);
if (rc <= 0)
goto fail;
rc = progressive_decompress(progressiveDec, Data, (UINT32)Size, resultData, ColorFormat,
scanline, 0, 0, &invalidRegion, 0, 0);
if (rc < 0)
goto fail;
res = TRUE;
fail:
region16_uninit(&invalidRegion);
progressive_context_free(progressiveDec);
free(resultData);
return res;
}
static int TestFreeRDPCodecProgressive(const uint8_t* Data, size_t Size)
{
progressive_decode(Data, Size);
return 0;
}
static BOOL i_run_encode_decode(UINT16 bpp, BITMAP_INTERLEAVED_CONTEXT* encoder,
BITMAP_INTERLEAVED_CONTEXT* decoder, const uint8_t* Data,
size_t Size)
{
BOOL rc2 = FALSE;
BOOL rc = 0;
const UINT32 w = 64;
const UINT32 h = 64;
const UINT32 x = 0;
const UINT32 y = 0;
const UINT32 format = PIXEL_FORMAT_RGBX32;
const size_t step = (w + 13ull) * 4ull;
const size_t SrcSize = step * h;
BYTE* pSrcData = calloc(1, SrcSize);
BYTE* pDstData = calloc(1, SrcSize);
BYTE* tmp = calloc(1, SrcSize);
WINPR_UNUSED(encoder);
if (!pSrcData || !pDstData || !tmp)
goto fail;
if (Size > UINT32_MAX)
goto fail;
winpr_RAND(pSrcData, SrcSize);
if (!bitmap_interleaved_context_reset(decoder))
goto fail;
rc = interleaved_decompress(decoder, Data, (UINT32)Size, w, h, bpp, pDstData, format, step, x,
y, w, h, NULL);
if (!rc)
goto fail;
rc2 = TRUE;
fail:
free(pSrcData);
free(pDstData);
free(tmp);
return rc2;
}
static int TestFreeRDPCodecInterleaved(const uint8_t* Data, size_t Size)
{
int rc = -1;
BITMAP_INTERLEAVED_CONTEXT* decoder = bitmap_interleaved_context_new(FALSE);
if (!decoder)
goto fail;
i_run_encode_decode(24, NULL, decoder, Data, Size);
i_run_encode_decode(16, NULL, decoder, Data, Size);
i_run_encode_decode(15, NULL, decoder, Data, Size);
rc = 0;
fail:
bitmap_interleaved_context_free(decoder);
return rc;
}
static BOOL RunTestPlanar(BITMAP_PLANAR_CONTEXT* planar, const BYTE* srcBitmap,
const UINT32 srcFormat, const UINT32 dstFormat, const UINT32 width,
const UINT32 height, const uint8_t* Data, size_t Size)
{
BOOL rc = FALSE;
WINPR_UNUSED(srcBitmap);
WINPR_UNUSED(srcFormat);
if (Size > UINT32_MAX)
return FALSE;
UINT32 dstSize = (UINT32)Size;
const BYTE* compressedBitmap = Data;
BYTE* decompressedBitmap =
(BYTE*)calloc(height, 1ull * width * FreeRDPGetBytesPerPixel(dstFormat));
rc = TRUE;
if (!decompressedBitmap)
goto fail;
if (!planar_decompress(planar, compressedBitmap, dstSize, width, height, decompressedBitmap,
dstFormat, 0, 0, 0, width, height, FALSE))
{
goto fail;
}
rc = TRUE;
fail:
free(decompressedBitmap);
return rc;
}
static BOOL TestPlanar(const UINT32 format, const uint8_t* Data, size_t Size)
{
BOOL rc = FALSE;
const DWORD planarFlags = PLANAR_FORMAT_HEADER_NA | PLANAR_FORMAT_HEADER_RLE;
BITMAP_PLANAR_CONTEXT* planar = freerdp_bitmap_planar_context_new(planarFlags, 64, 64);
if (!planar)
goto fail;
RunTestPlanar(planar, NULL, PIXEL_FORMAT_RGBX32, format, 64, 64, Data, Size);
RunTestPlanar(planar, NULL, PIXEL_FORMAT_RGB16, format, 32, 32, Data, Size);
rc = TRUE;
fail:
freerdp_bitmap_planar_context_free(planar);
return rc;
}
static int TestFreeRDPCodecPlanar(const uint8_t* Data, size_t Size)
{
TestPlanar(0, Data, Size);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size)
{
if (Size < 4)
return 0;
int i = 0;
winpr_RAND(&i, sizeof(i));
i = i % 18;
if (i < 2)
TestFreeRDPCodecClear(Data, Size);
else if (i < 4)
TestFreeRDPCodecXCrush(Data, Size);
else if (i < 6)
TestFreeRDPCodecZGfx(Data, Size);
else if (i < 8)
TestFreeRDPCodecNCrush(Data, Size);
else if (i < 10)
TestFreeRDPCodecRemoteFX(Data, Size);
else if (i < 12)
TestFreeRDPCodecMppc(Data, Size);
else if (i < 14)
TestFreeRDPCodecProgressive(Data, Size);
else if (i < 16)
TestFreeRDPCodecInterleaved(Data, Size);
else if (i < 18)
TestFreeRDPCodecPlanar(Data, Size);
return 0;
}

View File

@ -8,7 +8,7 @@ set(${MODULE_PREFIX}_TESTS
TestAddinArgv.c TestAddinArgv.c
TestCommonAssistance.c) TestCommonAssistance.c)
set(${MODULE_PREFIX}_FUZZERS set(FUZZERS
TestFuzzCommonAssistanceParseFileBuffer.c TestFuzzCommonAssistanceParseFileBuffer.c
TestFuzzCommonAssistanceBinToHexString.c TestFuzzCommonAssistanceBinToHexString.c
TestFuzzCommonAssistanceHexStringToBin.c) TestFuzzCommonAssistanceHexStringToBin.c)
@ -21,17 +21,8 @@ add_executable(${MODULE_NAME} ${${MODULE_PREFIX}_SRCS})
target_link_libraries(${MODULE_NAME} freerdp winpr) target_link_libraries(${MODULE_NAME} freerdp winpr)
if (BUILD_FUZZERS) include (AddFuzzerTest)
foreach(test ${${MODULE_PREFIX}_FUZZERS}) add_fuzzer_test("${FUZZERS}" "freerdp winpr")
get_filename_component(TestName ${test} NAME_WE)
add_executable(${TestName} ${test})
# Use PUBLIC to force 'fuzzer_config' for all dependent targets.
target_link_libraries(${TestName} PUBLIC freerdp winpr fuzzer_config)
add_test(${TestName} ${TESTING_OUTPUT_DIRECTORY}/${MODULE_NAME} ${TestName})
set_target_properties(${TestName} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}")
add_dependencies(fuzzers ${TestName})
endforeach()
endif (BUILD_FUZZERS)
set_target_properties(${MODULE_NAME} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}") set_target_properties(${MODULE_NAME} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}")

View File

@ -9,8 +9,9 @@ set(${MODULE_PREFIX}_TESTS
TestStreamDump.c TestStreamDump.c
TestSettings.c) TestSettings.c)
set(${MODULE_PREFIX}_FUZZERS set(FUZZERS
TestFuzzCryptoCertificateDataSetPEM.c) TestFuzzCryptoCertificateDataSetPEM.c
)
if(WITH_SAMPLE AND WITH_SERVER AND NOT WIN32) if(WITH_SAMPLE AND WITH_SERVER AND NOT WIN32)
add_definitions(-DCMAKE_EXECUTABLE_SUFFIX="${CMAKE_EXECUTABLE_SUFFIX}") add_definitions(-DCMAKE_EXECUTABLE_SUFFIX="${CMAKE_EXECUTABLE_SUFFIX}")
@ -32,16 +33,8 @@ add_definitions(-DTESTING_SRC_DIRECTORY="${PROJECT_SOURCE_DIR}")
target_link_libraries(${MODULE_NAME} freerdp winpr freerdp-client) target_link_libraries(${MODULE_NAME} freerdp winpr freerdp-client)
if (BUILD_FUZZERS) include (AddFuzzerTest)
foreach(test ${${MODULE_PREFIX}_FUZZERS}) add_fuzzer_test("${FUZZERS}" "freerdp winpr")
get_filename_component(TestName ${test} NAME_WE)
add_executable(${TestName} ${test})
target_link_libraries(${TestName} freerdp winpr freerdp-client fuzzer_config)
add_test(${TestName} ${TESTING_OUTPUT_DIRECTORY}/${MODULE_NAME} ${TestName})
set_target_properties(${TestName} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}")
add_dependencies(fuzzers ${TestName})
endforeach()
endif (BUILD_FUZZERS)
set_target_properties(${MODULE_NAME} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}") set_target_properties(${MODULE_NAME} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}")