FreeRDP/libfreerdp/codec/test/TestFuzzCodecs.c

/* https://github.com/ergnoorr/fuzzrdp
 *
 * MIT License
 *
 * Copyright (c) 2024 ergnoorr
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
#include <freerdp/assistance.h>

#include <winpr/crt.h>
#include <winpr/print.h>
#include <winpr/platform.h>
#include <freerdp/codec/interleaved.h>
#include <freerdp/codec/planar.h>
#include <freerdp/codec/bulk.h>
#include <freerdp/codec/clear.h>
#include <freerdp/codec/zgfx.h>
#include <freerdp/log.h>
#include <winpr/bitstream.h>
#include <freerdp/codec/rfx.h>
#include <freerdp/codec/progressive.h>

#include <freerdp/freerdp.h>
#include <freerdp/gdi/gdi.h>

#include "../progressive.h"
#include "../mppc.h"
#include "../xcrush.h"
#include "../ncrush.h"

static BOOL test_ClearDecompressExample(UINT32 nr, UINT32 width, UINT32 height,
                                        const BYTE* pSrcData, const UINT32 SrcSize)
{
	BOOL rc = FALSE;
	int status = 0;
	BYTE* pDstData = calloc(1ull * width * height, 4);
	CLEAR_CONTEXT* clear = clear_context_new(FALSE);

	WINPR_UNUSED(nr);
	if (!clear || !pDstData)
		goto fail;

	status = clear_decompress(clear, pSrcData, SrcSize, width, height, pDstData,
	                          PIXEL_FORMAT_XRGB32, 0, 0, 0, width, height, NULL);
	// printf("clear_decompress example %" PRIu32 " status: %d\n", nr, status);
	// fflush(stdout);
	rc = (status == 0);
fail:
	clear_context_free(clear);
	free(pDstData);
	return rc;
}

static int TestFreeRDPCodecClear(const uint8_t* Data, size_t Size)
{
	if (Size > UINT32_MAX)
		return -1;
	test_ClearDecompressExample(2, 78, 17, Data, (UINT32)Size);
	test_ClearDecompressExample(3, 64, 24, Data, (UINT32)Size);
	test_ClearDecompressExample(4, 7, 15, Data, (UINT32)Size);
	return 0;
}

static int TestFreeRDPCodecXCrush(const uint8_t* Data, size_t Size)
{
	if (Size > UINT32_MAX)
		return -1;

	const BYTE* OutputBuffer = NULL;
	UINT32 DstSize = 0;
	XCRUSH_CONTEXT* xcrush = xcrush_context_new(TRUE);
	if (!xcrush)
		return 0;
	xcrush_decompress(xcrush, Data, (UINT32)Size, &OutputBuffer, &DstSize, 0);
	xcrush_context_free(xcrush);
	return 0;
}

static int test_ZGfxDecompressFoxSingle(const uint8_t* Data, size_t Size)
{
	if (Size > UINT32_MAX)
		return -1;
	int rc = -1;
	int status = 0;
	UINT32 Flags = 0;
	const BYTE* pSrcData = (const BYTE*)Data;
	UINT32 SrcSize = (UINT32)Size;
	UINT32 DstSize = 0;
	BYTE* pDstData = NULL;
	ZGFX_CONTEXT* zgfx = zgfx_context_new(TRUE);

	if (!zgfx)
		return -1;

	status = zgfx_decompress(zgfx, pSrcData, SrcSize, &pDstData, &DstSize, Flags);
	if (status < 0)
		goto fail;

	rc = 0;
fail:
	free(pDstData);
	zgfx_context_free(zgfx);
	return rc;
}

static int TestFreeRDPCodecZGfx(const uint8_t* Data, size_t Size)
{
	test_ZGfxDecompressFoxSingle(Data, Size);
	return 0;
}

static BOOL test_NCrushDecompressBells(const uint8_t* Data, size_t Size)
{
	if (Size > UINT32_MAX)
		return FALSE;

	BOOL rc = FALSE;
	int status = 0;
	UINT32 Flags = PACKET_COMPRESSED | 2;
	const BYTE* pSrcData = (const BYTE*)Data;
	UINT32 SrcSize = (UINT32)Size;
	UINT32 DstSize = 0;
	const BYTE* pDstData = NULL;
	NCRUSH_CONTEXT* ncrush = ncrush_context_new(FALSE);

	if (!ncrush)
		return rc;

	status = ncrush_decompress(ncrush, pSrcData, SrcSize, &pDstData, &DstSize, Flags);
	if (status < 0)
		goto fail;

	rc = TRUE;
fail:
	ncrush_context_free(ncrush);
	return rc;
}

static int TestFreeRDPCodecNCrush(const uint8_t* Data, size_t Size)
{
	test_NCrushDecompressBells(Data, Size);
	return 0;
}

static const size_t IMG_WIDTH = 64;
static const size_t IMG_HEIGHT = 64;
static const size_t FORMAT_SIZE = 4;
static const UINT32 FORMAT = PIXEL_FORMAT_XRGB32;

static int TestFreeRDPCodecRemoteFX(const uint8_t* Data, size_t Size)
{
	int rc = -1;
	REGION16 region = { 0 };
	RFX_CONTEXT* context = rfx_context_new(FALSE);
	BYTE* dest = calloc(IMG_WIDTH * IMG_HEIGHT, FORMAT_SIZE);
	size_t stride = FORMAT_SIZE * IMG_WIDTH;
	if (!context)
		goto fail;
	if (Size > UINT32_MAX)
		goto fail;
	if (stride > UINT32_MAX)
		goto fail;
	if (!dest)
		goto fail;

	region16_init(&region);
	if (!rfx_process_message(context, Data, (UINT32)Size, 0, 0, dest, FORMAT, (UINT32)stride,
	                         IMG_HEIGHT, &region))
		goto fail;

	region16_clear(&region);
	if (!rfx_process_message(context, Data, (UINT32)Size, 0, 0, dest, FORMAT, (UINT32)stride,
	                         IMG_HEIGHT, &region))
		goto fail;
	region16_print(&region);

	rc = 0;
fail:
	region16_uninit(&region);
	rfx_context_free(context);
	free(dest);
	return rc;
}

static int test_MppcDecompressBellsRdp5(const uint8_t* Data, size_t Size)
{
	int rc = -1;
	int status = 0;
	UINT32 Flags = PACKET_AT_FRONT | PACKET_COMPRESSED | 1;
	const BYTE* pSrcData = Data;
	UINT32 SrcSize = (UINT32)Size;
	UINT32 DstSize = 0;
	const BYTE* pDstData = NULL;
	MPPC_CONTEXT* mppc = mppc_context_new(1, FALSE);

	if (!mppc)
		return -1;

	status = mppc_decompress(mppc, pSrcData, SrcSize, &pDstData, &DstSize, Flags);

	if (status < 0)
		goto fail;

	rc = 0;

fail:
	mppc_context_free(mppc);
	return rc;
}

static int test_MppcDecompressBellsRdp4(const uint8_t* Data, size_t Size)
{
	if (Size > UINT32_MAX)
		return -1;
	int rc = -1;
	int status = 0;
	UINT32 Flags = PACKET_AT_FRONT | PACKET_COMPRESSED | 0;
	const BYTE* pSrcData = (const BYTE*)Data;
	UINT32 SrcSize = (UINT32)Size;
	UINT32 DstSize = 0;
	const BYTE* pDstData = NULL;
	MPPC_CONTEXT* mppc = mppc_context_new(0, FALSE);

	if (!mppc)
		return -1;

	status = mppc_decompress(mppc, pSrcData, SrcSize, &pDstData, &DstSize, Flags);

	if (status < 0)
		goto fail;

	rc = 0;
fail:
	mppc_context_free(mppc);
	return rc;
}

static int test_MppcDecompressBufferRdp5(const uint8_t* Data, size_t Size)
{
	if (Size > UINT32_MAX)
		return -1;
	int rc = -1;
	int status = 0;
	UINT32 Flags = PACKET_AT_FRONT | PACKET_COMPRESSED | 1;
	const BYTE* pSrcData = (const BYTE*)Data;
	UINT32 SrcSize = (UINT32)Size;
	UINT32 DstSize = 0;
	const BYTE* pDstData = NULL;
	MPPC_CONTEXT* mppc = mppc_context_new(1, FALSE);

	if (!mppc)
		return -1;

	status = mppc_decompress(mppc, pSrcData, SrcSize, &pDstData, &DstSize, Flags);

	if (status < 0)
		goto fail;

	rc = 0;
fail:
	mppc_context_free(mppc);
	return rc;
}

static int TestFreeRDPCodecMppc(const uint8_t* Data, size_t Size)
{
	test_MppcDecompressBellsRdp5(Data, Size);
	test_MppcDecompressBellsRdp4(Data, Size);
	test_MppcDecompressBufferRdp5(Data, Size);
	return 0;
}

static BOOL progressive_decode(const uint8_t* Data, size_t Size)
{
	BOOL res = FALSE;
	int rc = 0;
	BYTE* resultData = NULL;
	UINT32 ColorFormat = PIXEL_FORMAT_BGRX32;
	REGION16 invalidRegion = { 0 };
	UINT32 scanline = 4240;
	UINT32 width = 1060;
	UINT32 height = 827;
	if (Size > UINT32_MAX)
		return FALSE;

	PROGRESSIVE_CONTEXT* progressiveDec = progressive_context_new(FALSE);

	region16_init(&invalidRegion);
	if (!progressiveDec)
		goto fail;

	resultData = calloc(scanline, height);
	if (!resultData)
		goto fail;

	rc = progressive_create_surface_context(progressiveDec, 0, width, height);
	if (rc <= 0)
		goto fail;

	rc = progressive_decompress(progressiveDec, Data, (UINT32)Size, resultData, ColorFormat,
	                            scanline, 0, 0, &invalidRegion, 0, 0);
	if (rc < 0)
		goto fail;

	res = TRUE;
fail:
	region16_uninit(&invalidRegion);
	progressive_context_free(progressiveDec);
	free(resultData);
	return res;
}

static int TestFreeRDPCodecProgressive(const uint8_t* Data, size_t Size)
{
	progressive_decode(Data, Size);
	return 0;
}

static BOOL i_run_encode_decode(UINT16 bpp, BITMAP_INTERLEAVED_CONTEXT* encoder,
                                BITMAP_INTERLEAVED_CONTEXT* decoder, const uint8_t* Data,
                                size_t Size)
{
	BOOL rc2 = FALSE;
	BOOL rc = 0;
	const UINT32 w = 64;
	const UINT32 h = 64;
	const UINT32 x = 0;
	const UINT32 y = 0;
	const UINT32 format = PIXEL_FORMAT_RGBX32;
	const size_t step = (w + 13ull) * 4ull;
	const size_t SrcSize = step * h;
	BYTE* pSrcData = calloc(1, SrcSize);
	BYTE* pDstData = calloc(1, SrcSize);
	BYTE* tmp = calloc(1, SrcSize);

	WINPR_UNUSED(encoder);
	if (!pSrcData || !pDstData || !tmp)
		goto fail;

	if (Size > UINT32_MAX)
		goto fail;

	winpr_RAND(pSrcData, SrcSize);

	if (!bitmap_interleaved_context_reset(decoder))
		goto fail;

	rc = interleaved_decompress(decoder, Data, (UINT32)Size, w, h, bpp, pDstData, format, step, x,
	                            y, w, h, NULL);

	if (!rc)
		goto fail;

	rc2 = TRUE;
fail:
	free(pSrcData);
	free(pDstData);
	free(tmp);
	return rc2;
}

static int TestFreeRDPCodecInterleaved(const uint8_t* Data, size_t Size)
{
	int rc = -1;
	BITMAP_INTERLEAVED_CONTEXT* decoder = bitmap_interleaved_context_new(FALSE);

	if (!decoder)
		goto fail;

	i_run_encode_decode(24, NULL, decoder, Data, Size);
	i_run_encode_decode(16, NULL, decoder, Data, Size);
	i_run_encode_decode(15, NULL, decoder, Data, Size);
	rc = 0;
fail:
	bitmap_interleaved_context_free(decoder);
	return rc;
}

static BOOL RunTestPlanar(BITMAP_PLANAR_CONTEXT* planar, const BYTE* srcBitmap,
                          const UINT32 srcFormat, const UINT32 dstFormat, const UINT32 width,
                          const UINT32 height, const uint8_t* Data, size_t Size)
{
	BOOL rc = FALSE;
	WINPR_UNUSED(srcBitmap);
	WINPR_UNUSED(srcFormat);
	if (Size > UINT32_MAX)
		return FALSE;
	UINT32 dstSize = (UINT32)Size;
	const BYTE* compressedBitmap = Data;
	BYTE* decompressedBitmap =
	    (BYTE*)calloc(height, 1ull * width * FreeRDPGetBytesPerPixel(dstFormat));
	rc = TRUE;

	if (!decompressedBitmap)
		goto fail;

	if (!planar_decompress(planar, compressedBitmap, dstSize, width, height, decompressedBitmap,
	                       dstFormat, 0, 0, 0, width, height, FALSE))
	{
		goto fail;
	}

	rc = TRUE;
fail:
	free(decompressedBitmap);
	return rc;
}

static BOOL TestPlanar(const UINT32 format, const uint8_t* Data, size_t Size)
{
	BOOL rc = FALSE;
	const DWORD planarFlags = PLANAR_FORMAT_HEADER_NA | PLANAR_FORMAT_HEADER_RLE;
	BITMAP_PLANAR_CONTEXT* planar = freerdp_bitmap_planar_context_new(planarFlags, 64, 64);

	if (!planar)
		goto fail;

	RunTestPlanar(planar, NULL, PIXEL_FORMAT_RGBX32, format, 64, 64, Data, Size);

	RunTestPlanar(planar, NULL, PIXEL_FORMAT_RGB16, format, 32, 32, Data, Size);

	rc = TRUE;
fail:
	freerdp_bitmap_planar_context_free(planar);
	return rc;
}

static int TestFreeRDPCodecPlanar(const uint8_t* Data, size_t Size)
{
	TestPlanar(0, Data, Size);
	return 0;
}

int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size)
{
	if (Size < 4)
		return 0;

	TestFreeRDPCodecClear(Data, Size);
	TestFreeRDPCodecXCrush(Data, Size);
	TestFreeRDPCodecZGfx(Data, Size);
	TestFreeRDPCodecNCrush(Data, Size);
	TestFreeRDPCodecRemoteFX(Data, Size);
	TestFreeRDPCodecMppc(Data, Size);
	TestFreeRDPCodecProgressive(Data, Size);
	TestFreeRDPCodecInterleaved(Data, Size);
	TestFreeRDPCodecPlanar(Data, Size);

	return 0;
}