fuzzing/orphans/libexif/libexif_fuzzer.cpp - platform/tools/security - Git at Google

 #include <libexif/exif-data.h>
 #include <libexif/exif-loader.h>
 #include <stddef.h>
 #include <stdlib.h>
 #include <string.h>

 constexpr size_t kMaxDataSize = 32;

 /* Extract all MakerNote tags */
 static void mnote_dump(ExifData *data) {
   ExifMnoteData *mn = exif_data_get_mnote_data(data);
   if (mn) {
     int num = exif_mnote_data_count(mn);

     /* Loop through all MakerNote tags */
     for (int i = 0; i < num; ++i) {
       char buf[1024];
       exif_mnote_data_get_value(mn, i, buf, sizeof(buf));
     }
   }
 }

 static void dump_value(ExifEntry *entry, void *) {
   char buf[1024];
   exif_entry_get_value(entry, buf, sizeof(buf));
 }

 static void data_func(ExifContent *content, void *) {
   exif_content_foreach_entry(content, dump_value, NULL);
 }

 /* This is like exif_data_dump but without writing to stdout */
 static void data_dump(ExifData *data) {
   exif_data_foreach_content(data, data_func, NULL);
 }

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   if (!data) {
     return 0;
   }

   size = (size % kMaxDataSize);
   uint8_t *buffer = (uint8_t *)malloc(size * sizeof(uint8_t));
   memcpy(buffer, data, size);
   // Parse tags using (ultimately) exif_data_load_data()
   auto image = exif_data_new_from_data(buffer, size);
   if (image) {
     // Exercise the EXIF tag manipulation code
     exif_data_get_mnote_data(image);
     data_dump(image);
     mnote_dump(image);
     unsigned char *buf;
     unsigned int sz;
     exif_data_save_data(image, &buf, &sz);
     free(buf);
     exif_data_fix(image);
     exif_data_unref(image);
   }

   // Parse tags again, but using exif_loader_write(), which is a separate
   // parser.  There is no need to fuzz the parsed ExifData again, since it will
   // be identical to what has been loaded (and fuzzed) above.
   ExifLoader *loader = exif_loader_new();
   if (!loader) {
     free(buffer);
     return 0;
   }
   exif_loader_write(loader, const_cast<unsigned char *>(buffer), size);
   image = exif_loader_get_data(loader);
   if (image) {
     exif_data_unref(image);
   }
   exif_loader_unref(loader);
   free(buffer);
   return 0;
 }
	#include <libexif/exif-data.h>
	#include <libexif/exif-loader.h>
	#include <stddef.h>
	#include <stdlib.h>
	#include <string.h>

	constexpr size_t kMaxDataSize = 32;

	/* Extract all MakerNote tags */
	static void mnote_dump(ExifData *data) {
	ExifMnoteData *mn = exif_data_get_mnote_data(data);
	if (mn) {
	int num = exif_mnote_data_count(mn);

	/* Loop through all MakerNote tags */
	for (int i = 0; i < num; ++i) {
	char buf[1024];
	exif_mnote_data_get_value(mn, i, buf, sizeof(buf));
	}
	}
	}

	static void dump_value(ExifEntry entry, void ) {
	char buf[1024];
	exif_entry_get_value(entry, buf, sizeof(buf));
	}

	static void data_func(ExifContent content, void ) {
	exif_content_foreach_entry(content, dump_value, NULL);
	}

	/* This is like exif_data_dump but without writing to stdout */
	static void data_dump(ExifData *data) {
	exif_data_foreach_content(data, data_func, NULL);
	}

	extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
	if (!data) {
	return 0;
	}

	size = (size % kMaxDataSize);
	uint8_t buffer = (uint8_t )malloc(size * sizeof(uint8_t));
	memcpy(buffer, data, size);
	// Parse tags using (ultimately) exif_data_load_data()
	auto image = exif_data_new_from_data(buffer, size);
	if (image) {
	// Exercise the EXIF tag manipulation code
	exif_data_get_mnote_data(image);
	data_dump(image);
	mnote_dump(image);
	unsigned char *buf;
	unsigned int sz;
	exif_data_save_data(image, &buf, &sz);
	free(buf);
	exif_data_fix(image);
	exif_data_unref(image);
	}

	// Parse tags again, but using exif_loader_write(), which is a separate
	// parser. There is no need to fuzz the parsed ExifData again, since it will
	// be identical to what has been loaded (and fuzzed) above.
	ExifLoader *loader = exif_loader_new();
	if (!loader) {
	free(buffer);
	return 0;
	}
	exif_loader_write(loader, const_cast<unsigned char *>(buffer), size);
	image = exif_loader_get_data(loader);
	if (image) {
	exif_data_unref(image);
	}
	exif_loader_unref(loader);
	free(buffer);
	return 0;
	}