Add a fuzz target to test DNG image parsing in dng_sdk. am: 0c2c0ca07a am: 49be9325f2

Original change: https://android-review.googlesource.com/c/platform/external/dng_sdk/+/1487679

Change-Id: Ibb9abf8881e295bd58423d201bc7e6ee0540f0c2
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
new file mode 100644
index 0000000..5bf44fa
--- /dev/null
+++ b/fuzzer/Android.bp
@@ -0,0 +1,26 @@
+cc_fuzz {
+    name: "dng_parser_fuzzer",
+    host_supported: true,
+    srcs: [
+        "dng_parser_fuzzer.cpp",
+    ],
+    cflags: [
+        "-Wno-unused-parameter",
+        "-fexceptions",
+    ],
+    static_libs: [
+        "libdng_sdk",
+        "libjpeg",
+        "liblog",
+        "libz",
+    ],
+    target: {
+        darwin: {
+            enabled: false,
+        },
+    },
+    corpus: [
+        "seeds/CVE_2020_9589/original.dng",
+        "seeds/CVE_2020_9589/poc.dng",
+    ],
+}
diff --git a/fuzzer/README.md b/fuzzer/README.md
new file mode 100644
index 0000000..edc7ef2
--- /dev/null
+++ b/fuzzer/README.md
@@ -0,0 +1,47 @@
+# Fuzzing DNG SDK
+
+This fuzzer is intented to do a varian analysis of the issue reported
+in b/156261521.
+
+Here is a list of some CVEs previously discovered in DNG SDK:
+
+* CVE-2020-9589
+* CVE-2020-9590
+* CVE-2020-9620
+* CVE-2020-9621
+* CVE-2020-9622
+* CVE-2020-9623
+* CVE-2020-9624
+* CVE-2020-9625
+* CVE-2020-9626
+* CVE-2020-9627
+* CVE-2020-9628
+* CVE-2020-9629
+
+## Building & running the fuzz target: Android device
+
+It is recommended to set rss limit to higher values (such as 4096) when running
+the fuzzer to avoid frequent OOM libFuzzer crashes.
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_arm64-eng
+$ SANITIZE_TARGET=hwaddress make dng_parser_fuzzer
+$ adb sync data
+$ adb shell /data/fuzz/arm64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit=4096 \
+$ /data/fuzz/arm64/dng_parser_fuzzer/corpus
+```
+
+## Building & running the fuzz target: Host
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_x86_64-eng
+$ SANITIZE_HOST=address make dng_parser_fuzzer
+$ LD_LIBRARY_PATH=$ANDROID_HOST_OUT/fuzz/x86_64/lib/ \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit_mb=4096 \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/corpus/
+```
+
diff --git a/fuzzer/dng_parser_fuzzer.cpp b/fuzzer/dng_parser_fuzzer.cpp
new file mode 100644
index 0000000..84db0f3
--- /dev/null
+++ b/fuzzer/dng_parser_fuzzer.cpp
@@ -0,0 +1,36 @@
+#include <stddef.h>
+#include <stdint.h>
+
+#include "dng_exceptions.h"
+#include "dng_host.h"
+#include "dng_info.h"
+#include "dng_memory_stream.h"
+#include "dng_negative.h"
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  dng_host host;
+  dng_memory_stream stream(host.Allocator());
+
+  stream.Put(data, size);
+  stream.SetReadPosition(0);
+
+  std::unique_ptr<dng_negative> negative(host.Make_dng_negative());
+
+  try {
+    dng_info info;
+    info.Parse(host, stream);
+    info.PostParse(host);
+
+    if (info.IsValidDNG()) {
+      negative->Parse(host, stream, info);
+      negative->PostParse(host, stream, info);
+      negative->ReadStage1Image(host, stream, info);
+    }
+  } catch (dng_exception &e) {
+    // dng_sdk throws C++ exceptions on errors
+    // catch them here to prevent libFuzzer from crashing.
+  }
+
+  return 0;
+}
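Review bot: `std::unique_ptr` on the `negative` line is used without `#include <memory>`; the include block at the top of the hunk lists only `<stddef.h>`, `<stdint.h>` and the dng_sdk headers, so compilation depends on one of those headers pulling `<memory>` in transitively. Add `#include <memory>` alongside the C headers so the harness includes what it uses. The handler `catch (dng_exception &e)` never reads `e`; `catch (const dng_exception &)` expresses the same thing without the unused name. Note also that only `dng_exception` is swallowed, so anything thrown that does not derive from it (a `std::bad_alloc`, say) would still unwind out of `LLVMFuzzerTestOneInput` and be reported by libFuzzer as a crash — that is presumably intended for a variant-analysis harness, so a comment such as `// Only dng_exception is swallowed; any other exception is treated as a finding.` would make the choice explicit.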
diff --git a/fuzzer/seeds/CVE_2020_9589/original.dng b/fuzzer/seeds/CVE_2020_9589/original.dng
new file mode 100755
index 0000000..a30ac76
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/original.dng
Binary files differ
diff --git a/fuzzer/seeds/CVE_2020_9589/poc.dng b/fuzzer/seeds/CVE_2020_9589/poc.dng
new file mode 100755
index 0000000..b838844
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/poc.dng
Binary files differ