integrate with OSS-Fuzz (continuous automated fuzzing), and fix a recent regression (leak) about libpng HOT 18 CLOSED

I gave a whack at updating the project, by adding the eXIf chunk to the dictionary.
Where is the seed corpus actually located? Is it the PNG files contained in the libpng distribution?

from libpng.

I assumed @kcc meant a large variety of PNG color_types, sample_depths, etc. The libpng directory "contrib/testpngs" which is currently included in the corpus covers most of them.

from libpng.

Yes. By diverse I mean different features of the data format, or, more precisely, inputs that cover different parts of code.
I encourage you to look at the coverage achieved on the oss-fuzz's corpus to see what code remains uncovered.

@glennrp did you change something in the build system recently?
Our dashboard (oss-fuzz.com, you can see it too) shows that the last two days the total number of instrumented basic blocks dropped from 6634 to 1166

from libpng.

from libpng.

I think I generated the appropriate pull request

Nope, I don't see it. :(

from libpng.

Without seeing the test case I attempted a fix which I've pushed to libpng16.

Didn't seem to help.
I can attach the repro here (should I?), but it only triggers in read_fuzzer.cc (which does png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);)

from libpng.

You can attach the reproducer here or mail it to [email protected]

from libpng.

Attached reproducer (gzip-ed, to please GitHub).
It causes the leak when fed to read_fuzzer.cc

clusterfuzz-testcase-minimized-6064109344784384.gz

from libpng.

from libpng.

I can confirm that the leak report is gone, thanks!
Do you mind if I add your e-mail to https://github.com/google/oss-fuzz/blob/master/projects/libpng/project.yaml ?

This way you will receive e-mail if the bot finds any more bugs (and you'll get access to the details)

from libpng.

Yes, please add my e-mail to the distribution list.

FYI I tested with
valgrind pngtest --relaxed file.png
The "--relaxed" option turns off CRC checking.

from libpng.

Done: https://github.com/google/oss-fuzz/blob/master/projects/libpng/project.yaml

When you have a chance, please take a look at https://github.com/google/oss-fuzz/blob/master/projects/libpng/libpng_read_fuzzer.cc (is there anything to improve there? can you add something similar to the main libpng tree?).

Note that Google has a monetary reward program for participating in OSS-Fuzz:
https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

The "--relaxed" option turns off CRC checking.

Good to know, thanks!

from libpng.

Yes, @glennrp, current seed corpus is being collected by the following command:

find $SRC/libpng -name "*.png" | xargs zip $OUT/libpng_read_fuzzer_seed_corpus.zip

in libpng checkout.

from libpng.

There also is another set of corpus files generated by the fuzzer and improved over time. Those files in the cloud are not "seed" corpus, it's a working corpus, I would say. It is synchronized across all VMs running libpng fuzzer, and it grows automatically over time.

You can download a minimized version of that corpus using "Corpus backup" link on the fuzzer stats page: https://oss-fuzz.com/v2/fuzzer-stats/by-day/2017-07-27/2017-08-02/fuzzer/libFuzzer_libpng_read_fuzzer/job/libfuzzer_asan_libpng

from libpng.

If you know some other good public source of diverse png files, feel free to extend the command line that creates libpng_read_fuzzer_seed_corpus.zip in https://github.com/google/oss-fuzz/blob/master/projects/libpng/build.sh

from libpng.

@kcc Could you clarify what you mean by diverse? I can try to find a source.

from libpng.

I did update libpng_read_fuzzer.cc but the "coverage" report is showing me some other version.

from libpng.

Moving the discussion to google/oss-fuzz#809, if you don't mind

from libpng.