Use structure aware fuzzing for PNGs

Bug: 142252770
Bug: 169137236
Bug: 169139756
Test: this

Features built into the PNG format slow down fuzzing (e.g. CRC, encoded
lengths) [1]. Use structure aware fuzzing for PNG to do a better search
through the input space. Add png_mutator.h (unchanged from [2] under the
Apache 2.0 license). Split imagedecoder_fuzzer into two targets: one for
PNGs (since the mutator converts all inputs into PNG), and one for the
other formats.

Move fuzz_imagedecoder.cpp and the corpus/ into the new fuzz/ directory,
to keep fuzzing separate from the libjnigraphics library. Remove
png_test.png from the corpus; structure aware fuzzing will do a better
job of fuzzing PNGs, and the generic one should focus on other formats.

[1] https://github.com/google/fuzzing/blob/master/docs/structure-aware-fuzzing.md
[2] https://github.com/google/fuzzer-test-suite/blob/51356066dc70c43c9da0ad98e887684a0394860f/libpng-1.2.56/png_mutator.h#L1

Change-Id: I8aebb0d0abfa18793334f2d217b28a51d096123a
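The commit message says the PNG CRC and encoded chunk lengths slow a byte-level fuzzer down. The following is an added illustration of that point and of the structure-aware alternative; it is editor-written example code, not the png_mutator.h this change imports from [2] and not part of the Android tree. It uses only the Python standard library, builds a constructed 1x1 grayscale PNG as its seed, and shows that a single naive byte flip is rejected at the CRC check before the decoder sees it, while a mutator that operates on parsed chunks and recomputes length and CRC keeps every mutated input well-formed. The chunk-level operations (flip, insert, truncate, duplicate) are the example's own choices, not the mutator's documented behaviour.

```python
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_chunks(data):
    """Split a PNG into (type, payload) pairs, enforcing lengths and CRCs
    the way a decoder's front end does. Raises ValueError on any violation."""
    if data[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    chunks, pos = [], 8
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk payload or CRC")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC for chunk %r" % ctype)
        chunks.append((ctype, payload))
        pos += 12 + length
    return chunks


def serialize(chunks):
    """Re-encode chunks, recomputing the length and CRC fields for each."""
    out = bytearray(PNG_SIG)
    for ctype, payload in chunks:
        out += struct.pack(">I", len(payload)) + ctype + payload
        out += struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)
    return bytes(out)


def make_seed_png():
    """Constructed seed: a 1x1, 8-bit grayscale PNG (IHDR, IDAT, IEND)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one gray pixel
    return serialize([(b"IHDR", ihdr), (b"IDAT", idat), (b"IEND", b"")])


def survives_parser(data):
    """True if the bytes get past signature/length/CRC validation."""
    try:
        parse_chunks(data)
        return True
    except ValueError:
        return False


def flip_byte(data, offset):
    """Naive byte-level mutation: XOR one byte, ignoring PNG structure."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


def mutate_chunks(chunks, rng):
    """One structure-preserving mutation on a parsed chunk list (example ops)."""
    chunks = list(chunks)
    i = rng.randrange(len(chunks))
    ctype, payload = chunks[i]
    op = rng.choice(("flip", "insert", "truncate", "dup"))
    if op == "flip" and payload:
        buf = bytearray(payload)
        buf[rng.randrange(len(buf))] ^= rng.randrange(1, 256)
        chunks[i] = (ctype, bytes(buf))
    elif op == "insert":
        j = rng.randrange(len(payload) + 1)
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
        chunks[i] = (ctype, payload[:j] + junk + payload[j:])
    elif op == "truncate" and payload:
        chunks[i] = (ctype, payload[:rng.randrange(len(payload))])
    elif op == "dup":
        chunks.insert(i + 1, (ctype, payload))
    return chunks


def structure_aware_mutate(data, rng):
    """Parse, mutate at chunk level, re-serialize with fresh lengths and CRCs."""
    return serialize(mutate_chunks(parse_chunks(data), rng))


def campaign(seed, n, rng_seed):
    """Run n structure-aware mutations; return (how many pass validation,
    how many distinct inputs were produced)."""
    rng = random.Random(rng_seed)
    valid, distinct = 0, set()
    for _ in range(n):
        m = structure_aware_mutate(seed, rng)
        valid += survives_parser(m)
        distinct.add(m)
    return valid, len(distinct)


if __name__ == "__main__":
    seed = make_seed_png()
    # Offset 20 lies inside the IHDR payload, so the flip breaks that chunk's CRC.
    print("naive flip reaches decoder:", survives_parser(flip_byte(seed, 20)))
    print("structure-aware (valid, distinct):", campaign(seed, 50, 1))
```

In a real libFuzzer target the equivalent of structure_aware_mutate is exposed as LLVMFuzzerCustomMutator, which is what the -DPNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR flag in this change enables for the PNG target; the example keeps the same parse, mutate, re-serialize shape so the effect of the CRC barrier is visible without a fuzzing engine.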
diff --git a/native/graphics/jni/Android.bp b/native/graphics/jni/Android.bp
index 3751564..d464587 100644
--- a/native/graphics/jni/Android.bp
+++ b/native/graphics/jni/Android.bp
@@ -74,9 +74,9 @@
unversioned_until: "current",
}
-cc_fuzz {
- name: "imagedecoder_fuzzer",
- srcs: ["fuzz_imagedecoder.cpp"],
+cc_defaults {
+ name: "imagedecoder_fuzzer_defaults",
+ srcs: ["fuzz/fuzz_imagedecoder.cpp"],
header_libs: ["jni_headers"],
shared_libs: [
"libbinder",
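Review bot: the `srcs` entry in the new `cc_defaults` now points at "fuzz/fuzz_imagedecoder.cpp", but this diff only touches Android.bp; make sure the move of fuzz_imagedecoder.cpp (and of corpus/) described in the commit message is part of the same change, otherwise the build breaks at the old path. Since both fuzz targets will inherit this block, keep anything PNG-specific (libz, the mutator define) out of the defaults, as the second hunk does.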
@@ -97,6 +97,22 @@
"allocator_may_return_null = 1",
],
},
- corpus: ["corpus/*"],
host_supported: true,
}
+
+cc_fuzz {
+ name: "imagedecoder_fuzzer",
+ defaults: ["imagedecoder_fuzzer_defaults"],
+ corpus: ["fuzz/corpus/*"],
+}
+
+cc_fuzz {
+ name: "imagedecoder_png_fuzzer",
+ defaults: ["imagedecoder_fuzzer_defaults"],
+ shared_libs: [
+ "libz",
+ ],
+ cflags: [
+ "-DPNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR",
+ ],
+}
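Review bot: imagedecoder_png_fuzzer gets no `corpus:` property, while imagedecoder_fuzzer keeps "fuzz/corpus/*" and the commit message drops png_test.png from that corpus, so the PNG target starts from an empty seed set; consider giving it its own corpus of small valid PNGs, or state in the bp that the custom mutator is expected to bootstrap from empty input. Also, -DPNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR only does anything if fuzz_imagedecoder.cpp includes png_mutator.h under that define; that file is not in this diff, so confirm the include is present, and a one-line comment next to `libz` noting it is there for the mutator would help the next reader.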