From d250e4be01d2776e244e65b2e4732eaadc9cb9e2 Mon Sep 17 00:00:00 2001
From: treeform
Date: Fri, 11 Feb 2022 21:08:24 -0800
Subject: [PATCH] Fixed fuzzing.
---
 src/pixie/fileformats/bmp.nim | 20 ++++++++++----------
 tests/fuzz_bmp.nim | 14 +++++++-------
 tests/test_bmp.nim | 3 ++-
 3 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/src/pixie/fileformats/bmp.nim b/src/pixie/fileformats/bmp.nim
index 4f2a5bd..6a69efe 100644
--- a/src/pixie/fileformats/bmp.nim
+++ b/src/pixie/fileformats/bmp.nim
@@ -35,8 +35,8 @@ proc decodeBmp*(data: string): Image {.raises: [PixieError].} =
 useAlpha = false
 flipVertical = false
- if numColors < 0:
- raise newException(PixieError, "Invalid BMP data")
+ if numColors < 0 or numColors > 256:
+ raise newException(PixieError, "Invalid number of colors")
 if dibHeader notin [40, 108]:
 raise newException(PixieError, "Invalid BMP data")
@@ -101,10 +101,10 @@ proc decodeBmp*(data: string): Image {.raises: [PixieError].} =
 if padding > 0:
 offset += 4 - padding
 for x in 0 ..< result.width:
- if offset >= data.len:
- raise newException(PixieError, "Truncated BMP data")
 var rgba: ColorRGBA
 if haveBits == 0:
+ if offset >= data.len:
+ raise newException(PixieError, "Truncated BMP data")
 colorBits = data.readUint8(offset)
 haveBits = 8
 offset += 1
@@ -127,10 +127,10 @@ proc decodeBmp*(data: string): Image {.raises: [PixieError].} =
 if padding > 0:
 offset += 4 - padding
 for x in 0 ..< result.width:
- if offset >= data.len:
- raise newException(PixieError, "Truncated BMP data")
 var rgba: ColorRGBA
 if haveBits == 0:
+ if offset >= data.len:
+ raise newException(PixieError, "Truncated BMP data")
 colorBits = data.readUint8(offset)
 haveBits = 8
 offset += 1
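Review bot: The new upper bound in `if numColors < 0 or numColors > 256:` (hunk at -35) is an unexplained constant and is not tied to the bit depth, so a low-depth indexed file can still declare up to 256 palette entries. A comment such as `# palette indices are at most 8 bits wide, so 256 entries is the ceiling` would document the limit. The palette read is outside this hunk, so it should be confirmed there that each entry read is also checked against `data.len`, since this guard bounds the count but not the bytes available.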
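Review bot: The guard moved into the `if haveBits == 0:` branch (hunk at -101, and the identical hunk at -127) has no comment saying why it sits there instead of at the top of the pixel loop. The visible lines suggest the reason is that `offset` only advances when a new byte is fetched, so pixels still buffered in `colorBits` need no check; I would state that with `# Check only when fetching a new byte; pixels still buffered in colorBits do not read from data.` above the moved `if`. Both loop bodies continue outside their hunks, and the two are identical in the visible lines, so the comment applies to each.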
@@ -163,10 +163,10 @@ proc decodeBmp*(data: string): Image {.raises: [PixieError].} =
 for y in 0 ..< result.height:
 # pad the row
 let padding = (offset - startOffset) mod 4
- if padding >= 0:
+ if padding > 0:
 offset += 4 - padding
 for x in 0 ..< result.width:
- if offset + 3 > data.len:
+ if offset + 2 >= data.len:
 raise newException(PixieError, "Truncated BMP data")
 var rgba: ColorRGBA
 rgba.r = data.readUint8(offset + 2)
@@ -176,10 +176,10 @@ proc decodeBmp*(data: string): Image {.raises: [PixieError].} =
 offset += 3
 result[x, result.height - y - 1] = rgba.rgbx()
- if bits == 32:
+ elif bits == 32:
 for y in 0 ..< result.height:
 for x in 0 ..< result.width:
- if offset >= data.len - 2:
+ if offset + 3 >= data.len:
 raise newException(PixieError, "Truncated BMP data")
 var rgba: ColorRGBA
 let color = data.readUint32(offset)
diff --git a/tests/fuzz_bmp.nim b/tests/fuzz_bmp.nim
index e742430..9ab3ee5 100644
--- a/tests/fuzz_bmp.nim
+++ b/tests/fuzz_bmp.nim
@@ -2,12 +2,13 @@ import pixie/common, pixie/fileformats/bmp, random, strformat, flatty/binny, os
 randomize()
-var originals = @[readFile("tests/fileformats/bmp/knight.32.bmp")]
+var originals = @["tests/fileformats/bmp/knight.32.bmp"]
 for file in walkFiles("tests/fileformats/bmp/bmpsuite/*"):
- originals.add(readFile(file))
+ originals.add(file)
-for i in 0 ..< 100_000:
- var data = originals[rand(originals.len-1)]
+for i in 0 ..< 1000:
+ let file = originals[rand(originals.len-1)]
+ var data = readFile(file)
 let
 pos = rand(data.len-1)
 value = rand(255).char
@@ -18,12 +19,11 @@ for i in 0 ..< 100_000:
 let
 width = data.readInt32(18).int
 height = data.readInt32(22).int
- numColors = data.readInt32(46).int
- if abs(width) > 1000 or abs(height) > 1000 or numColors > 1000:
+ if abs(width) > 1000 or abs(height) > 1000:
 echo "too big"
 continue
- echo &"{i} {pos} {repr(value)}"
+ echo &"{i} {file} {pos} {repr(value)}"
 try:
 let img = decodeBmp(data)
 doAssert img.height > 0 and img.width > 0
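Review bot: The two truncation guards in the 24-bit and 32-bit loops (hunks at -163 and -176) are written as "last index read" (`offset + 2 >= data.len`, `offset + 3 >= data.len`), while the code around them counts bytes consumed (`offset += 3`, `readUint32`). Both guards are correct as written. Stating them as a byte count, `if offset + 3 > data.len:` for the 24-bit loop and `if offset + 4 > data.len:` for the 32-bit one, makes the constant match the read size, which is easier to audit. The row-padding skip `offset += 4 - padding` is not checked on its own, which is fine because the per-pixel guard follows it, but a short comment saying so would help.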
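Review bot: With `elif bits == 32:` (hunk at -176) the depth handling becomes a single chain, but no final `else` is visible, and the chain starts and ends outside this hunk. If nothing earlier in decodeBmp rejects other values of `bits`, a file with an unhandled depth would fall through and return an image with no pixels written. Closing the chain with `else: raise newException(PixieError, "Unsupported BMP data format")` would make that case explicit; this should be checked against the part of the proc not shown here.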
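Review bot: The fuzz loop in tests/fuzz_bmp.nim (hunk at -2) drops from 100_000 to 1000 iterations and now calls `readFile(file)` on every pass, so far fewer mutations reach the decoder per run. If the count was lowered for run time, storing the path together with the bytes avoids the repeated disk read while keeping the file name for the log line: `originals.add((file, readFile(file)))`, then `let (file, original) = originals[rand(originals.len-1)]` and `var data = original`. The initial `knight.32.bmp` entry would need the same tuple form.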
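Review bot: The harness still skips any mutation where `abs(width) > 1000 or abs(height) > 1000` (hunk at -18), so the decoder is never exercised with oversized dimensions, even though the numColors filter was removed once decodeBmp rejected bad values itself. Whether decodeBmp caps width and height before allocating is not visible in this patch. If it does not, a small file whose header claims very large dimensions would drive a large allocation. A dimension limit inside the decoder that raises PixieError would let this skip go the same way as the numColors one. The `try` block continues outside the hunk.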
diff --git a/tests/test_bmp.nim b/tests/test_bmp.nim
index 5d903f3..80761e5 100644
--- a/tests/test_bmp.nim
+++ b/tests/test_bmp.nim
@@ -45,5 +45,6 @@ block:
 block:
 for file in walkFiles("tests/fileformats/bmp/bmpsuite/*"):
+ # echo file
 let image = decodeBmp(readFile(file))
- image.writeFile(file.replace("bmpsuite", "output") & ".png")
+ #image.writeFile(file.replace("bmpsuite", "output") & ".png")
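Review bot: The bmpsuite loop is left with two commented-out statements, `# echo file` and `#image.writeFile(...)`, and `let image` is now unused, so the test only checks that decodeBmp does not raise. I would delete both dead lines and write the call as `discard decodeBmp(readFile(file))` so the intent is explicit. If any bmpsuite files are deliberately malformed, this loop would be the place to assert that they raise PixieError rather than decode.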