
fuzz imagemagick #430

Closed
Dor1s opened this issue Mar 2, 2017 · 9 comments

Comments

@Dor1s
Contributor

Dor1s commented Mar 2, 2017

https://www.imagemagick.org/script/index.php had plenty of security problems and probably still has them.

@Dor1s
Contributor Author

Dor1s commented Mar 2, 2017

@dlemstra, have you heard about OSS-Fuzz?

Would you be interested in getting continuous fuzz testing for ImageMagick? We'd be happy to help.

@dlemstra
Contributor

dlemstra commented Mar 2, 2017

We would love to join. Can you give us some pointers on how to set this up?

@Dor1s
Contributor Author

Dor1s commented Mar 2, 2017

Sure! It's quite simple. We use docker to provide the same environment for both developers and our infrastructure; more info on adding a new project: https://github.com/google/oss-fuzz/blob/master/docs/new_project_guide.md

If you've never touched libFuzzer, it would be good to go through the tutorial at tutorial.libfuzzer.info. It's like writing a unit test.

For example, I see HuffmanDecodeImage in https://github.com/ImageMagick/ImageMagick/blob/f6ff9eaa865134189fce2cf73b109da589178bde/MagickCore/compress.c#L366; such a decoding API looks like a juicy target for fuzzing.

That function needs a pointer to an Image object, which can be initialized from a Blob: https://github.com/ImageMagick/ImageMagick/blob/6a3d581a642ec5b3c8759e67cd18fb77cf32854c/Magick%2B%2B/lib/Image.cpp#L82

A Blob object can be initialized using raw data bytes (https://github.com/ImageMagick/ImageMagick/blob/master/Magick%2B%2B/lib/Blob.cpp#L24) -- the easiest case we might have :)

So, a new fuzz target may be something like:

#include <cstddef>
#include <cstdint>
#include <Magick++.h>

using namespace Magick;

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  const Blob blob(Data, Size);
  Image image;
  try {
    image.read(blob);  // decoding may throw Magick::Exception; rejected input is not a bug
  } catch (const Exception &) {
    return 0;
  }
  // HuffmanDecodeImage is a MagickCore function: pass the underlying MagickCore::Image and an ExceptionInfo from AcquireExceptionInfo.
  MagickCore::ExceptionInfo *ex = MagickCore::AcquireExceptionInfo();
  (void) MagickCore::HuffmanDecodeImage(image.image(), ex);
  MagickCore::DestroyExceptionInfo(ex);

  // maybe call something else?
  return 0;
}
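
The sketch above only compiles against ImageMagick, so here is an added, self-contained example (not Dor1s's code and not part of ImageMagick or OSS-Fuzz) that shows the same harness shape end to end: a decoder whose malformed-input path is an exception rather than a memory error, an LLVMFuzzerTestOneInput that treats rejected input as a non-bug and returns 0, and a stand-alone main in the style of OSS-Fuzz's StandaloneFuzzTargetMain.c for replaying saved test cases without libFuzzer. The run-length format, the function rleDecode and the sample inputs kGoodSample and kBadSample are constructed for the example and stand in for HuffmanDecodeImage.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Constructed stand-in for a decoder such as HuffmanDecodeImage. Format:
// one header byte with the expected decoded length, then (count, value)
// pairs. Every malformed case is reported by throwing, never by reading or
// writing out of bounds, which is the property the fuzzer is checking.
std::vector<uint8_t> rleDecode(const uint8_t *data, size_t size) {
  if (size < 1) throw std::runtime_error("missing length header");
  const size_t expected = data[0];
  std::vector<uint8_t> out;
  out.reserve(expected);
  for (size_t i = 1; i + 1 < size; i += 2) {
    const size_t count = data[i];
    if (out.size() + count > expected)
      throw std::runtime_error("run exceeds declared length");
    out.insert(out.end(), count, data[i + 1]);
  }
  if ((size - 1) % 2 != 0) throw std::runtime_error("dangling run byte");
  if (out.size() != expected) throw std::runtime_error("short data");
  return out;
}

// Constructed sample inputs: a valid stream decoding to "AABBB", and one
// whose first run claims more bytes than the header allows.
static const uint8_t kGoodSample[] = {5, 2, 'A', 3, 'B'};
static const uint8_t kBadSample[] = {2, 9, 'A'};

// The fuzz target reads like a unit test: hand the bytes to the API under
// test, swallow the exceptions that signal rejected input, and return 0 so
// libFuzzer only reports crashes and sanitizer findings.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  try {
    (void)rleDecode(Data, Size);
  } catch (const std::runtime_error &) {
    // Expected for malformed input; do not abort here.
  }
  return 0;
}

// Stand-alone driver: build without -fsanitize=fuzzer and pass saved test
// cases on the command line to reproduce a finding under a debugger.
int main(int argc, char **argv) {
  for (int i = 1; i < argc; ++i) {
    FILE *f = std::fopen(argv[i], "rb");
    if (!f) { std::perror(argv[i]); continue; }
    std::vector<uint8_t> buf;
    int c;
    while ((c = std::fgetc(f)) != EOF) buf.push_back(static_cast<uint8_t>(c));
    std::fclose(f);
    LLVMFuzzerTestOneInput(buf.data(), buf.size());
    std::printf("%s: ok\n", argv[i]);
  }
  return 0;
}
```

Build the fuzzer with `clang++ -g -fsanitize=fuzzer,address target.cc` (libFuzzer supplies main, so the one above is only used when that flag is absent). The same two-mode layout is what OSS-Fuzz's build.sh links against $LIB_FUZZING_ENGINE, so a target written this way can be developed and debugged locally before it is submitted.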

@inferno-chromium
Collaborator

tracked in #402.

@dlemstra - any success so far with OSS-Fuzz integration?

@dlemstra
Contributor

dlemstra commented Apr 3, 2017

Been away for the whole last month. Haven't given it a try yet. Hope I will be able to work on this in a couple weeks.

@inferno-chromium
Collaborator

Thanks @dlemstra

@dlemstra
Contributor

dlemstra commented Aug 4, 2017

Could you reopen this issue and assign it to me @inferno-chromium? I lost track of this again.

@inferno-chromium
Collaborator

@dlemstra - can't assign it to you, but let's keep this open for tracking.

@alex
Contributor

alex commented Jan 12, 2018

This can be closed now, it's happening!

@Dor1s Dor1s closed this as completed Jan 13, 2018