Update code to v1.0.14 (10)

android/extern/libjpeg-turbo/fuzz/CMakeLists.txt

@@ -0,0 +1,55 @@
+if(NOT ENABLE_STATIC)
+  message(FATAL_ERROR "Fuzz targets require static libraries.")
+endif()
+if(NOT WITH_TURBOJPEG)
+  message(FATAL_ERROR "Fuzz targets require the TurboJPEG API library.")
+endif()
+
+set(FUZZ_BINDIR "" CACHE PATH
+  "Directory into which fuzz targets should be installed")
+if(NOT FUZZ_BINDIR)
+  message(FATAL_ERROR "FUZZ_BINDIR must be specified.")
+endif()
+message(STATUS "FUZZ_BINDIR = ${FUZZ_BINDIR}")
+
+set(FUZZ_LIBRARY "" CACHE STRING
+  "Path to fuzzer library or flags necessary to link with it")
+if(NOT FUZZ_LIBRARY)
+  message(FATAL_ERROR "FUZZ_LIBRARY must be specified.")
+endif()
+message(STATUS "FUZZ_LIBRARY = ${FUZZ_LIBRARY}")
+
+enable_language(CXX)
+
+set(EFFECTIVE_CXX_FLAGS
+  "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE_UC}}")
+message(STATUS "C++ Compiler flags = ${EFFECTIVE_CXX_FLAGS}")
+
+add_executable(cjpeg_fuzzer${FUZZER_SUFFIX} cjpeg.cc ../cdjpeg.c ../rdbmp.c
+  ../rdgif.c ../rdppm.c ../rdswitch.c ../rdtarga.c)
+set_property(TARGET cjpeg_fuzzer${FUZZER_SUFFIX} PROPERTY COMPILE_FLAGS
+  ${COMPILE_FLAGS})
+target_link_libraries(cjpeg_fuzzer${FUZZER_SUFFIX} ${FUZZ_LIBRARY} jpeg-static)
+install(TARGETS cjpeg_fuzzer${FUZZER_SUFFIX} RUNTIME DESTINATION
+  ${FUZZ_BINDIR})
+
+macro(add_fuzz_target target source_file)
+  add_executable(${target}_fuzzer${FUZZER_SUFFIX} ${source_file})
+  target_link_libraries(${target}_fuzzer${FUZZER_SUFFIX} ${FUZZ_LIBRARY}
+    turbojpeg-static)
+  install(TARGETS ${target}_fuzzer${FUZZER_SUFFIX} RUNTIME DESTINATION
+    ${FUZZ_BINDIR})
+endmacro()
+
+add_fuzz_target(compress compress.cc)
+
+add_fuzz_target(compress_yuv compress_yuv.cc)
+
+# NOTE: This target is named libjpeg_turbo_fuzzer instead of decompress_fuzzer
+# in order to preserve the corpora from Google's OSS-Fuzz target for
+# libjpeg-turbo, which this target replaces.
+add_fuzz_target(libjpeg_turbo decompress.cc)
+
+add_fuzz_target(decompress_yuv decompress_yuv.cc)
+
+add_fuzz_target(transform transform.cc)

android/extern/libjpeg-turbo/fuzz/build.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -u
+set -e
+
+FUZZER_SUFFIX=
+if [ $# -ge 1 ]; then
+	FUZZER_SUFFIX="$1"
+	FUZZER_SUFFIX="`echo $1 | sed 's/\./_/g'`"
+fi
+
+cmake . -DCMAKE_BUILD_TYPE=RelWithDebInfo -DENABLE_STATIC=1 -DENABLE_SHARED=0 \
+	-DCMAKE_C_FLAGS_RELWITHDEBINFO="-g -DNDEBUG" \
+	-DCMAKE_CXX_FLAGS_RELWITHDEBINFO="-g -DNDEBUG" -DCMAKE_INSTALL_PREFIX=$WORK \
+	-DWITH_FUZZ=1 -DFUZZ_BINDIR=$OUT -DFUZZ_LIBRARY=$LIB_FUZZING_ENGINE \
+	-DFUZZER_SUFFIX="$FUZZER_SUFFIX"
+make "-j$(nproc)" "--load-average=$(nproc)"
+make install
+
+cp $SRC/compress_fuzzer_seed_corpus.zip $OUT/cjpeg_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
+cp $SRC/compress_fuzzer_seed_corpus.zip $OUT/compress_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
+cp $SRC/compress_fuzzer_seed_corpus.zip $OUT/compress_yuv_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
+cp $SRC/decompress_fuzzer_seed_corpus.zip $OUT/libjpeg_turbo_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
+cp $SRC/decompress_fuzzer_seed_corpus.zip $OUT/decompress_yuv_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip
+cp $SRC/decompress_fuzzer_seed_corpus.zip $OUT/transform_fuzzer${FUZZER_SUFFIX}_seed_corpus.zip

android/extern/libjpeg-turbo/fuzz/cjpeg.cc

@@ -0,0 +1,89 @@
+/*
+ * Copyright (C)2021 D. R. Commander.  All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ * - Neither the name of the libjpeg-turbo Project nor the names of its
+ *   contributors may be used to endorse or promote products derived from this
+ *   software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* This fuzz target wraps cjpeg in order to test esoteric compression options
+   as well as the GIF and Targa readers. */
+
+#define main  cjpeg_main
+#define CJPEG_FUZZER
+extern "C" {
+#include "../cjpeg.c"
+}
+#undef main
+#undef CJPEG_FUZZER
+
+#include <stdint.h>
+#include <unistd.h>
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+  char filename[FILENAME_MAX] = { 0 };
+  char *argv1[] = {
+    (char *)"cjpeg", (char *)"-dct", (char *)"float", (char *)"-memdst",
+    (char *)"-optimize", (char *)"-quality", (char *)"100,99,98",
+    (char *)"-restart", (char *)"2", (char *)"-sample", (char *)"4x1,2x2,1x2",
+    (char *)"-targa", NULL
+  };
+  char *argv2[] = {
+    (char *)"cjpeg", (char *)"-arithmetic", (char *)"-dct", (char *)"float",
+    (char *)"-memdst", (char *)"-quality", (char *)"90,80,70", (char *)"-rgb",
+    (char *)"-sample", (char *)"2x2", (char *)"-smooth", (char *)"50",
+    (char *)"-targa", NULL
+  };
+  int fd = -1;
+#if defined(__has_feature) && __has_feature(memory_sanitizer)
+  char env[18] = "JSIMD_FORCENONE=1";
+
+  /* The libjpeg-turbo SIMD extensions produce false positives with
+     MemorySanitizer. */
+  putenv(env);
+#endif
+
+  snprintf(filename, FILENAME_MAX, "/tmp/libjpeg-turbo_cjpeg_fuzz.XXXXXX");
+  if ((fd = mkstemp(filename)) < 0 || write(fd, data, size) < 0)
+    goto bailout;
+
+  argv1[12] = argv2[13] = filename;
+
+  cjpeg_main(13, argv1);
+  cjpeg_main(14, argv2);
+
+  argv1[12] = argv2[13] = NULL;
+  argv1[11] = argv2[12] = filename;
+
+  cjpeg_main(12, argv1);
+  cjpeg_main(13, argv2);
+
+bailout:
+  if (fd >= 0) {
+    close(fd);
+    if (strlen(filename) > 0) unlink(filename);
+  }
+  return 0;
+}

android/extern/libjpeg-turbo/fuzz/compress.cc

@@ -0,0 +1,133 @@
+/*
+ * Copyright (C)2021 D. R. Commander.  All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ * - Neither the name of the libjpeg-turbo Project nor the names of its
+ *   contributors may be used to endorse or promote products derived from this
+ *   software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <turbojpeg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+
+
+#define NUMTESTS  7
+/* Private flag that triggers different TurboJPEG API behavior when fuzzing */
+#define TJFLAG_FUZZING  (1 << 30)
+
+
+struct test {
+  enum TJPF pf;
+  enum TJSAMP subsamp;
+  int quality;
+};
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+  tjhandle handle = NULL;
+  unsigned char *srcBuf = NULL, *dstBuf = NULL;
+  int width = 0, height = 0, fd = -1, i, ti;
+  char filename[FILENAME_MAX] = { 0 };
+  struct test tests[NUMTESTS] = {
+    { TJPF_RGB, TJSAMP_444, 100 },
+    { TJPF_BGR, TJSAMP_422, 90 },
+    { TJPF_RGBX, TJSAMP_420, 80 },
+    { TJPF_BGRA, TJSAMP_411, 70 },
+    { TJPF_XRGB, TJSAMP_GRAY, 60 },
+    { TJPF_GRAY, TJSAMP_GRAY, 50 },
+    { TJPF_CMYK, TJSAMP_440, 40 }
+  };
+#if defined(__has_feature) && __has_feature(memory_sanitizer)
+  char env[18] = "JSIMD_FORCENONE=1";
+
+  /* The libjpeg-turbo SIMD extensions produce false positives with
+     MemorySanitizer. */
+  putenv(env);
+#endif
+
+  snprintf(filename, FILENAME_MAX, "/tmp/libjpeg-turbo_compress_fuzz.XXXXXX");
+  if ((fd = mkstemp(filename)) < 0 || write(fd, data, size) < 0)
+    goto bailout;
+
+  if ((handle = tjInitCompress()) == NULL)
+    goto bailout;
+
+  for (ti = 0; ti < NUMTESTS; ti++) {
+    int flags = TJFLAG_FUZZING, sum = 0, pf = tests[ti].pf;
+    unsigned long dstSize = 0, maxBufSize;
+
+    /* Test non-default compression options on specific iterations. */
+    if (ti == 0)
+      flags |= TJFLAG_BOTTOMUP | TJFLAG_ACCURATEDCT;
+    else if (ti == 1)
+      flags |= TJFLAG_PROGRESSIVE;
+    if (ti != 2)
+      flags |= TJFLAG_NOREALLOC;
+
+    /* tjLoadImage() refuses to load images larger than 1 Megapixel when
+       FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is defined (yes, that's a dirty
+       hack), so we don't need to check the width and height here. */
+    if ((srcBuf = tjLoadImage(filename, &width, 1, &height, &pf,
+                              flags)) == NULL)
+      continue;
+
+    maxBufSize = tjBufSize(width, height, tests[ti].subsamp);
+    if (flags & TJFLAG_NOREALLOC) {
+      if ((dstBuf = (unsigned char *)malloc(maxBufSize)) == NULL)
+        goto bailout;
+    } else
+      dstBuf = NULL;
+
+    if (tjCompress2(handle, srcBuf, width, 0, height, pf, &dstBuf, &dstSize,
+                    tests[ti].subsamp, tests[ti].quality, flags) == 0) {
+      /* Touch all of the output pixels in order to catch uninitialized reads
+         when using MemorySanitizer. */
+      for (i = 0; i < dstSize; i++)
+        sum += dstBuf[i];
+    }
+
+    free(dstBuf);
+    dstBuf = NULL;
+    tjFree(srcBuf);
+    srcBuf = NULL;
+
+    /* Prevent the code above from being optimized out.  This test should never
+       be true, but the compiler doesn't know that. */
+    if (sum > 255 * maxBufSize)
+      goto bailout;
+  }
+
+bailout:
+  free(dstBuf);
+  tjFree(srcBuf);
+  if (fd >= 0) {
+    close(fd);
+    if (strlen(filename) > 0) unlink(filename);
+  }
+  if (handle) tjDestroy(handle);
+  return 0;
+}

android/extern/libjpeg-turbo/fuzz/compress_yuv.cc

@@ -0,0 +1,148 @@
+/*
+ * Copyright (C)2021 D. R. Commander.  All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ * - Neither the name of the libjpeg-turbo Project nor the names of its
+ *   contributors may be used to endorse or promote products derived from this
+ *   software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <turbojpeg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+
+
+#define NUMTESTS  6
+/* Private flag that triggers different TurboJPEG API behavior when fuzzing */
+#define TJFLAG_FUZZING  (1 << 30)
+
+
+struct test {
+  enum TJPF pf;
+  enum TJSAMP subsamp;
+  int quality;
+};
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+  tjhandle handle = NULL;
+  unsigned char *srcBuf = NULL, *dstBuf = NULL, *yuvBuf = NULL;
+  int width = 0, height = 0, fd = -1, i, ti;
+  char filename[FILENAME_MAX] = { 0 };
+  struct test tests[NUMTESTS] = {
+    { TJPF_XBGR, TJSAMP_444, 100 },
+    { TJPF_XRGB, TJSAMP_422, 90 },
+    { TJPF_BGR, TJSAMP_420, 80 },
+    { TJPF_RGB, TJSAMP_411, 70 },
+    { TJPF_BGR, TJSAMP_GRAY, 60 },
+    { TJPF_GRAY, TJSAMP_GRAY, 50 }
+  };
+  char arithEnv[16] = "TJ_ARITHMETIC=0";
+  char restartEnv[13] = "TJ_RESTART=0";
+#if defined(__has_feature) && __has_feature(memory_sanitizer)
+  char simdEnv[18] = "JSIMD_FORCENONE=1";
+
+  /* The libjpeg-turbo SIMD extensions produce false positives with
+     MemorySanitizer. */
+  putenv(simdEnv);
+#endif
+  putenv(arithEnv);
+  putenv(restartEnv);
+
+  snprintf(filename, FILENAME_MAX, "/tmp/libjpeg-turbo_compress_yuv_fuzz.XXXXXX");
+  if ((fd = mkstemp(filename)) < 0 || write(fd, data, size) < 0)
+    goto bailout;
+
+  if ((handle = tjInitCompress()) == NULL)
+    goto bailout;
+
+  for (ti = 0; ti < NUMTESTS; ti++) {
+    int flags = TJFLAG_FUZZING | TJFLAG_NOREALLOC, sum = 0, pf = tests[ti].pf;
+    unsigned long dstSize = 0, maxBufSize;
+
+    /* Test non-default compression options on specific iterations. */
+    if (ti == 0)
+      flags |= TJFLAG_BOTTOMUP | TJFLAG_ACCURATEDCT;
+    else if (ti == 1 || ti == 3)
+      flags |= TJFLAG_PROGRESSIVE;
+    if (ti == 2 || ti == 3)
+      arithEnv[14] = '1';
+    else
+      arithEnv[14] = '0';
+    if (ti == 1 || ti == 2)
+      restartEnv[11] = '2';
+    else
+      restartEnv[11] = '0';
+
+    /* tjLoadImage() refuses to load images larger than 1 Megapixel when
+       FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is defined (yes, that's a dirty
+       hack), so we don't need to check the width and height here. */
+    if ((srcBuf = tjLoadImage(filename, &width, 1, &height, &pf,
+                              flags)) == NULL)
+      continue;
+
+    maxBufSize = tjBufSize(width, height, tests[ti].subsamp);
+    if ((dstBuf = (unsigned char *)malloc(maxBufSize)) == NULL)
+      goto bailout;
+    if ((yuvBuf =
+         (unsigned char *)malloc(tjBufSizeYUV2(width, 1, height,
+                                               tests[ti].subsamp))) == NULL)
+      goto bailout;
+
+    if (tjEncodeYUV3(handle, srcBuf, width, 0, height, pf, yuvBuf, 1,
+                     tests[ti].subsamp, flags) == 0 &&
+        tjCompressFromYUV(handle, yuvBuf, width, 1, height, tests[ti].subsamp,
+                          &dstBuf, &dstSize, tests[ti].quality, flags) == 0) {
+      /* Touch all of the output pixels in order to catch uninitialized reads
+         when using MemorySanitizer. */
+      for (i = 0; i < dstSize; i++)
+        sum += dstBuf[i];
+    }
+
+    free(dstBuf);
+    dstBuf = NULL;
+    free(yuvBuf);
+    yuvBuf = NULL;
+    tjFree(srcBuf);
+    srcBuf = NULL;
+
+    /* Prevent the code above from being optimized out.  This test should never
+       be true, but the compiler doesn't know that. */
+    if (sum > 255 * maxBufSize)
+      goto bailout;
+  }
+
+bailout:
+  free(dstBuf);
+  free(yuvBuf);
+  tjFree(srcBuf);
+  if (fd >= 0) {
+    close(fd);
+    if (strlen(filename) > 0) unlink(filename);
+  }
+  if (handle) tjDestroy(handle);
+  return 0;
+}

android/extern/libjpeg-turbo/fuzz/decompress.cc

@@ -0,0 +1,106 @@
+/*
+ * Copyright (C)2021 D. R. Commander.  All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ * - Neither the name of the libjpeg-turbo Project nor the names of its
+ *   contributors may be used to endorse or promote products derived from this
+ *   software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <turbojpeg.h>
+#include <stdlib.h>
+#include <stdint.h>
+
+
+#define NUMPF  4
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+  tjhandle handle = NULL;
+  unsigned char *dstBuf = NULL;
+  int width = 0, height = 0, jpegSubsamp, jpegColorspace, pfi;
+  /* TJPF_RGB-TJPF_BGR share the same code paths, as do TJPF_RGBX-TJPF_XRGB and
+     TJPF_RGBA-TJPF_ARGB.  Thus, the pixel formats below should be the minimum
+     necessary to achieve full coverage. */
+  enum TJPF pixelFormats[NUMPF] =
+    { TJPF_RGB, TJPF_BGRX, TJPF_GRAY, TJPF_CMYK };
+#if defined(__has_feature) && __has_feature(memory_sanitizer)
+  char env[18] = "JSIMD_FORCENONE=1";
+
+  /* The libjpeg-turbo SIMD extensions produce false positives with
+     MemorySanitizer. */
+  putenv(env);
+#endif
+
+  if ((handle = tjInitDecompress()) == NULL)
+    goto bailout;
+
+  /* We ignore the return value of tjDecompressHeader3(), because some JPEG
+     images may have unusual subsampling configurations that the TurboJPEG API
+     cannot identify but can still decompress. */
+  tjDecompressHeader3(handle, data, size, &width, &height, &jpegSubsamp,
+                      &jpegColorspace);
+
+  /* Ignore 0-pixel images and images larger than 1 Megapixel, as Google's
+     OSS-Fuzz target for libjpeg-turbo did.  Casting width to (uint64_t)
+     prevents integer overflow if width * height > INT_MAX. */
+  if (width < 1 || height < 1 || (uint64_t)width * height > 1048576)
+    goto bailout;
+
+  for (pfi = 0; pfi < NUMPF; pfi++) {
+    int pf = pixelFormats[pfi], flags = TJFLAG_LIMITSCANS, i, sum = 0;
+    int w = width, h = height;
+
+    /* Test non-default decompression options on the first iteration. */
+    if (pfi == 0)
+      flags |= TJFLAG_BOTTOMUP | TJFLAG_FASTUPSAMPLE | TJFLAG_FASTDCT;
+    /* Test IDCT scaling on the second iteration. */
+    else if (pfi == 1) {
+      w = (width + 1) / 2;
+      h = (height + 1) / 2;
+    }
+
+    if ((dstBuf = (unsigned char *)malloc(w * h * tjPixelSize[pf])) == NULL)
+      goto bailout;
+
+    if (tjDecompress2(handle, data, size, dstBuf, w, 0, h, pf, flags) == 0) {
+      /* Touch all of the output pixels in order to catch uninitialized reads
+         when using MemorySanitizer. */
+      for (i = 0; i < w * h * tjPixelSize[pf]; i++)
+        sum += dstBuf[i];
+    }
+
+    free(dstBuf);
+    dstBuf = NULL;
+
+    /* Prevent the code above from being optimized out.  This test should never
+       be true, but the compiler doesn't know that. */
+    if (sum > 255 * 1048576 * tjPixelSize[pf])
+      goto bailout;
+  }
+
+bailout:
+  free(dstBuf);
+  if (handle) tjDestroy(handle);
+  return 0;
+}

android/extern/libjpeg-turbo/fuzz/decompress_yuv.cc

@@ -0,0 +1,111 @@
+/*
+ * Copyright (C)2021 D. R. Commander.  All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ * - Neither the name of the libjpeg-turbo Project nor the names of its
+ *   contributors may be used to endorse or promote products derived from this
+ *   software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <turbojpeg.h>
+#include <stdlib.h>
+#include <stdint.h>
+
+
+#define NUMPF  3
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+  tjhandle handle = NULL;
+  unsigned char *dstBuf = NULL, *yuvBuf = NULL;
+  int width = 0, height = 0, jpegSubsamp, jpegColorspace, pfi;
+  /* TJPF_RGB-TJPF_BGR share the same code paths, as do TJPF_RGBX-TJPF_XRGB and
+     TJPF_RGBA-TJPF_ARGB.  Thus, the pixel formats below should be the minimum
+     necessary to achieve full coverage. */
+  enum TJPF pixelFormats[NUMPF] =
+    { TJPF_BGR, TJPF_XRGB, TJPF_GRAY };
+#if defined(__has_feature) && __has_feature(memory_sanitizer)
+  char env[18] = "JSIMD_FORCENONE=1";
+
+  /* The libjpeg-turbo SIMD extensions produce false positives with
+     MemorySanitizer. */
+  putenv(env);
+#endif
+
+  if ((handle = tjInitDecompress()) == NULL)
+    goto bailout;
+
+  if (tjDecompressHeader3(handle, data, size, &width, &height, &jpegSubsamp,
+                          &jpegColorspace) < 0)
+    goto bailout;
+
+  /* Ignore 0-pixel images and images larger than 1 Megapixel.  Casting width
+     to (uint64_t) prevents integer overflow if width * height > INT_MAX. */
+  if (width < 1 || height < 1 || (uint64_t)width * height > 1048576)
+    goto bailout;
+
+  for (pfi = 0; pfi < NUMPF; pfi++) {
+    int pf = pixelFormats[pfi], flags = TJFLAG_LIMITSCANS, i, sum = 0;
+    int w = width, h = height;
+
+    /* Test non-default decompression options on the first iteration. */
+    if (pfi == 0)
+      flags |= TJFLAG_BOTTOMUP | TJFLAG_FASTUPSAMPLE | TJFLAG_FASTDCT;
+    /* Test IDCT scaling on the second iteration. */
+    else if (pfi == 1) {
+      w = (width + 3) / 4;
+      h = (height + 3) / 4;
+    }
+
+    if ((dstBuf = (unsigned char *)malloc(w * h * tjPixelSize[pf])) == NULL)
+      goto bailout;
+    if ((yuvBuf =
+         (unsigned char *)malloc(tjBufSizeYUV2(w, 1, h, jpegSubsamp))) == NULL)
+      goto bailout;
+
+    if (tjDecompressToYUV2(handle, data, size, yuvBuf, w, 1, h, flags) == 0 &&
+        tjDecodeYUV(handle, yuvBuf, 1, jpegSubsamp, dstBuf, w, 0, h, pf,
+                    flags) == 0) {
+      /* Touch all of the output pixels in order to catch uninitialized reads
+         when using MemorySanitizer. */
+      for (i = 0; i < w * h * tjPixelSize[pf]; i++)
+        sum += dstBuf[i];
+    }
+
+    free(dstBuf);
+    dstBuf = NULL;
+    free(yuvBuf);
+    yuvBuf = NULL;
+
+    /* Prevent the code above from being optimized out.  This test should never
+       be true, but the compiler doesn't know that. */
+    if (sum > 255 * 1048576 * tjPixelSize[pf])
+      goto bailout;
+  }
+
+bailout:
+  free(dstBuf);
+  free(yuvBuf);
+  if (handle) tjDestroy(handle);
+  return 0;
+}

android/extern/libjpeg-turbo/fuzz/transform.cc

@@ -0,0 +1,135 @@
+/*
+ * Copyright (C)2021 D. R. Commander.  All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ * - Neither the name of the libjpeg-turbo Project nor the names of its
+ *   contributors may be used to endorse or promote products derived from this
+ *   software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS",
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <turbojpeg.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+
+#define NUMXFORMS  3
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+  tjhandle handle = NULL;
+  unsigned char *dstBufs[NUMXFORMS] = { NULL, NULL, NULL };
+  unsigned long dstSizes[NUMXFORMS] = { 0, 0, 0 }, maxBufSize;
+  int width = 0, height = 0, jpegSubsamp, jpegColorspace, i, t;
+  tjtransform transforms[NUMXFORMS];
+#if defined(__has_feature) && __has_feature(memory_sanitizer)
+  char env[18] = "JSIMD_FORCENONE=1";
+
+  /* The libjpeg-turbo SIMD extensions produce false positives with
+     MemorySanitizer. */
+  putenv(env);
+#endif
+
+  if ((handle = tjInitTransform()) == NULL)
+    goto bailout;
+
+  /* We ignore the return value of tjDecompressHeader3(), because some JPEG
+     images may have unusual subsampling configurations that the TurboJPEG API
+     cannot identify but can still transform. */
+  tjDecompressHeader3(handle, data, size, &width, &height, &jpegSubsamp,
+                      &jpegColorspace);
+
+  /* Ignore 0-pixel images and images larger than 1 Megapixel.  Casting width
+     to (uint64_t) prevents integer overflow if width * height > INT_MAX. */
+  if (width < 1 || height < 1 || (uint64_t)width * height > 1048576)
+    goto bailout;
+
+  if (jpegSubsamp < 0 || jpegSubsamp >= TJ_NUMSAMP)
+    jpegSubsamp = TJSAMP_444;
+
+  for (t = 0; t < NUMXFORMS; t++)
+    memset(&transforms[t], 0, sizeof(tjtransform));
+
+  transforms[0].op = TJXOP_NONE;
+  transforms[0].options = TJXOPT_PROGRESSIVE | TJXOPT_COPYNONE;
+  dstBufs[0] = (unsigned char *)malloc(tjBufSize(width, height, jpegSubsamp));
+  if (!dstBufs[0])
+    goto bailout;
+
+  transforms[1].r.w = (width + 1) / 2;
+  transforms[1].r.h = (height + 1) / 2;
+  transforms[1].op = TJXOP_TRANSPOSE;
+  transforms[1].options = TJXOPT_GRAY | TJXOPT_CROP | TJXOPT_COPYNONE;
+  dstBufs[1] =
+    (unsigned char *)malloc(tjBufSize((width + 1) / 2, (height + 1) / 2,
+                                      TJSAMP_GRAY));
+  if (!dstBufs[1])
+    goto bailout;
+
+  transforms[2].op = TJXOP_ROT90;
+  transforms[2].options = TJXOPT_TRIM | TJXOPT_COPYNONE;
+  dstBufs[2] = (unsigned char *)malloc(tjBufSize(height, width, jpegSubsamp));
+  if (!dstBufs[2])
+    goto bailout;
+
+  maxBufSize = tjBufSize(width, height, jpegSubsamp);
+
+  if (tjTransform(handle, data, size, NUMXFORMS, dstBufs, dstSizes, transforms,
+                  TJFLAG_LIMITSCANS | TJFLAG_NOREALLOC) == 0) {
+    /* Touch all of the output pixels in order to catch uninitialized reads
+       when using MemorySanitizer. */
+    for (t = 0; t < NUMXFORMS; t++) {
+      int sum = 0;
+
+      for (i = 0; i < dstSizes[t]; i++)
+        sum += dstBufs[t][i];
+
+      /* Prevent the code above from being optimized out.  This test should
+         never be true, but the compiler doesn't know that. */
+      if (sum > 255 * maxBufSize)
+        goto bailout;
+    }
+  }
+
+  transforms[0].options &= ~TJXOPT_COPYNONE;
+  free(dstBufs[0]);
+  dstBufs[0] = NULL;
+  dstSizes[0] = 0;
+
+  if (tjTransform(handle, data, size, 1, dstBufs, dstSizes, transforms,
+                  TJFLAG_LIMITSCANS) == 0) {
+    int sum = 0;
+
+    for (i = 0; i < dstSizes[0]; i++)
+      sum += dstBufs[0][i];
+
+    if (sum > 255 * maxBufSize)
+      goto bailout;
+  }
+
+bailout:
+  for (t = 0; t < NUMXFORMS; t++)
+    free(dstBufs[t]);
+  if (handle) tjDestroy(handle);
+  return 0;
+}