From 59b0ca1abfb1ce4e83d75b5818a45f5c6b9628f6 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra
Date: Sun, 11 Mar 2018 17:30:11 +0100
Subject: [PATCH] Added separate fuzzer for pinging images.

---
 Magick++/fuzz/build_fuzzers.sh | 18 ++++++++----
 Magick++/fuzz/ping_fuzzer.cc | 51 ++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 5 deletions(-)
 create mode 100644 Magick++/fuzz/ping_fuzzer.cc

diff --git a/Magick++/fuzz/build_fuzzers.sh b/Magick++/fuzz/build_fuzzers.sh
index 967acb313..3dbce7fac 100644
--- a/Magick++/fuzz/build_fuzzers.sh
+++ b/Magick++/fuzz/build_fuzzers.sh
@@ -7,8 +7,8 @@ $MAGICK_COMPILER $MAGICK_COMPILER_FLAGS -std=c++11 -I$MAGICK_INCLUDE "$MAGICK_SR
 for f in $MAGICK_SRC/*_fuzzer.cc; do
 fuzzer=$(basename "$f" _fuzzer.cc)
- # encoder_fuzzer is special
- if [ "$fuzzer" == "encoder" ]; then
+ # encoder_fuzzer and ping_fuzzer are special
+ if [ "$fuzzer" == "encoder" ] || [ "$fuzzer" == "ping" ]; then
 continue
 fi
 $MAGICK_COMPILER $MAGICK_COMPILER_FLAGS -std=c++11 -I$MAGICK_INCLUDE \
@@ -21,12 +21,20 @@ for item in $("$MAGICK_SRC/encoder_list"); do
 encoder=${info%:*}
 initializer=${info##*:}
 encoder_flags="-DFUZZ_IMAGEMAGICK_ENCODER=$encoder"
- if [ "${item:0:1}" == "+" ]; then
- encoder_flags="$encoder_flags -DFUZZ_IMAGEMAGICK_ENCODER_WRITE=1"
- fi
 if [ "$initializer" != "" ]; then
 encoder_flags="$encoder_flags -DFUZZ_IMAGEMAGICK_ENCODER_INITIALIZER=$initializer"
 fi
+
+ $MAGICK_COMPILER $MAGICK_COMPILER_FLAGS -std=c++11 -I$MAGICK_INCLUDE \
+ "$MAGICK_SRC/ping_fuzzer.cc" -o "$MAGICK_OUTPUT/ping_${encoder,,}_fuzzer" \
+ $encoder_flags $MAGICK_LIBS
+
+ echo -e "[libfuzzer]\nclose_fd_mask=3" > "$MAGICK_OUTPUT/ping_${encoder,,}_fuzzer.options"
+
+ if [ "${item:0:1}" == "+" ]; then
+ encoder_flags="$encoder_flags -DFUZZ_IMAGEMAGICK_ENCODER_WRITE=1"
+ fi
+
 $MAGICK_COMPILER $MAGICK_COMPILER_FLAGS -std=c++11 -I$MAGICK_INCLUDE \
 "$MAGICK_SRC/encoder_fuzzer.cc" -o "$MAGICK_OUTPUT/encoder_${encoder,,}_fuzzer" \
 $encoder_flags $MAGICK_LIBS
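Review bot: The ping build added in the second hunk repeats, almost verbatim, the compile invocation and output naming used for the encoder fuzzer three lines below it, so every future change to flags or naming has to be made twice; a small helper such as `build_fuzzer() { $MAGICK_COMPILER $MAGICK_COMPILER_FLAGS -std=c++11 -I$MAGICK_INCLUDE "$1" -o "$2" $encoder_flags $MAGICK_LIBS; }` called once for `ping_fuzzer.cc` and once for `encoder_fuzzer.cc` would keep the two in step. The `.options` file with `close_fd_mask=3` is written only for the new ping binary; if the encoder binary is meant to run with the same option it presumably gets its file elsewhere, which is worth confirming since nothing in this loop writes one for it. The enclosing `for item` loop begins before and ends after this hunk.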
diff --git a/Magick++/fuzz/ping_fuzzer.cc b/Magick++/fuzz/ping_fuzzer.cc
new file mode 100644
index 000000000..c962e5d0e
--- /dev/null
+++ b/Magick++/fuzz/ping_fuzzer.cc
@@ -0,0 +1,51 @@
+#include
+
+#include
+#include
+
+#include "utils.cc"
+
+#define FUZZ_ENCODER_STRING_LITERAL_X(name) FUZZ_ENCODER_STRING_LITERAL(name)
+#define FUZZ_ENCODER_STRING_LITERAL(name) #name
+
+#ifndef FUZZ_ENCODER
+#define FUZZ_ENCODER FUZZ_ENCODER_STRING_LITERAL_X(FUZZ_IMAGEMAGICK_ENCODER)
+#endif
+
+#ifndef FUZZ_IMAGEMAGICK_INITIALIZER
+#define FUZZ_IMAGEMAGICK_INITIALIZER ""
+#endif
+#define FUZZ_ENCODER_INITIALIZER FUZZ_ENCODER_STRING_LITERAL_X(FUZZ_IMAGEMAGICK_INITIALIZER)
+
+static ssize_t EncoderInitializer(const uint8_t *Data, const size_t Size, Magick::Image &image)
+{
+ if (FUZZ_ENCODER_INITIALIZER == "interlace") {
+ Magick::InterlaceType interlace = (Magick::InterlaceType) *reinterpret_cast(Data);
+ if (interlace > Magick::PNGInterlace)
+ return -1;
+ image.interlaceType(interlace);
+ return 1;
+ }
+
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ Magick::Image image;
+ const ssize_t offset = EncoderInitializer(Data, Size, image);
+ if (offset < 0)
+ return 0;
+ std::string encoder = FUZZ_ENCODER;
+ image.magick(encoder);
+ image.fileName(std::string(encoder) + ":");
+ const Magick::Blob blob(Data + offset, Size - offset);
+ try {
+ image.ping(blob);
+ }
+ catch (Magick::Exception &e) {
+ return 0;
+ }
+ return 0;
+}
+
+#include "travis.cc"
--
2.40.0
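Review bot: The interlace branch in `EncoderInitializer` is unreachable as built: this file defaults and stringifies `FUZZ_IMAGEMAGICK_INITIALIZER`, while build_fuzzers.sh in the first file of this patch passes `-DFUZZ_IMAGEMAGICK_ENCODER_INITIALIZER=$initializer`, so `FUZZ_ENCODER_INITIALIZER` is always the stringified default and the branch never runs for any encoder compiled by that script. The test itself is also fragile: `FUZZ_ENCODER_INITIALIZER == "interlace"` compares two string-literal pointers, an address comparison with an unspecified result rather than a content comparison, so it should go through `std::string` (or `strcmp`). When the branch does run, `Size` is never consulted before `*reinterpret_cast<…>(Data)` is dereferenced, so a zero-length input is read out of bounds in the harness itself and `Size - offset` in `LLVMFuzzerTestOneInput` wraps; a length guard that returns -1 closes both. The rewrite below assumes the macro name used by the build script is the intended one, which should be confirmed against encoder_fuzzer.cc.
```cpp
#ifndef FUZZ_IMAGEMAGICK_ENCODER_INITIALIZER
#define FUZZ_IMAGEMAGICK_ENCODER_INITIALIZER ""
#endif
#define FUZZ_ENCODER_INITIALIZER FUZZ_ENCODER_STRING_LITERAL_X(FUZZ_IMAGEMAGICK_ENCODER_INITIALIZER)

static ssize_t EncoderInitializer(const uint8_t *Data, const size_t Size, Magick::Image &image)
{
  // std::string gives a content comparison; == on two literals only compares addresses.
  if (std::string(FUZZ_ENCODER_INITIALIZER) == "interlace") {
    // The dereference below needs at least one input byte (use the cast target's sizeof if wider).
    if (Size < 1)
      return -1;
    // … unchanged: read, range-check and apply the interlace value …
  }
  // … unchanged: return 0 …
}
```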