update libpng

update libpng, the repo now requires a vcpkg setup for integrating but skipping the install step should allow it to work for windows an linux, mac might need more
This commit is contained in:
marauder2k7 2025-12-31 20:11:14 +00:00
parent c593d860a0
commit 5d644b4ffb
300 changed files with 25573 additions and 17698 deletions

View file

@ -1,4 +1,3 @@
Last changed in libpng 1.6.33 [September 28, 2017]
Copyright (c) 2017 Glenn Randers-Pehrson
This code is released under the libpng license.

View file

@ -1,4 +1,5 @@
#!/bin/bash -eu
# Copyright 2017-2018 Glenn Randers-Pehrson
# Copyright 2016 Google Inc.
#
@ -14,8 +15,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Last changed in libpng 1.6.35 [July 15, 2018]
#
# Revisions by Glenn Randers-Pehrson, 2017:
# 1. Build only the library, not the tools (changed "make -j$(nproc) all" to
# "make -j$(nproc) libpng16.la").

View file

@ -1,12 +1,9 @@
// libpng_read_fuzzer.cc
// Copyright 2017-2018 Glenn Randers-Pehrson
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that may
// be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE
// Last changed in libpng 1.6.35 [July 15, 2018]
// The modifications in 2017 by Glenn Randers-Pehrson include
// 1. addition of a PNG_CLEANUP macro,
// 2. setting the option to ignore ADLER32 checksums,
@ -17,14 +14,17 @@
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <vector>
#define PNG_INTERNAL
#include "png.h"
#include "nalloc.h"
#define PNG_CLEANUP \
nalloc_end(); \
if(png_handler.png_ptr) \
{ \
if (png_handler.row_ptr) \
@ -60,7 +60,7 @@ struct PngObjectHandler {
png_free(png_ptr, row_ptr);
if (end_info_ptr)
png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr);
else if (info_ptr)
else if (info_ptr)
png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
else
png_destroy_read_struct(&png_ptr, nullptr, nullptr);
@ -78,6 +78,22 @@ void user_read_data(png_structp png_ptr, png_bytep data, size_t length) {
buf_state->data += length;
}
void* limited_malloc(png_structp, png_alloc_size_t size) {
// libpng may allocate large amounts of memory that the fuzzer reports as
// an error. In order to silence these errors, make libpng fail when trying
// to allocate a large amount. This allocator used to be in the Chromium
// version of this fuzzer.
// This number is chosen to match the default png_user_chunk_malloc_max.
if (size > 8000000)
return nullptr;
return malloc(size);
}
void default_free(png_structp, png_voidp ptr) {
return free(ptr);
}
static const int kPngHeaderSize = 8;
// Entry point for LibFuzzer.
@ -87,6 +103,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
if (size < kPngHeaderSize) {
return 0;
}
nalloc_init(nullptr);
std::vector<unsigned char> v(data, data + size);
if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) {
@ -106,6 +123,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
return 0;
}
nalloc_start(data, size);
png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr);
if (!png_handler.info_ptr) {
PNG_CLEANUP
@ -118,6 +136,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
return 0;
}
// Use a custom allocator that fails for large allocations to avoid OOM.
png_set_mem_fn(png_handler.png_ptr, nullptr, limited_malloc, default_free);
png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
#ifdef PNG_IGNORE_ADLER32
png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON);
@ -186,5 +207,21 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
png_read_end(png_handler.png_ptr, png_handler.end_info_ptr);
PNG_CLEANUP
#ifdef PNG_SIMPLIFIED_READ_SUPPORTED
// Simplified READ API
png_image image;
memset(&image, 0, (sizeof image));
image.version = PNG_IMAGE_VERSION;
if (!png_image_begin_read_from_memory(&image, data, size)) {
return 0;
}
image.format = PNG_FORMAT_RGBA;
std::vector<png_byte> buffer(PNG_IMAGE_SIZE(image));
png_image_finish_read(&image, NULL, buffer.data(), 0, NULL);
#endif
return 0;
}

View file

@ -0,0 +1,330 @@
/*
MIT License
Copyright (c) 2025 Catena cyber
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
#ifndef NALLOC_H_
#define NALLOC_H_
#if defined(__clang__) && defined(__has_feature)
#if __has_feature(address_sanitizer)
#define NALLOC_ASAN 1
#endif
#endif
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __cplusplus
extern "C" {
#endif
static const uint32_t nalloc_crc32_table[] = {
0x00000000, 0x04c11db7, 0x09823b6e, 0x0d4326d9, 0x130476dc, 0x17c56b6b,
0x1a864db2, 0x1e475005, 0x2608edb8, 0x22c9f00f, 0x2f8ad6d6, 0x2b4bcb61,
0x350c9b64, 0x31cd86d3, 0x3c8ea00a, 0x384fbdbd, 0x4c11db70, 0x48d0c6c7,
0x4593e01e, 0x4152fda9, 0x5f15adac, 0x5bd4b01b, 0x569796c2, 0x52568b75,
0x6a1936c8, 0x6ed82b7f, 0x639b0da6, 0x675a1011, 0x791d4014, 0x7ddc5da3,
0x709f7b7a, 0x745e66cd, 0x9823b6e0, 0x9ce2ab57, 0x91a18d8e, 0x95609039,
0x8b27c03c, 0x8fe6dd8b, 0x82a5fb52, 0x8664e6e5, 0xbe2b5b58, 0xbaea46ef,
0xb7a96036, 0xb3687d81, 0xad2f2d84, 0xa9ee3033, 0xa4ad16ea, 0xa06c0b5d,
0xd4326d90, 0xd0f37027, 0xddb056fe, 0xd9714b49, 0xc7361b4c, 0xc3f706fb,
0xceb42022, 0xca753d95, 0xf23a8028, 0xf6fb9d9f, 0xfbb8bb46, 0xff79a6f1,
0xe13ef6f4, 0xe5ffeb43, 0xe8bccd9a, 0xec7dd02d, 0x34867077, 0x30476dc0,
0x3d044b19, 0x39c556ae, 0x278206ab, 0x23431b1c, 0x2e003dc5, 0x2ac12072,
0x128e9dcf, 0x164f8078, 0x1b0ca6a1, 0x1fcdbb16, 0x018aeb13, 0x054bf6a4,
0x0808d07d, 0x0cc9cdca, 0x7897ab07, 0x7c56b6b0, 0x71159069, 0x75d48dde,
0x6b93dddb, 0x6f52c06c, 0x6211e6b5, 0x66d0fb02, 0x5e9f46bf, 0x5a5e5b08,
0x571d7dd1, 0x53dc6066, 0x4d9b3063, 0x495a2dd4, 0x44190b0d, 0x40d816ba,
0xaca5c697, 0xa864db20, 0xa527fdf9, 0xa1e6e04e, 0xbfa1b04b, 0xbb60adfc,
0xb6238b25, 0xb2e29692, 0x8aad2b2f, 0x8e6c3698, 0x832f1041, 0x87ee0df6,
0x99a95df3, 0x9d684044, 0x902b669d, 0x94ea7b2a, 0xe0b41de7, 0xe4750050,
0xe9362689, 0xedf73b3e, 0xf3b06b3b, 0xf771768c, 0xfa325055, 0xfef34de2,
0xc6bcf05f, 0xc27dede8, 0xcf3ecb31, 0xcbffd686, 0xd5b88683, 0xd1799b34,
0xdc3abded, 0xd8fba05a, 0x690ce0ee, 0x6dcdfd59, 0x608edb80, 0x644fc637,
0x7a089632, 0x7ec98b85, 0x738aad5c, 0x774bb0eb, 0x4f040d56, 0x4bc510e1,
0x46863638, 0x42472b8f, 0x5c007b8a, 0x58c1663d, 0x558240e4, 0x51435d53,
0x251d3b9e, 0x21dc2629, 0x2c9f00f0, 0x285e1d47, 0x36194d42, 0x32d850f5,
0x3f9b762c, 0x3b5a6b9b, 0x0315d626, 0x07d4cb91, 0x0a97ed48, 0x0e56f0ff,
0x1011a0fa, 0x14d0bd4d, 0x19939b94, 0x1d528623, 0xf12f560e, 0xf5ee4bb9,
0xf8ad6d60, 0xfc6c70d7, 0xe22b20d2, 0xe6ea3d65, 0xeba91bbc, 0xef68060b,
0xd727bbb6, 0xd3e6a601, 0xdea580d8, 0xda649d6f, 0xc423cd6a, 0xc0e2d0dd,
0xcda1f604, 0xc960ebb3, 0xbd3e8d7e, 0xb9ff90c9, 0xb4bcb610, 0xb07daba7,
0xae3afba2, 0xaafbe615, 0xa7b8c0cc, 0xa379dd7b, 0x9b3660c6, 0x9ff77d71,
0x92b45ba8, 0x9675461f, 0x8832161a, 0x8cf30bad, 0x81b02d74, 0x857130c3,
0x5d8a9099, 0x594b8d2e, 0x5408abf7, 0x50c9b640, 0x4e8ee645, 0x4a4ffbf2,
0x470cdd2b, 0x43cdc09c, 0x7b827d21, 0x7f436096, 0x7200464f, 0x76c15bf8,
0x68860bfd, 0x6c47164a, 0x61043093, 0x65c52d24, 0x119b4be9, 0x155a565e,
0x18197087, 0x1cd86d30, 0x029f3d35, 0x065e2082, 0x0b1d065b, 0x0fdc1bec,
0x3793a651, 0x3352bbe6, 0x3e119d3f, 0x3ad08088, 0x2497d08d, 0x2056cd3a,
0x2d15ebe3, 0x29d4f654, 0xc5a92679, 0xc1683bce, 0xcc2b1d17, 0xc8ea00a0,
0xd6ad50a5, 0xd26c4d12, 0xdf2f6bcb, 0xdbee767c, 0xe3a1cbc1, 0xe760d676,
0xea23f0af, 0xeee2ed18, 0xf0a5bd1d, 0xf464a0aa, 0xf9278673, 0xfde69bc4,
0x89b8fd09, 0x8d79e0be, 0x803ac667, 0x84fbdbd0, 0x9abc8bd5, 0x9e7d9662,
0x933eb0bb, 0x97ffad0c, 0xafb010b1, 0xab710d06, 0xa6322bdf, 0xa2f33668,
0xbcb4666d, 0xb8757bda, 0xb5365d03, 0xb1f740b4
};
// Nallocfuzz data to take a decision
uint32_t nalloc_random_state = 0;
__thread unsigned int nalloc_running = 0;
bool nalloc_initialized = false;
uint32_t nalloc_runs = 0;
// Nalloc fuzz parameters
uint32_t nalloc_bitmask = 0xFF;
bool nalloc_random_bitmask = true;
uint32_t nalloc_magic = 0x294cee63;
bool nalloc_verbose = false;
#ifdef NALLOC_ASAN
extern void __sanitizer_print_stack_trace(void);
#endif
// Generic init, using env variables to get parameters
void nalloc_init(const char *prog) {
if (nalloc_initialized) {
return;
}
nalloc_initialized = true;
char *bitmask = getenv("NALLOC_FREQ");
if (bitmask) {
int shift = atoi(bitmask);
if (shift > 0 && shift < 31) {
nalloc_bitmask = 1 << shift;
nalloc_random_bitmask = false;
} else if (shift == 0) {
nalloc_random_bitmask = false;
nalloc_bitmask = 0;
}
} else if (prog == NULL || strstr(prog, "nalloc") == NULL) {
nalloc_random_bitmask = false;
nalloc_bitmask = 0;
return;
}
char *magic = getenv("NALLOC_MAGIC");
if (magic) {
nalloc_magic = (uint32_t)strtol(magic, NULL, 0);
}
char *verbose = getenv("NALLOC_VERBOSE");
if (verbose) {
nalloc_verbose = true;
}
}
// add one byte to the CRC
static inline void nalloc_random_update(uint8_t b) {
nalloc_random_state =
((uint32_t)((uint32_t)nalloc_random_state << 8)) ^
nalloc_crc32_table[((nalloc_random_state >> 24) ^ b) & 0xFF];
}
// Start the failure injections, using a buffer as seed
static int nalloc_start(const uint8_t *data, size_t size) {
if (nalloc_random_bitmask) {
if (nalloc_random_state & 0x10) {
nalloc_bitmask = 0xFFFFFFFF;
} else {
nalloc_bitmask = 1 << (5 + (nalloc_random_state & 0xF));
}
} else if (nalloc_bitmask == 0) {
// nalloc disabled
return 0;
}
nalloc_random_state = 0;
for (size_t i = 0; i < size; i++) {
nalloc_random_update(data[i]);
}
if (__sync_fetch_and_add(&nalloc_running, 1)) {
__sync_fetch_and_sub(&nalloc_running, 1);
return 0;
}
nalloc_runs++;
return 1;
}
// Stop the failure injections
static void nalloc_end() { __sync_fetch_and_sub(&nalloc_running, 1); }
static bool nalloc_backtrace_exclude(size_t size, const char *op) {
if (nalloc_verbose) {
fprintf(stderr, "failed %s(%zu) \n", op, size);
#ifdef NALLOC_ASAN
__sanitizer_print_stack_trace();
#endif
}
return false;
}
//
static bool nalloc_fail(size_t size, const char *op) {
// do not fail before thread init
if (nalloc_runs == 0) {
return false;
}
if (__sync_fetch_and_add(&nalloc_running, 1) != 1) {
// do not fail allocations outside of fuzzer input
// and do not fail inside of this function
__sync_fetch_and_sub(&nalloc_running, 1);
return false;
}
nalloc_random_update((uint8_t)size);
if (size >= 0x100) {
nalloc_random_update((uint8_t)(size >> 8));
if (size >= 0x10000) {
nalloc_random_update((uint8_t)(size >> 16));
// bigger may already fail or oom
}
}
if (((nalloc_random_state ^ nalloc_magic) & nalloc_bitmask) == 0) {
if (nalloc_backtrace_exclude(size, op)) {
__sync_fetch_and_sub(&nalloc_running, 1);
return false;
}
__sync_fetch_and_sub(&nalloc_running, 1);
return true;
}
__sync_fetch_and_sub(&nalloc_running, 1);
return false;
}
// ASAN interceptor for libc routines
#ifdef NALLOC_ASAN
extern void *__interceptor_malloc(size_t);
extern void *__interceptor_calloc(size_t, size_t);
extern void *__interceptor_realloc(void *, size_t);
extern void *__interceptor_reallocarray(void *, size_t, size_t);
extern ssize_t __interceptor_read(int, void *, size_t);
extern ssize_t __interceptor_write(int, const void *, size_t);
extern ssize_t __interceptor_recv(int, void *, size_t, int);
extern ssize_t __interceptor_send(int, const void *, size_t, int);
#define nalloc_malloc(s) __interceptor_malloc(s)
#define nalloc_calloc(s, n) __interceptor_calloc(s, n)
#define nalloc_realloc(p, s) __interceptor_realloc(p, s)
#define nalloc_reallocarray(p, s, n) __interceptor_reallocarray(p, s, n)
#define nalloc_read(f, b, s) __interceptor_read(f, b, s)
#define nalloc_write(f, b, s) __interceptor_write(f, b, s)
#define nalloc_recv(f, b, s, x) __interceptor_recv(f, b, s, x)
#define nalloc_send(f, b, s, x) __interceptor_send(f, b, s, x)
#else
extern void *__libc_malloc(size_t);
extern void *__libc_calloc(size_t, size_t);
extern void *__libc_realloc(void *, size_t);
extern void *__libc_reallocarray(void *, size_t, size_t);
extern ssize_t __read(int, void *, size_t);
extern ssize_t __write(int, const void *, size_t);
extern ssize_t __recv(int, void *, size_t, int);
extern ssize_t __send(int, const void *, size_t, int);
#define nalloc_malloc(s) __libc_malloc(s)
#define nalloc_calloc(s, n) __libc_calloc(s, n)
#define nalloc_realloc(p, s) __libc_realloc(p, s)
#define nalloc_reallocarray(p, s, n) __libc_reallocarray(p, s, n)
#define nalloc_read(f, b, s) __read(f, b, s)
#define nalloc_write(f, b, s) __write(f, b, s)
#define nalloc_recv(f, b, s, x) __recv(f, b, s, x)
#define nalloc_send(f, b, s, x) __send(f, b, s, x)
#endif
// nalloc standard function overwrites with pseudo-random failures
ssize_t read(int fd, void *buf, size_t count) {
if (nalloc_fail(count, "read")) {
errno = EIO;
return -1;
}
return nalloc_read(fd, buf, count);
}
ssize_t write(int fd, const void *buf, size_t count) {
if (nalloc_fail(count, "write")) {
errno = EIO;
return -1;
}
return nalloc_write(fd, buf, count);
}
ssize_t recv(int fd, void *buf, size_t count, int flags) {
if (nalloc_fail(count, "recv")) {
errno = EIO;
return -1;
}
return nalloc_recv(fd, buf, count, flags);
}
ssize_t send(int fd, const void *buf, size_t count, int flags) {
if (nalloc_fail(count, "send")) {
errno = EIO;
return -1;
}
return nalloc_send(fd, buf, count, flags);
}
void *calloc(size_t nmemb, size_t size) {
if (nalloc_fail(size, "calloc")) {
errno = ENOMEM;
return NULL;
}
return nalloc_calloc(nmemb, size);
}
void *malloc(size_t size) {
if (nalloc_fail(size, "malloc")) {
errno = ENOMEM;
return NULL;
}
return nalloc_malloc(size);
}
void *realloc(void *ptr, size_t size) {
if (nalloc_fail(size, "realloc")) {
errno = ENOMEM;
return NULL;
}
return nalloc_realloc(ptr, size);
}
void *reallocarray(void *ptr, size_t nmemb, size_t size) {
if (nalloc_fail(size, "reallocarray")) {
errno = ENOMEM;
return NULL;
}
return nalloc_reallocarray(ptr, nmemb, size);
}
#ifdef __cplusplus
} // extern "C" {
#endif
#endif // NALLOC_H_