1 files changed, 88 insertions, 0 deletions

diff --git a/tests/fuzzer/simple_api_fuzzer.c b/tests/fuzzer/simple_api_fuzzer.c
new file mode 100644
index 00000000..fbc9310b
--- /dev/null
+++ b/tests/fuzzer/simple_api_fuzzer.c
@@ -0,0 +1,88 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include "./fuzz_utils.h"
+#include "webp/decode.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* const data, size_t size) {
+  int w, h;
+  if (!WebPGetInfo(data, size, &w, &h)) return 0;
+  if ((size_t)w * h > kFuzzPxLimit) return 0;
+
+  const uint8_t value = FuzzHash(data, size);
+  uint8_t* buf = NULL;
+
+  // For *Into functions, which decode into an external buffer, an
+  // intentionally too small buffer can be given with low probability.
+  if (value < 0x16) {
+    buf = WebPDecodeRGBA(data, size, &w, &h);
+  } else if (value < 0x2b) {
+    buf = WebPDecodeBGRA(data, size, &w, &h);
+#if !defined(WEBP_REDUCE_CSP)
+  } else if (value < 0x40) {
+    buf = WebPDecodeARGB(data, size, &w, &h);
+  } else if (value < 0x55) {
+    buf = WebPDecodeRGB(data, size, &w, &h);
+  } else if (value < 0x6a) {
+    buf = WebPDecodeBGR(data, size, &w, &h);
+#endif  // !defined(WEBP_REDUCE_CSP)
+  } else if (value < 0x7f) {
+    uint8_t *u, *v;
+    int stride, uv_stride;
+    buf = WebPDecodeYUV(data, size, &w, &h, &u, &v, &stride, &uv_stride);
+  } else if (value < 0xe8) {
+    const int stride = (value < 0xbe ? 4 : 3) * w;
+    size_t buf_size = stride * h;
+    if (value % 0x10 == 0) buf_size--;
+    uint8_t* const ext_buf = (uint8_t*)malloc(buf_size);
+    if (value < 0x94) {
+      WebPDecodeRGBAInto(data, size, ext_buf, buf_size, stride);
+#if !defined(WEBP_REDUCE_CSP)
+    } else if (value < 0xa9) {
+      WebPDecodeARGBInto(data, size, ext_buf, buf_size, stride);
+    } else if (value < 0xbe) {
+      WebPDecodeBGRInto(data, size, ext_buf, buf_size, stride);
+    } else if (value < 0xd3) {
+      WebPDecodeRGBInto(data, size, ext_buf, buf_size, stride);
+#endif  // !defined(WEBP_REDUCE_CSP)
+    } else {
+      WebPDecodeBGRAInto(data, size, ext_buf, buf_size, stride);
+    }
+    free(ext_buf);
+  } else {
+    size_t luma_size = w * h;
+    const int uv_stride = (w + 1) / 2;
+    size_t u_size = uv_stride * (h + 1) / 2;
+    size_t v_size = uv_stride * (h + 1) / 2;
+    if (value % 0x10 == 0) {
+      if (size & 1) luma_size--;
+      if (size & 2) u_size--;
+      if (size & 4) v_size--;
+    }
+    uint8_t* const luma_buf = (uint8_t*)malloc(luma_size);
+    uint8_t* const u_buf = (uint8_t*)malloc(u_size);
+    uint8_t* const v_buf = (uint8_t*)malloc(v_size);
+    WebPDecodeYUVInto(data, size, luma_buf, luma_size, w /* luma_stride */,
+                      u_buf, u_size, uv_stride, v_buf, v_size, uv_stride);
+    free(luma_buf);
+    free(u_buf);
+    free(v_buf);
+  }
+
+  if (buf) WebPFree(buf);
+
+  return 0;
+}