From 855cc6c835bd9ef878a724970e1c1f1d6a6bb3f0 Mon Sep 17 00:00:00 2001 From: newpavlov Date: Fri, 8 Jun 2018 17:17:06 +0300 Subject: [PATCH 1/5] added fuzzy testing --- flif/src/components/metadata.rs | 12 +++++++++- flif/tests/fuzz.rs | 20 ++++++++++++++++ fuzz/.gitignore | 4 ++++ fuzz/Cargo.toml | 22 ++++++++++++++++++ ...h-8d04f4ab0c66838d13561517a34fc18cdf062439 | Bin 0 -> 52 bytes fuzz/fuzz_targets/fuzz_flif.rs | 9 +++++++ 6 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 flif/tests/fuzz.rs create mode 100644 fuzz/.gitignore create mode 100644 fuzz/Cargo.toml create mode 100644 fuzz/artifacts/fuzz_flif/crash-8d04f4ab0c66838d13561517a34fc18cdf062439 create mode 100644 fuzz/fuzz_targets/fuzz_flif.rs diff --git a/flif/src/components/metadata.rs b/flif/src/components/metadata.rs index 8e7ef50..ac4d17d 100644 --- a/flif/src/components/metadata.rs +++ b/flif/src/components/metadata.rs @@ -3,6 +3,9 @@ use error::*; use inflate::inflate_bytes; use numbers::FlifReadExt; +// maximum size of the comressed metadata chunk to prevent DoS attack +const MAX_METADATA_CHUNK: usize = 1<<20; + #[derive(Copy, Clone, Debug)] pub enum ChunkType { Iccp, @@ -59,9 +62,16 @@ impl Metadata { }; let chunk_size = reader.read_varint()?; + if chunk_size > MAX_METADATA_CHUNK { + Err(Error::InvalidMetadata(format!( + "requested chunk size ({} bytes) is bigger than the limit ({} bytes)", + chunk_size, MAX_METADATA_CHUNK + )))? + } let mut deflated_chunk = vec![0; chunk_size]; reader.read_exact(&mut deflated_chunk)?; - let inflated_chunk = inflate_bytes(&deflated_chunk).map_err(Error::InvalidMetadata)?; + let inflated_chunk = inflate_bytes(&deflated_chunk) + .map_err(Error::InvalidMetadata)?; Ok(MetadataType::Optional(Metadata { chunk_type, diff --git a/flif/tests/fuzz.rs b/flif/tests/fuzz.rs new file mode 100644 index 0000000..e53c2bd --- /dev/null +++ b/flif/tests/fuzz.rs 
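Review bot: The comment on the new `MAX_METADATA_CHUNK` constant misspells "compressed" and does not say what the limit applies to or in which unit, so a reader has to find the comparison site to learn that it bounds the varint-declared size of a compressed metadata chunk in bytes. Suggest `// Upper bound (1 MiB) on the declared size of a compressed metadata chunk; the size comes from the file, so it must be checked before it is used to size an allocation.` Note that PATCH 4/5 removes this constant again in favour of the `flif::Limits` struct used in PATCH 5/5.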
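Review bot: The new guard uses `Err(...)?` to return early, which relies on `?` propagating an `Err` value in a function that already returns `Result` and reads like a no-op to anyone skimming; `return Err(Error::InvalidMetadata(format!(...)));` says the same thing directly. The check does bound the `vec![0; chunk_size]` allocation that a file-controlled varint would otherwise size, but the output of `inflate_bytes(&deflated_chunk)` on the following line is still unbounded, so a chunk at the 1 MiB limit can inflate to a buffer several orders of magnitude larger; if the decoder can check the inflated length, or a bounded inflate is available, the same limit idea should apply there. This hunk is reverted in PATCH 4/5 and the limit reappears as `Limits::metadata_chunk` in PATCH 5/5, so the series would be easier to review squashed. The enclosing method of `impl Metadata` starts and ends outside the hunk.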
@@ -0,0 +1,20 @@ +extern crate flif; + +use flif::Flif; +use std::io::{Cursor, Read}; + +/// Tests an issue found in [#15](https://github.com/dgriffen/flif.rs/issues/15) +#[test] +fn fuzz_artifacts() { + let paths = std::fs::read_dir("../fuzz/artifacts/fuzz_flif/").unwrap(); + + for path in paths { + let path = path.unwrap().path(); + println!("Artifact: {}", path.display()); + let mut data = Vec::new(); + let mut file = std::fs::File::open(path).unwrap(); + file.read_to_end(&mut data).unwrap(); + // temporarily disabled + //let _ = Flif::decode(Cursor::new(&data)).map(|img| img.get_raw_pixels()); + } +} diff --git a/fuzz/.gitignore b/fuzz/.gitignore new file mode 100644 index 0000000..8f44bb5 --- /dev/null +++ b/fuzz/.gitignore @@ -0,0 +1,4 @@ + +target +corpus +//artifacts diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml new file mode 100644 index 0000000..4c8d927 --- /dev/null +++ b/fuzz/Cargo.toml @@ -0,0 +1,22 @@ + +[package] +name = "flif-fuzz" +version = "0.0.1" +authors = ["Automatically generated"] +publish = false + +[package.metadata] +cargo-fuzz = true + +[dependencies.flif] +path = "../flif/" +[dependencies.libfuzzer-sys] +git = "https://github.com/rust-fuzz/libfuzzer-sys.git" + +# Prevent this from interfering with workspaces +[workspace] +members = ["."] + +[[bin]] +name = "fuzz_flif" +path = "fuzz_targets/fuzz_flif.rs" diff --git a/fuzz/artifacts/fuzz_flif/crash-8d04f4ab0c66838d13561517a34fc18cdf062439 b/fuzz/artifacts/fuzz_flif/crash-8d04f4ab0c66838d13561517a34fc18cdf062439 new file mode 100644 index 0000000000000000000000000000000000000000..4545b8612fc046972c5a4d27f8e14235479b0e00 GIT binary patch literal 52 ncmZ?s@pLmWl>h(#2Lpow0|OHS0|T@98)lyj5aT~K;ARN`B5525 literal 0 HcmV?d00001 diff --git a/fuzz/fuzz_targets/fuzz_flif.rs b/fuzz/fuzz_targets/fuzz_flif.rs new file mode 100644 index 0000000..9d1ed67 --- /dev/null +++ b/fuzz/fuzz_targets/fuzz_flif.rs 
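Review bot: The `fuzz_artifacts` test in the new `flif/tests/fuzz.rs` reads every artifact but the only call that would exercise the decoder is commented out, so the test passes without checking anything and `Flif` and `Cursor` become unused imports that warn on every build. Either keep the decode call and assert that it returns rather than panics, or drop the test until the crash is fixed; PATCH 3/5 takes the second route by deleting the file, so the first patch could simply omit it. The `read_dir("../fuzz/artifacts/fuzz_flif/").unwrap()` also depends on the working directory cargo uses for integration tests and panics when the directory is absent, which is the state the later `.gitignore` change produces.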
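Review bot: `[dependencies.libfuzzer-sys]` points at a git URL with no `rev`, `tag` or `branch`, so every fresh checkout resolves to whatever the upstream default branch holds at that moment and two fuzzing runs may build different harness code, and a force-pushed or compromised upstream would be pulled in unnoticed. Pin it, e.g. keep `git = "https://github.com/rust-fuzz/libfuzzer-sys.git"` and add `rev = "<commit>"` (placeholder), or use the published crate with a version requirement, and commit the resulting `Cargo.lock` since the fuzz crate is its own workspace.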
@@ -0,0 +1,9 @@ +#![no_main] +#[macro_use] extern crate libfuzzer_sys; +extern crate flif; + +use std::io::Cursor; + +fuzz_target!(|data: &[u8]| { + let _ = flif::Flif::decode(Cursor::new(data)).map(|img| img.get_raw_pixels()); +}); From fddfc9970bbd5613d513b308ac9f24cfbbdc74ea Mon Sep 17 00:00:00 2001 From: newpavlov Date: Fri, 8 Jun 2018 17:26:51 +0300 Subject: [PATCH 2/5] revert formatting change --- flif/src/components/metadata.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/flif/src/components/metadata.rs b/flif/src/components/metadata.rs index ac4d17d..fc91143 100644 --- a/flif/src/components/metadata.rs +++ b/flif/src/components/metadata.rs @@ -70,8 +70,7 @@ impl Metadata { } let mut deflated_chunk = vec![0; chunk_size]; reader.read_exact(&mut deflated_chunk)?; - let inflated_chunk = inflate_bytes(&deflated_chunk) - .map_err(Error::InvalidMetadata)?; + let inflated_chunk = inflate_bytes(&deflated_chunk).map_err(Error::InvalidMetadata)?; Ok(MetadataType::Optional(Metadata { chunk_type, From f77b1c0e201d409b3e8b5d32c6ed6a313852f10b Mon Sep 17 00:00:00 2001 From: newpavlov Date: Fri, 8 Jun 2018 17:54:47 +0300 Subject: [PATCH 3/5] removed artifact test --- flif/tests/fuzz.rs | 20 ------------------ fuzz/.gitignore | 2 +- ...h-8d04f4ab0c66838d13561517a34fc18cdf062439 | Bin 52 -> 0 bytes 3 files changed, 1 insertion(+), 21 deletions(-) delete mode 100644 flif/tests/fuzz.rs delete mode 100644 fuzz/artifacts/fuzz_flif/crash-8d04f4ab0c66838d13561517a34fc18cdf062439 diff --git a/flif/tests/fuzz.rs b/flif/tests/fuzz.rs deleted file mode 100644 index e53c2bd..0000000 --- a/flif/tests/fuzz.rs +++ /dev/null 
@@ -1,20 +0,0 @@ -extern crate flif; - -use flif::Flif; -use std::io::{Cursor, Read}; - -/// Tests an issue found in [#15](https://github.com/dgriffen/flif.rs/issues/15) -#[test] -fn fuzz_artifacts() { - let paths = std::fs::read_dir("../fuzz/artifacts/fuzz_flif/").unwrap(); - - for path in paths { - let path = path.unwrap().path(); - println!("Artifact: {}", path.display()); - let mut data = Vec::new(); - let mut file = std::fs::File::open(path).unwrap(); - file.read_to_end(&mut data).unwrap(); - // temporarily disabled - //let _ = Flif::decode(Cursor::new(&data)).map(|img| img.get_raw_pixels()); - } -} diff --git a/fuzz/.gitignore b/fuzz/.gitignore index 8f44bb5..572e03b 100644 --- a/fuzz/.gitignore +++ b/fuzz/.gitignore @@ -1,4 +1,4 @@ target corpus -//artifacts +artifacts diff --git a/fuzz/artifacts/fuzz_flif/crash-8d04f4ab0c66838d13561517a34fc18cdf062439 b/fuzz/artifacts/fuzz_flif/crash-8d04f4ab0c66838d13561517a34fc18cdf062439 deleted file mode 100644 index 4545b8612fc046972c5a4d27f8e14235479b0e00..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 52 ncmZ?s@pLmWl>h(#2Lpow0|OHS0|T@98)lyj5aT~K;ARN`B5525 From 0df164fbd7703a3b5ae176b9057fda6449c0f76d Mon Sep 17 00:00:00 2001 From: newpavlov Date: Fri, 8 Jun 2018 18:36:17 +0300 Subject: [PATCH 4/5] revert metadata changes --- flif/src/components/metadata.rs | 9 --------- 1 file changed, 9 deletions(-) diff --git a/flif/src/components/metadata.rs b/flif/src/components/metadata.rs index fc91143..8e7ef50 100644 --- a/flif/src/components/metadata.rs +++ b/flif/src/components/metadata.rs @@ -3,9 +3,6 @@ use error::*; use inflate::inflate_bytes; use numbers::FlifReadExt; -// maximum size of the comressed metadata chunk to prevent DoS attack -const MAX_METADATA_CHUNK: usize = 1<<20; - #[derive(Copy, Clone, Debug)] pub enum ChunkType { Iccp, 
@@ -62,12 +59,6 @@ impl Metadata { }; let chunk_size = reader.read_varint()?; - if chunk_size > MAX_METADATA_CHUNK { - Err(Error::InvalidMetadata(format!( - "requested chunk size ({} bytes) is bigger than the limit ({} bytes)", - chunk_size, MAX_METADATA_CHUNK - )))? - } let mut deflated_chunk = vec![0; chunk_size]; reader.read_exact(&mut deflated_chunk)?; let inflated_chunk = inflate_bytes(&deflated_chunk).map_err(Error::InvalidMetadata)?; From 0e37ea237dfbab692eae74c4ff524bf14858d65b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=90=D1=80=D1=82=D1=91=D0=BC=20=D0=9F=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=BE=D0=B2=20=5BArtyom=20Pavlov=5D?= Date: Sat, 9 Jun 2018 20:26:43 +0300 Subject: [PATCH 5/5] added fuzz limits --- fuzz/fuzz_targets/fuzz_flif.rs | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fuzz/fuzz_targets/fuzz_flif.rs b/fuzz/fuzz_targets/fuzz_flif.rs index 9d1ed67..c6bc318 100644 --- a/fuzz/fuzz_targets/fuzz_flif.rs +++ b/fuzz/fuzz_targets/fuzz_flif.rs @@ -5,5 +5,12 @@ extern crate flif; use std::io::Cursor; fuzz_target!(|data: &[u8]| { - let _ = flif::Flif::decode(Cursor::new(data)).map(|img| img.get_raw_pixels()); + let limits = flif::Limits { + metadata_chunk: 32, + metadata_count: 8, + pixels: 1<<16, + maniac_nodes: 512, + }; + let _ = flif::Flif::decode_with_limits(Cursor::new(data), limits) + .map(|img| img.get_raw_pixels()); });
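Review bot: The four `flif::Limits` values in the fuzz target are bare magic numbers with no comment on why these particular sizes were chosen or what unit each is in, which is exactly what the next person tuning the harness needs to know. Suggest a comment above the struct literal such as `// Deliberately small limits so one fuzz iteration stays fast and cannot allocate large buffers; raise them if coverage of larger inputs is needed.` plus a per-field unit where it is not obvious (`metadata_chunk` presumably bytes, `pixels` a count). With `metadata_chunk: 32` any metadata chunk declared larger than 32 bytes is presumably rejected before inflation, so the inflate path is only fuzzed with tiny inputs; worth confirming that this is intended rather than a coverage gap. The `fuzz_target!` body ends inside the hunk, but the file's `extern crate` lines are outside it.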