oss-fuzz: Transfer to an external repo and remove from this repo

A new repository named "pngfuzz", dedicated to fuzz testing PNG
processing software in general and libpng in particular, has been
created:

https://github.com/pnggroup/pngfuzz

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

contrib/oss-fuzz/Dockerfile

@@ -1,28 +0,0 @@
-# Copyright 2024 Cosmin Truta
-# Copyright 2017 Glenn Randers-Pehrson
-# Copyright 2016 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-################################################################################
-
-FROM gcr.io/oss-fuzz-base/base-builder
-
-RUN apt-get update && \
-    apt-get install -y make autoconf automake libtool zlib1g-dev
-
-RUN git clone --depth=1 https://github.com/pnggroup/libpng.git && \
-    git clone --depth=1 https://github.com/madler/zlib.git && \
-    cp libpng/contrib/oss-fuzz/build.sh $SRC
-
-WORKDIR /home/libpng

contrib/oss-fuzz/README.txt

@@ -1,40 +0,0 @@
-libpng additions to oss-fuzz
-============================
-
-Copyright (c) 2024 Cosmin Truta
-Copyright (c) 2017 Glenn Randers-Pehrson
-
-This code is released under the libpng license.
-For conditions of distribution and use, see the disclaimer
-and license in png.h
-
-Files in this directory are used by the oss-fuzz project
-(https://github.com/google/oss-fuzz/tree/master/projects/libpng).
-for "fuzzing" libpng.
-
-They were licensed by Google Inc, using the BSD-like Chromium license,
-which may be found at https://cs.chromium.org/chromium/src/LICENSE, or, if
-noted in the source, under the Apache-2.0 license, which may
-be found at http://www.apache.org/licenses/LICENSE-2.0 .
-If they have been modified, the derivatives are copyright Glenn Randers-Pehrson
-and are released under the same licenses as the originals.  Several of
-the original files (libpng_read_fuzzer.options, png.dict, project.yaml)
-had no licensing information; we assumed that these were under the Chromium
-license. Any new files are released under the libpng license (see png.h).
-
-The files are
-                            Original
- Filename                   or derived   Copyright          License
- =========================  ==========   ================   ==========
- Dockerfile*                derived      2017, Glenn R-P    Apache 2.0
- build.sh                   derived      2017, Glenn R-P    Apache 2.0
- libpng_read_fuzzer.cc      derived      2017, Glenn R-P    Chromium
- libpng_read_fuzzer.options original     2015, Chrome Devs  Chromium
- png.dict                   original     2015, Chrome Devs  Chromium
- README.txt (this file)     original     2017, Glenn R-P    libpng
-
- * Dockerfile is a copy of the file used by oss-fuzz. build.sh,
-   png.dict and libpng_read_fuzzer.* are the actual files used by oss-fuzz,
-   which retrieves them from the libpng repository at Github.
-
-To do: exercise the progressive reader and the png encoder.

contrib/oss-fuzz/build.sh

@@ -1,47 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-
-# Copyright 2024 Cosmin Truta
-# Copyright 2017 Glenn Randers-Pehrson
-# Copyright 2016 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-################################################################################
-
-# Disable logging via library build configuration control.
-sed -e "s/option STDIO/option STDIO disabled/" \
-    -e "s/option WARNING /option WARNING disabled/" \
-    -e "s/option WRITE enables WRITE_INT_FUNCTIONS/option WRITE disabled/" \
-    scripts/pnglibconf.dfa >scripts/pnglibconf.dfa.tmp
-mv -f scripts/pnglibconf.dfa.tmp scripts/pnglibconf.dfa
-
-# Build the libpng library ("libpng16.la"), excluding the auxiliary tools.
-autoreconf -f -i
-./configure --with-libpng-prefix=OSS_FUZZ_
-make -j$(nproc) clean
-make -j$(nproc) libpng16.la
-
-# Build libpng_read_fuzzer.
-$CXX $CXXFLAGS -std=c++11 -I. \
-     $SRC/libpng/contrib/oss-fuzz/libpng_read_fuzzer.cc \
-     -o $OUT/libpng_read_fuzzer \
-     -lFuzzingEngine .libs/libpng16.a -lz
-
-# Add seed corpus.
-find $SRC/libpng -name "*.png" | grep -v crashers | \
-     xargs zip $OUT/libpng_read_fuzzer_seed_corpus.zip
-
-cp $SRC/libpng/contrib/oss-fuzz/*.dict \
-   $SRC/libpng/contrib/oss-fuzz/*.options \
-   $OUT/

contrib/oss-fuzz/libpng_read_fuzzer.cc

@@ -1,224 +0,0 @@
-
-// libpng_read_fuzzer.cc
-// Copyright 2017-2018 Glenn Randers-Pehrson
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that may
-// be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE
-
-// The modifications in 2017 by Glenn Randers-Pehrson include
-// 1. addition of a PNG_CLEANUP macro,
-// 2. setting the option to ignore ADLER32 checksums,
-// 3. adding "#include <string.h>" which is needed on some platforms
-//    to provide memcpy().
-// 4. adding read_end_info() and creating an end_info structure.
-// 5. adding calls to png_set_*() transforms commonly used by browsers.
-
-#include <stddef.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <vector>
-
-#define PNG_INTERNAL
-#include "png.h"
-
-#define PNG_CLEANUP \
-  if(png_handler.png_ptr) \
-  { \
-    if (png_handler.row_ptr) \
-      png_free(png_handler.png_ptr, png_handler.row_ptr); \
-    if (png_handler.end_info_ptr) \
-      png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\
-        &png_handler.end_info_ptr); \
-    else if (png_handler.info_ptr) \
-      png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\
-        nullptr); \
-    else \
-      png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \
-    png_handler.png_ptr = nullptr; \
-    png_handler.row_ptr = nullptr; \
-    png_handler.info_ptr = nullptr; \
-    png_handler.end_info_ptr = nullptr; \
-  }
-
-struct BufState {
-  const uint8_t* data;
-  size_t bytes_left;
-};
-
-struct PngObjectHandler {
-  png_infop info_ptr = nullptr;
-  png_structp png_ptr = nullptr;
-  png_infop end_info_ptr = nullptr;
-  png_voidp row_ptr = nullptr;
-  BufState* buf_state = nullptr;
-
-  ~PngObjectHandler() {
-    if (row_ptr)
-      png_free(png_ptr, row_ptr);
-    if (end_info_ptr)
-      png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr);
-    else if (info_ptr)
-      png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
-    else
-      png_destroy_read_struct(&png_ptr, nullptr, nullptr);
-    delete buf_state;
-  }
-};
-
-void user_read_data(png_structp png_ptr, png_bytep data, size_t length) {
-  BufState* buf_state = static_cast<BufState*>(png_get_io_ptr(png_ptr));
-  if (length > buf_state->bytes_left) {
-    png_error(png_ptr, "read error");
-  }
-  memcpy(data, buf_state->data, length);
-  buf_state->bytes_left -= length;
-  buf_state->data += length;
-}
-
-void* limited_malloc(png_structp, png_alloc_size_t size) {
-  // libpng may allocate large amounts of memory that the fuzzer reports as
-  // an error. In order to silence these errors, make libpng fail when trying
-  // to allocate a large amount. This allocator used to be in the Chromium
-  // version of this fuzzer.
-  // This number is chosen to match the default png_user_chunk_malloc_max.
-  if (size > 8000000)
-    return nullptr;
-
-  return malloc(size);
-}
-
-void default_free(png_structp, png_voidp ptr) {
-  return free(ptr);
-}
-
-static const int kPngHeaderSize = 8;
-
-// Entry point for LibFuzzer.
-// Roughly follows the libpng book example:
-// http://www.libpng.org/pub/png/book/chapter13.html
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  if (size < kPngHeaderSize) {
-    return 0;
-  }
-
-  std::vector<unsigned char> v(data, data + size);
-  if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) {
-    // not a PNG.
-    return 0;
-  }
-
-  PngObjectHandler png_handler;
-  png_handler.png_ptr = nullptr;
-  png_handler.row_ptr = nullptr;
-  png_handler.info_ptr = nullptr;
-  png_handler.end_info_ptr = nullptr;
-
-  png_handler.png_ptr = png_create_read_struct
-    (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr);
-  if (!png_handler.png_ptr) {
-    return 0;
-  }
-
-  png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr);
-  if (!png_handler.info_ptr) {
-    PNG_CLEANUP
-    return 0;
-  }
-
-  png_handler.end_info_ptr = png_create_info_struct(png_handler.png_ptr);
-  if (!png_handler.end_info_ptr) {
-    PNG_CLEANUP
-    return 0;
-  }
-
-  // Use a custom allocator that fails for large allocations to avoid OOM.
-  png_set_mem_fn(png_handler.png_ptr, nullptr, limited_malloc, default_free);
-
-  png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
-#ifdef PNG_IGNORE_ADLER32
-  png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON);
-#endif
-
-  // Setting up reading from buffer.
-  png_handler.buf_state = new BufState();
-  png_handler.buf_state->data = data + kPngHeaderSize;
-  png_handler.buf_state->bytes_left = size - kPngHeaderSize;
-  png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data);
-  png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize);
-
-  if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
-    PNG_CLEANUP
-    return 0;
-  }
-
-  // Reading.
-  png_read_info(png_handler.png_ptr, png_handler.info_ptr);
-
-  // reset error handler to put png_deleter into scope.
-  if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
-    PNG_CLEANUP
-    return 0;
-  }
-
-  png_uint_32 width, height;
-  int bit_depth, color_type, interlace_type, compression_type;
-  int filter_type;
-
-  if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width,
-                    &height, &bit_depth, &color_type, &interlace_type,
-                    &compression_type, &filter_type)) {
-    PNG_CLEANUP
-    return 0;
-  }
-
-  // This is going to be too slow.
-  if (width && height > 100000000 / width) {
-    PNG_CLEANUP
-    return 0;
-  }
-
-  // Set several transforms that browsers typically use:
-  png_set_gray_to_rgb(png_handler.png_ptr);
-  png_set_expand(png_handler.png_ptr);
-  png_set_packing(png_handler.png_ptr);
-  png_set_scale_16(png_handler.png_ptr);
-  png_set_tRNS_to_alpha(png_handler.png_ptr);
-
-  int passes = png_set_interlace_handling(png_handler.png_ptr);
-
-  png_read_update_info(png_handler.png_ptr, png_handler.info_ptr);
-
-  png_handler.row_ptr = png_malloc(
-      png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr,
-                                            png_handler.info_ptr));
-
-  for (int pass = 0; pass < passes; ++pass) {
-    for (png_uint_32 y = 0; y < height; ++y) {
-      png_read_row(png_handler.png_ptr,
-                   static_cast<png_bytep>(png_handler.row_ptr), nullptr);
-    }
-  }
-
-  png_read_end(png_handler.png_ptr, png_handler.end_info_ptr);
-
-  PNG_CLEANUP
-
-#ifdef PNG_SIMPLIFIED_READ_SUPPORTED
-  // Simplified READ API
-  png_image image;
-  memset(&image, 0, (sizeof image));
-  image.version = PNG_IMAGE_VERSION;
-
-  if (!png_image_begin_read_from_memory(&image, data, size)) {
-    return 0;
-  }
-
-  image.format = PNG_FORMAT_RGBA;
-  std::vector<png_byte> buffer(PNG_IMAGE_SIZE(image));
-  png_image_finish_read(&image, NULL, buffer.data(), 0, NULL);
-#endif
-
-  return 0;
-}

contrib/oss-fuzz/libpng_read_fuzzer.options

@@ -1,2 +0,0 @@
-[libfuzzer]
-dict = png.dict

contrib/oss-fuzz/png.dict

@@ -1,39 +0,0 @@
-#
-# AFL dictionary for PNG images
-# -----------------------------
-#
-# Just the basic, standard-originating sections; does not include vendor
-# extensions.
-#
-# Created by Michal Zalewski <lcamtuf@google.com>
-#
-
-header_png="\x89PNG\x0d\x0a\x1a\x0a"
-
-section_IDAT="IDAT"
-section_IEND="IEND"
-section_IHDR="IHDR"
-section_PLTE="PLTE"
-section_bKGD="bKGD"
-section_cHRM="cHRM"
-section_eXIf="eXIf"
-section_fRAc="fRAc"
-section_gAMA="gAMA"
-section_gIFg="gIFg"
-section_gIFt="gIFt"
-section_gIFx="gIFx"
-section_hIST="hIST"
-section_iCCP="iCCP"
-section_iTXt="iTXt"
-section_oFFs="oFFs"
-section_pCAL="pCAL"
-section_pHYs="pHYs"
-section_sBIT="sBIT"
-section_sCAL="sCAL"
-section_sPLT="sPLT"
-section_sRGB="sRGB"
-section_sTER="sTER"
-section_tEXt="tEXt"
-section_tIME="tIME"
-section_tRNS="tRNS"
-section_zTXt="zTXt"