├── BUILD.gn.txt ├── README.md ├── color_space_data.h ├── convert_woff2ttf_fuzzer.cc ├── courgette_fuzzer.cc ├── empty_fuzzer.cc ├── flatbuffers_verifier_fuzzer.cc ├── generate_javascript_parser_proto.py ├── gfx_png_image_fuzzer.cc ├── hash_fuzzer.cc ├── javascript_parser_proto_fuzzer.cc ├── javascript_parser_proto_to_string.h ├── language_detection_fuzzer.cc ├── libpng_read_fuzzer.cc ├── libsrtp_fuzzer.cc ├── libxml_xml_read_memory_fuzzer.cc ├── libyuv_scale_fuzzer.cc ├── prtime_fuzzer.cc ├── sha1_fuzzer.cc ├── skia_image_filter_proto_fuzzer.cc ├── skia_path_common.cc ├── skia_path_common.h ├── skia_path_fuzzer.cc ├── skia_pathop_fuzzer.cc ├── snappy_compress_fuzzer.cc ├── snappy_uncompress_fuzzer.cc ├── template_url_parser_fuzzer.cc ├── url_parse_proto_fuzzer.cc ├── usrsctp_fuzzer.cc └── v8_fuzzer.cc /BUILD.gn.txt: -------------------------------------------------------------------------------- 1 | # Copyright 2015 The Chromium Authors. All rights reserved. 2 | # Use of this source code is governed by a BSD-style license that can be 3 | # found in the LICENSE file. 4 | 5 | # Individual libfuzzer tests that didn't find their home yet. 6 | 7 | import("//build/config/features.gni") 8 | import("//testing/libfuzzer/fuzzer_test.gni") 9 | import("//third_party/protobuf/proto_library.gni") 10 | 11 | # root BUILD depends on this target. Needed for package discovery 12 | group("fuzzers") { 13 | } 14 | 15 | fuzzer_test("empty_fuzzer") { 16 | sources = [ "empty_fuzzer.cc" ] 17 | additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ] 18 | } 19 | 20 | fuzzer_test("courgette_fuzzer") { 21 | sources = [ "courgette_fuzzer.cc" ] 22 | deps = [ 23 | "//base", 24 | "//courgette:courgette_lib", 25 | ] 26 | } 27 | 28 | fuzzer_test("language_detection_fuzzer") { 29 | sources = [ "language_detection_fuzzer.cc" ] 30 | deps = [ 31 | "//base", 32 | "//components/translate/core/language_detection:language_detection", 33 | ] 34 | } 35 | 36 | fuzzer_test("snappy_compress_fuzzer") { 37 | sources = [ "snappy_compress_fuzzer.cc" ] 38 | deps = [ "//third_party/snappy:snappy" ] 39 | seed_corpus = "//third_party/snappy/src/testdata" 40 | } 41 | 42 | fuzzer_test("snappy_uncompress_fuzzer") { 43 | sources = [ "snappy_uncompress_fuzzer.cc" ] 44 | deps = [ "//third_party/snappy:snappy" ] 45 | seed_corpus = "//third_party/snappy/src/testdata" 46 | } 47 | 48 | fuzzer_test("template_url_parser_fuzzer") { 49 | sources = [ "template_url_parser_fuzzer.cc" ] 50 | deps = [ 51 | "//base", 52 | "//base:i18n", 53 | "//components/search_engines", 54 | "//mojo/core/embedder", 55 | "//services/data_decoder/public/cpp", 56 | "//services/data_decoder/public/cpp:test_support", 57 | "//third_party/libxml:libxml", 58 | ] 59 | dict = "//third_party/libxml/fuzz/xml.dict" 60 | libfuzzer_options = [ "max_len=4096" ] 61 | } 62 | 63 | fuzzer_test("url_parse_proto_fuzzer") { 64 | sources = [ "url_parse_proto_fuzzer.cc" ] 65 | deps = [ 66 | ":url_proto", 67 | "//base", 68 | "//base:i18n", 69 | "//third_party/libprotobuf-mutator", 70 | "//url:url", 71 | ] 72 | } 73 | 74 | proto_library("url_proto") { 75 | sources = [ "url.proto" ] 76 | } 77 | 78 | fuzzer_test("usrsctp_fuzzer") { 79 | sources = [ "usrsctp_fuzzer.cc" ] 80 | deps = [ "//third_party/usrsctp" ] 81 | } 82 | 83 | fuzzer_test("libsrtp_fuzzer") { 84 | sources = [ "libsrtp_fuzzer.cc" ] 85 | deps = [ "//third_party/libsrtp" ] 86 | libfuzzer_options = [ "max_len=1500" ] 87 | } 88 | 89 | libpng_seed_corpuses = [ 90 | "//components/viz/test/data", 91 | "//third_party/blink/web_tests/images/png-suite/samples", 92 | "//third_party/blink/web_tests/images/resources/pngfuzz", 93 | ] 94 | 95 | fuzzer_test("gfx_png_image_fuzzer") { 96 | sources = [ "gfx_png_image_fuzzer.cc" ] 97 | deps = [ 98 | "//base", 99 | "//ui/gfx", 100 | ] 101 | dict = "dicts/png.dict" 102 | seed_corpuses = libpng_seed_corpuses 103 | } 104 | 105 | fuzzer_test("libxml_xml_read_memory_fuzzer") { 106 | sources = [ "libxml_xml_read_memory_fuzzer.cc" ] 107 | deps = [ "//third_party/libxml:libxml" ] 108 | dict = "//third_party/libxml/fuzz/xml.dict" 109 | seed_corpus = "//third_party/libxml/fuzz/seed_corpus" 110 | } 111 | 112 | fuzzer_test("libpng_progressive_read_fuzzer") { 113 | sources = [ "libpng_read_fuzzer.cc" ] 114 | deps = [ 115 | "//base", 116 | "//third_party/libpng", 117 | ] 118 | dict = "dicts/png.dict" 119 | seed_corpuses = libpng_seed_corpuses 120 | } 121 | 122 | fuzzer_test("v8_script_parser_fuzzer") { 123 | sources = [] 124 | deps = [ "//v8:parser_fuzzer" ] 125 | dict = "dicts/generated/javascript.dict" 126 | seed_corpus = "//v8/test/mjsunit/regress/" 127 | libfuzzer_options = [ "only_ascii=1" ] 128 | environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] 129 | } 130 | 131 | fuzzer_test("v8_json_parser_fuzzer") { 132 | sources = [] 133 | deps = [ "//v8:json_fuzzer" ] 134 | dict = "dicts/json.dict" 135 | environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] 136 | } 137 | 138 | fuzzer_test("v8_regexp_parser_fuzzer") { 139 | sources = [] 140 | deps = [ "//v8:regexp_fuzzer" ] 141 | dict = "dicts/regexp.dict" 142 | seed_corpus = "//v8/test/fuzzer/regexp/" 143 | libfuzzer_options = [ "max_len=64" ] 144 | environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] 145 | } 146 | 147 | fuzzer_test("v8_regexp_builtins_fuzzer") { 148 | sources = [] 149 | deps = [ "//v8:regexp_builtins_fuzzer" ] 150 | environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] 151 | } 152 | 153 | fuzzer_test("v8_multi_return_fuzzer") { 154 | sources = [] 155 | deps = [ "//v8:multi_return_fuzzer" ] 156 | asan_options = [ 157 | "allow_user_segv_handler=1", 158 | "handle_sigtrap=1", 159 | ] 160 | msan_options = [ "handle_sigtrap=1" ] 161 | ubsan_options = [ "handle_sigtrap=1" ] 162 | environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] 163 | } 164 | 165 | fuzzer_test("v8_wasm_code_fuzzer") { 166 | sources = [] 167 | deps = [ "//v8:wasm_code_fuzzer" ] 168 | libfuzzer_options = [ "max_len=500" ] 169 | asan_options = [ 170 | "allow_user_segv_handler=1", 171 | "handle_sigtrap=1", 172 | ] 173 | msan_options = [ "handle_sigtrap=1" ] 174 | ubsan_options = [ "handle_sigtrap=1" ] 175 | environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] 176 | } 177 | 178 | fuzzer_test("v8_wasm_compile_fuzzer") { 179 | sources = [] 180 | deps = [ "//v8:wasm_compile_fuzzer" ] 181 | libfuzzer_options = [ "max_len=500" ] 182 | asan_options = [ 183 | "allow_user_segv_handler=1", 184 | "handle_sigtrap=1", 185 | ] 186 | msan_options = [ "handle_sigtrap=1" ] 187 | ubsan_options = [ "handle_sigtrap=1" ] 188 | environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] 189 | } 190 | 191 | fuzzer_test("v8_wasm_fuzzer") { 192 | sources = [] 193 | deps = [ "//v8:wasm_fuzzer" ] 194 | dict = "dicts/v8_wasm.dict" 195 | seed_corpus = "//v8/test/fuzzer/wasm_corpus/" 196 | libfuzzer_options = [ "max_len=500" ] 197 | asan_options = [ 198 | "allow_user_segv_handler=1", 199 | "handle_sigtrap=1", 200 | ] 201 | msan_options = [ "handle_sigtrap=1" ] 202 | ubsan_options = [ "handle_sigtrap=1" ] 203 | environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] 204 | } 205 | 206 | fuzzer_test("v8_wasm_async_fuzzer") { 207 | sources = [] 208 | deps = [ "//v8:wasm_async_fuzzer" ] 209 | dict = "dicts/v8_wasm.dict" 210 | seed_corpus = "//v8/test/fuzzer/wasm_corpus/" 211 | libfuzzer_options = [ "max_len=500" ] 212 | asan_options = [ 213 | "allow_user_segv_handler=1", 214 | "handle_sigtrap=1", 215 | ] 216 | msan_options = [ "handle_sigtrap=1" ] 217 | ubsan_options = [ "handle_sigtrap=1" ] 218 | environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] 219 | } 220 | 221 | fuzzer_test("convert_woff2ttf_fuzzer") { 222 | sources = [ "convert_woff2ttf_fuzzer.cc" ] 223 | deps = [ "//third_party/woff2:woff2_dec" ] 224 | seed_corpus = "//testing/libfuzzer/fuzzers/woff2_corpus" 225 | libfuzzer_options = [ "max_len=803500" ] 226 | } 227 | 228 | fuzzer_test("flatbuffers_verifier_fuzzer") { 229 | sources = [ "flatbuffers_verifier_fuzzer.cc" ] 230 | deps = [ 231 | "//third_party/flatbuffers", 232 | "//third_party/flatbuffers:flatbuffers_samplebuffer", 233 | ] 234 | libfuzzer_options = [ "max_len=1024" ] 235 | seed_corpus = "//testing/libfuzzer/fuzzers/flatbuffers_corpus" 236 | } 237 | 238 | fuzzer_test("skia_path_fuzzer") { 239 | sources = [ 240 | "skia_path_common.cc", 241 | "skia_path_common.h", 242 | "skia_path_fuzzer.cc", 243 | ] 244 | deps = [ "//skia" ] 245 | libfuzzer_options = [ "max_len=256" ] 246 | if (is_debug) { 247 | # Disabled due to crashing on SkASSERT (crbug.com/642750, crbug.com/643275). 248 | additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ] 249 | } 250 | } 251 | 252 | fuzzer_test("skia_pathop_fuzzer") { 253 | sources = [ 254 | "skia_path_common.cc", 255 | "skia_path_common.h", 256 | "skia_pathop_fuzzer.cc", 257 | ] 258 | deps = [ 259 | "//base", 260 | "//skia", 261 | ] 262 | libfuzzer_options = [ "max_len=512" ] 263 | if (is_debug) { 264 | # Disabled due to crashing on SkASSERT (crbug.com/642750, crbug.com/643275). 265 | additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ] 266 | } 267 | } 268 | 269 | fuzzer_test("prtime_fuzzer") { 270 | sources = [ "prtime_fuzzer.cc" ] 271 | deps = [ "//base" ] 272 | dict = "dicts/prtime.dict" 273 | libfuzzer_options = [ "max_len=1024" ] 274 | } 275 | 276 | fuzzer_test("angle_translator_fuzzer") { 277 | sources = [] 278 | deps = [ "//third_party/angle:translator_fuzzer" ] 279 | libfuzzer_options = [ "max_len=1000" ] 280 | dict = "dicts/webgl-glsl.dict" 281 | } 282 | 283 | if (target_cpu == "x86" || target_cpu == "x64") { 284 | fuzzer_test("swiftshader_vertex_routine_fuzzer") { 285 | sources = [] 286 | deps = [ "//third_party/swiftshader:vertex_routine_fuzzer" ] 287 | } 288 | } 289 | 290 | fuzzer_test("sha1_fuzzer") { 291 | sources = [ "sha1_fuzzer.cc" ] 292 | deps = [ "//base" ] 293 | } 294 | 295 | fuzzer_test("hash_fuzzer") { 296 | sources = [ "hash_fuzzer.cc" ] 297 | deps = [ "//base" ] 298 | } 299 | 300 | action("gen_javascript_parser_proto") { 301 | # Only targets in this file and the top-level visibility target can 302 | # depend on this. 303 | visibility = [ 304 | ":*", 305 | "//:gn_visibility", 306 | ] 307 | 308 | script = "generate_javascript_parser_proto.py" 309 | 310 | sources = [ "dicts/javascript_parser_proto.dict" ] 311 | 312 | outputs = [ 313 | "$target_gen_dir/javascript_parser.proto", 314 | "$target_gen_dir/javascript_parser_proto_to_string.cc", 315 | ] 316 | 317 | args = rebase_path(outputs, root_build_dir) + 318 | rebase_path(sources, root_build_dir) 319 | } 320 | 321 | proto_library("javascript_parser_proto") { 322 | sources = [ "$target_gen_dir/javascript_parser.proto" ] 323 | proto_deps = [ ":gen_javascript_parser_proto" ] 324 | proto_out_dir = "" 325 | } 326 | 327 | fuzzer_test("javascript_parser_proto_fuzzer") { 328 | generated_sources = [ "$target_gen_dir/javascript_parser_proto_to_string.cc" ] 329 | sources = [ 330 | "javascript_parser_proto_fuzzer.cc", 331 | "javascript_parser_proto_to_string.h", 332 | ] 333 | deps = [ 334 | ":gen_javascript_parser_proto", 335 | ":javascript_parser_proto", 336 | "//third_party/libprotobuf-mutator", 337 | "//v8:v8", 338 | "//v8:v8_libplatform", 339 | ] 340 | } 341 | 342 | fuzzer_test("v8_fully_instrumented_fuzzer") { 343 | sources = [ "v8_fuzzer.cc" ] 344 | deps = [ 345 | "//base", 346 | "//v8:v8", 347 | "//v8:v8_libplatform", 348 | ] 349 | dict = "dicts/generated/javascript.dict" 350 | asan_options = [ 351 | "allow_user_segv_handler=1", 352 | "handle_sigtrap=1", 353 | ] 354 | msan_options = [ "handle_sigtrap=1" ] 355 | ubsan_options = [ "handle_sigtrap=1" ] 356 | libfuzzer_options = [ "only_ascii=1" ] 357 | } 358 | 359 | fuzzer_test("skia_image_filter_proto_fuzzer") { 360 | sources = [ "skia_image_filter_proto_fuzzer.cc" ] 361 | 362 | deps = [ 363 | "//base", 364 | "//base/test:test_support", 365 | "//skia", 366 | "//testing/libfuzzer/proto:skia_image_filter_converter", 367 | "//testing/libfuzzer/proto:skia_image_filter_proto", 368 | "//third_party/libprotobuf-mutator", 369 | ] 370 | } 371 | 372 | fuzzer_test("libyuv_scale_fuzzer") { 373 | sources = [ "libyuv_scale_fuzzer.cc" ] 374 | 375 | deps = [ "//third_party/libyuv" ] 376 | } 377 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Awesome-Libfuzzer-Harness 2 | An awesome list of Effective and Powerful harnesses for fuzzing using libfuzzer 3 | 4 | Current harnesses : 5 | 6 | - convert_woff2ttf_fuzzer 7 | - courgette_fuzzer 8 | - empty_fuzzer 9 | - flatbuffers_verifier_fuzzer 10 | - generate_javascript_parser_proto 11 | - gfx_png_image_fuzzer 12 | - hash_fuzzer 13 | - javascript_parser_proto_fuzzer 14 | - language_detection_fuzzer 15 | - libpng_read_fuzzer 16 | - libsrtp_fuzzer 17 | - libxml_xml_read_memory_fuzzer 18 | - libyuv_scale_fuzzer 19 | - prtime_fuzzer 20 | - sha1_fuzzer 21 | - skia_image_filter_proto_fuzzer 22 | - skia_pathop_fuzzer 23 | - skia_path_fuzzer 24 | - snappy_compress_fuzzer 25 | - snappy_uncompress_fuzzer 26 | - template_url_parser_fuzzer 27 | - url_parse_proto_fuzzer 28 | - usrsctp_fuzzer 29 | - v8_fuzzer 30 | -------------------------------------------------------------------------------- /color_space_data.h: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef TESTING_LIBFUZZER_FUZZERS_COLOR_SPACE_DATA_H 6 | #define TESTING_LIBFUZZER_FUZZERS_COLOR_SPACE_DATA_H 7 | 8 | static const char kSRGBData[] = { 9 | // sRGB profile with tabular gamma curves. 10 | 0x00, 0x00, 0x0c, 0x48, 0x4c, 0x69, 0x6e, 0x6f, 0x02, 0x10, 0x00, 0x00, 11 | 0x6d, 0x6e, 0x74, 0x72, 0x52, 0x47, 0x42, 0x20, 0x58, 0x59, 0x5a, 0x20, 12 | 0x07, 0xce, 0x00, 0x02, 0x00, 0x09, 0x00, 0x06, 0x00, 0x31, 0x00, 0x00, 13 | 0x61, 0x63, 0x73, 0x70, 0x4d, 0x53, 0x46, 0x54, 0x00, 0x00, 0x00, 0x00, 14 | 0x49, 0x45, 0x43, 0x20, 0x73, 0x52, 0x47, 0x42, 0x00, 0x00, 0x00, 0x00, 15 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf6, 0xd6, 16 | 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d, 0x48, 0x50, 0x20, 0x20, 17 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 18 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 19 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 20 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 21 | 0x63, 0x70, 0x72, 0x74, 0x00, 0x00, 0x01, 0x50, 0x00, 0x00, 0x00, 0x33, 22 | 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x01, 0x84, 0x00, 0x00, 0x00, 0x6c, 23 | 0x77, 0x74, 0x70, 0x74, 0x00, 0x00, 0x01, 0xf0, 0x00, 0x00, 0x00, 0x14, 24 | 0x62, 0x6b, 0x70, 0x74, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00, 0x14, 25 | 0x72, 0x58, 0x59, 0x5a, 0x00, 0x00, 0x02, 0x18, 0x00, 0x00, 0x00, 0x14, 26 | 0x67, 0x58, 0x59, 0x5a, 0x00, 0x00, 0x02, 0x2c, 0x00, 0x00, 0x00, 0x14, 27 | 0x62, 0x58, 0x59, 0x5a, 0x00, 0x00, 0x02, 0x40, 0x00, 0x00, 0x00, 0x14, 28 | 0x64, 0x6d, 0x6e, 0x64, 0x00, 0x00, 0x02, 0x54, 0x00, 0x00, 0x00, 0x70, 29 | 0x64, 0x6d, 0x64, 0x64, 0x00, 0x00, 0x02, 0xc4, 0x00, 0x00, 0x00, 0x88, 30 | 0x76, 0x75, 0x65, 0x64, 0x00, 0x00, 0x03, 0x4c, 0x00, 0x00, 0x00, 0x86, 31 | 0x76, 0x69, 0x65, 0x77, 0x00, 0x00, 0x03, 0xd4, 0x00, 0x00, 0x00, 0x24, 32 | 0x6c, 0x75, 0x6d, 0x69, 0x00, 0x00, 0x03, 0xf8, 0x00, 0x00, 0x00, 0x14, 33 | 0x6d, 0x65, 0x61, 0x73, 0x00, 0x00, 0x04, 0x0c, 0x00, 0x00, 0x00, 0x24, 34 | 0x74, 0x65, 0x63, 0x68, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x0c, 35 | 0x72, 0x54, 0x52, 0x43, 0x00, 0x00, 0x04, 0x3c, 0x00, 0x00, 0x08, 0x0c, 36 | 0x67, 0x54, 0x52, 0x43, 0x00, 0x00, 0x04, 0x3c, 0x00, 0x00, 0x08, 0x0c, 37 | 0x62, 0x54, 0x52, 0x43, 0x00, 0x00, 0x04, 0x3c, 0x00, 0x00, 0x08, 0x0c, 38 | 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, 0x00, 0x43, 0x6f, 0x70, 0x79, 39 | 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x28, 0x63, 0x29, 0x20, 0x31, 0x39, 40 | 0x39, 0x38, 0x20, 0x48, 0x65, 0x77, 0x6c, 0x65, 0x74, 0x74, 0x2d, 0x50, 41 | 0x61, 0x63, 0x6b, 0x61, 0x72, 0x64, 0x20, 0x43, 0x6f, 0x6d, 0x70, 0x61, 42 | 0x6e, 0x79, 0x00, 0x00, 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x00, 0x00, 43 | 0x00, 0x00, 0x00, 0x12, 0x73, 0x52, 0x47, 0x42, 0x20, 0x49, 0x45, 0x43, 44 | 0x36, 0x31, 0x39, 0x36, 0x36, 0x2d, 0x32, 0x2e, 0x31, 0x00, 0x00, 0x00, 45 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x73, 0x52, 0x47, 46 | 0x42, 0x20, 0x49, 0x45, 0x43, 0x36, 0x31, 0x39, 0x36, 0x36, 0x2d, 0x32, 47 | 0x2e, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 48 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 49 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 50 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 51 | 0x00, 0x00, 0x00, 0x00, 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 52 | 0x00, 0x00, 0xf3, 0x51, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x16, 0xcc, 53 | 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 54 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x59, 0x5a, 0x20, 55 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6f, 0xa2, 0x00, 0x00, 0x38, 0xf5, 56 | 0x00, 0x00, 0x03, 0x90, 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 57 | 0x00, 0x00, 0x62, 0x99, 0x00, 0x00, 0xb7, 0x85, 0x00, 0x00, 0x18, 0xda, 58 | 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0xa0, 59 | 0x00, 0x00, 0x0f, 0x84, 0x00, 0x00, 0xb6, 0xcf, 0x64, 0x65, 0x73, 0x63, 60 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x49, 0x45, 0x43, 0x20, 61 | 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x69, 62 | 0x65, 0x63, 0x2e, 0x63, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 63 | 0x00, 0x00, 0x00, 0x00, 0x16, 0x49, 0x45, 0x43, 0x20, 0x68, 0x74, 0x74, 64 | 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x69, 0x65, 0x63, 0x2e, 65 | 0x63, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 66 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 67 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 68 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 69 | 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 70 | 0x49, 0x45, 0x43, 0x20, 0x36, 0x31, 0x39, 0x36, 0x36, 0x2d, 0x32, 0x2e, 71 | 0x31, 0x20, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x20, 0x52, 0x47, 72 | 0x42, 0x20, 0x63, 0x6f, 0x6c, 0x6f, 0x75, 0x72, 0x20, 0x73, 0x70, 0x61, 73 | 0x63, 0x65, 0x20, 0x2d, 0x20, 0x73, 0x52, 0x47, 0x42, 0x00, 0x00, 0x00, 74 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x49, 0x45, 0x43, 75 | 0x20, 0x36, 0x31, 0x39, 0x36, 0x36, 0x2d, 0x32, 0x2e, 0x31, 0x20, 0x44, 76 | 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x20, 0x52, 0x47, 0x42, 0x20, 0x63, 77 | 0x6f, 0x6c, 0x6f, 0x75, 0x72, 0x20, 0x73, 0x70, 0x61, 0x63, 0x65, 0x20, 78 | 0x2d, 0x20, 0x73, 0x52, 0x47, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 79 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 80 | 0x00, 0x00, 0x00, 0x00, 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x00, 0x00, 81 | 0x00, 0x00, 0x00, 0x2c, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 82 | 0x65, 0x20, 0x56, 0x69, 0x65, 0x77, 0x69, 0x6e, 0x67, 0x20, 0x43, 0x6f, 83 | 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x69, 0x6e, 0x20, 0x49, 84 | 0x45, 0x43, 0x36, 0x31, 0x39, 0x36, 0x36, 0x2d, 0x32, 0x2e, 0x31, 0x00, 85 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x52, 86 | 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x20, 0x56, 0x69, 0x65, 87 | 0x77, 0x69, 0x6e, 0x67, 0x20, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 88 | 0x6f, 0x6e, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45, 0x43, 0x36, 0x31, 0x39, 89 | 0x36, 0x36, 0x2d, 0x32, 0x2e, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 90 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 91 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0x69, 0x65, 0x77, 92 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0xa4, 0xfe, 0x00, 0x14, 0x5f, 0x2e, 93 | 0x00, 0x10, 0xcf, 0x14, 0x00, 0x03, 0xed, 0xcc, 0x00, 0x04, 0x13, 0x0b, 94 | 0x00, 0x03, 0x5c, 0x9e, 0x00, 0x00, 0x00, 0x01, 0x58, 0x59, 0x5a, 0x20, 95 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x09, 0x56, 0x00, 0x50, 0x00, 0x00, 96 | 0x00, 0x57, 0x1f, 0xe7, 0x6d, 0x65, 0x61, 0x73, 0x00, 0x00, 0x00, 0x00, 97 | 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 98 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x8f, 99 | 0x00, 0x00, 0x00, 0x02, 0x73, 0x69, 0x67, 0x20, 0x00, 0x00, 0x00, 0x00, 100 | 0x43, 0x52, 0x54, 0x20, 0x63, 0x75, 0x72, 0x76, 0x00, 0x00, 0x00, 0x00, 101 | 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x0a, 0x00, 0x0f, 102 | 0x00, 0x14, 0x00, 0x19, 0x00, 0x1e, 0x00, 0x23, 0x00, 0x28, 0x00, 0x2d, 103 | 0x00, 0x32, 0x00, 0x37, 0x00, 0x3b, 0x00, 0x40, 0x00, 0x45, 0x00, 0x4a, 104 | 0x00, 0x4f, 0x00, 0x54, 0x00, 0x59, 0x00, 0x5e, 0x00, 0x63, 0x00, 0x68, 105 | 0x00, 0x6d, 0x00, 0x72, 0x00, 0x77, 0x00, 0x7c, 0x00, 0x81, 0x00, 0x86, 106 | 0x00, 0x8b, 0x00, 0x90, 0x00, 0x95, 0x00, 0x9a, 0x00, 0x9f, 0x00, 0xa4, 107 | 0x00, 0xa9, 0x00, 0xae, 0x00, 0xb2, 0x00, 0xb7, 0x00, 0xbc, 0x00, 0xc1, 108 | 0x00, 0xc6, 0x00, 0xcb, 0x00, 0xd0, 0x00, 0xd5, 0x00, 0xdb, 0x00, 0xe0, 109 | 0x00, 0xe5, 0x00, 0xeb, 0x00, 0xf0, 0x00, 0xf6, 0x00, 0xfb, 0x01, 0x01, 110 | 0x01, 0x07, 0x01, 0x0d, 0x01, 0x13, 0x01, 0x19, 0x01, 0x1f, 0x01, 0x25, 111 | 0x01, 0x2b, 0x01, 0x32, 0x01, 0x38, 0x01, 0x3e, 0x01, 0x45, 0x01, 0x4c, 112 | 0x01, 0x52, 0x01, 0x59, 0x01, 0x60, 0x01, 0x67, 0x01, 0x6e, 0x01, 0x75, 113 | 0x01, 0x7c, 0x01, 0x83, 0x01, 0x8b, 0x01, 0x92, 0x01, 0x9a, 0x01, 0xa1, 114 | 0x01, 0xa9, 0x01, 0xb1, 0x01, 0xb9, 0x01, 0xc1, 0x01, 0xc9, 0x01, 0xd1, 115 | 0x01, 0xd9, 0x01, 0xe1, 0x01, 0xe9, 0x01, 0xf2, 0x01, 0xfa, 0x02, 0x03, 116 | 0x02, 0x0c, 0x02, 0x14, 0x02, 0x1d, 0x02, 0x26, 0x02, 0x2f, 0x02, 0x38, 117 | 0x02, 0x41, 0x02, 0x4b, 0x02, 0x54, 0x02, 0x5d, 0x02, 0x67, 0x02, 0x71, 118 | 0x02, 0x7a, 0x02, 0x84, 0x02, 0x8e, 0x02, 0x98, 0x02, 0xa2, 0x02, 0xac, 119 | 0x02, 0xb6, 0x02, 0xc1, 0x02, 0xcb, 0x02, 0xd5, 0x02, 0xe0, 0x02, 0xeb, 120 | 0x02, 0xf5, 0x03, 0x00, 0x03, 0x0b, 0x03, 0x16, 0x03, 0x21, 0x03, 0x2d, 121 | 0x03, 0x38, 0x03, 0x43, 0x03, 0x4f, 0x03, 0x5a, 0x03, 0x66, 0x03, 0x72, 122 | 0x03, 0x7e, 0x03, 0x8a, 0x03, 0x96, 0x03, 0xa2, 0x03, 0xae, 0x03, 0xba, 123 | 0x03, 0xc7, 0x03, 0xd3, 0x03, 0xe0, 0x03, 0xec, 0x03, 0xf9, 0x04, 0x06, 124 | 0x04, 0x13, 0x04, 0x20, 0x04, 0x2d, 0x04, 0x3b, 0x04, 0x48, 0x04, 0x55, 125 | 0x04, 0x63, 0x04, 0x71, 0x04, 0x7e, 0x04, 0x8c, 0x04, 0x9a, 0x04, 0xa8, 126 | 0x04, 0xb6, 0x04, 0xc4, 0x04, 0xd3, 0x04, 0xe1, 0x04, 0xf0, 0x04, 0xfe, 127 | 0x05, 0x0d, 0x05, 0x1c, 0x05, 0x2b, 0x05, 0x3a, 0x05, 0x49, 0x05, 0x58, 128 | 0x05, 0x67, 0x05, 0x77, 0x05, 0x86, 0x05, 0x96, 0x05, 0xa6, 0x05, 0xb5, 129 | 0x05, 0xc5, 0x05, 0xd5, 0x05, 0xe5, 0x05, 0xf6, 0x06, 0x06, 0x06, 0x16, 130 | 0x06, 0x27, 0x06, 0x37, 0x06, 0x48, 0x06, 0x59, 0x06, 0x6a, 0x06, 0x7b, 131 | 0x06, 0x8c, 0x06, 0x9d, 0x06, 0xaf, 0x06, 0xc0, 0x06, 0xd1, 0x06, 0xe3, 132 | 0x06, 0xf5, 0x07, 0x07, 0x07, 0x19, 0x07, 0x2b, 0x07, 0x3d, 0x07, 0x4f, 133 | 0x07, 0x61, 0x07, 0x74, 0x07, 0x86, 0x07, 0x99, 0x07, 0xac, 0x07, 0xbf, 134 | 0x07, 0xd2, 0x07, 0xe5, 0x07, 0xf8, 0x08, 0x0b, 0x08, 0x1f, 0x08, 0x32, 135 | 0x08, 0x46, 0x08, 0x5a, 0x08, 0x6e, 0x08, 0x82, 0x08, 0x96, 0x08, 0xaa, 136 | 0x08, 0xbe, 0x08, 0xd2, 0x08, 0xe7, 0x08, 0xfb, 0x09, 0x10, 0x09, 0x25, 137 | 0x09, 0x3a, 0x09, 0x4f, 0x09, 0x64, 0x09, 0x79, 0x09, 0x8f, 0x09, 0xa4, 138 | 0x09, 0xba, 0x09, 0xcf, 0x09, 0xe5, 0x09, 0xfb, 0x0a, 0x11, 0x0a, 0x27, 139 | 0x0a, 0x3d, 0x0a, 0x54, 0x0a, 0x6a, 0x0a, 0x81, 0x0a, 0x98, 0x0a, 0xae, 140 | 0x0a, 0xc5, 0x0a, 0xdc, 0x0a, 0xf3, 0x0b, 0x0b, 0x0b, 0x22, 0x0b, 0x39, 141 | 0x0b, 0x51, 0x0b, 0x69, 0x0b, 0x80, 0x0b, 0x98, 0x0b, 0xb0, 0x0b, 0xc8, 142 | 0x0b, 0xe1, 0x0b, 0xf9, 0x0c, 0x12, 0x0c, 0x2a, 0x0c, 0x43, 0x0c, 0x5c, 143 | 0x0c, 0x75, 0x0c, 0x8e, 0x0c, 0xa7, 0x0c, 0xc0, 0x0c, 0xd9, 0x0c, 0xf3, 144 | 0x0d, 0x0d, 0x0d, 0x26, 0x0d, 0x40, 0x0d, 0x5a, 0x0d, 0x74, 0x0d, 0x8e, 145 | 0x0d, 0xa9, 0x0d, 0xc3, 0x0d, 0xde, 0x0d, 0xf8, 0x0e, 0x13, 0x0e, 0x2e, 146 | 0x0e, 0x49, 0x0e, 0x64, 0x0e, 0x7f, 0x0e, 0x9b, 0x0e, 0xb6, 0x0e, 0xd2, 147 | 0x0e, 0xee, 0x0f, 0x09, 0x0f, 0x25, 0x0f, 0x41, 0x0f, 0x5e, 0x0f, 0x7a, 148 | 0x0f, 0x96, 0x0f, 0xb3, 0x0f, 0xcf, 0x0f, 0xec, 0x10, 0x09, 0x10, 0x26, 149 | 0x10, 0x43, 0x10, 0x61, 0x10, 0x7e, 0x10, 0x9b, 0x10, 0xb9, 0x10, 0xd7, 150 | 0x10, 0xf5, 0x11, 0x13, 0x11, 0x31, 0x11, 0x4f, 0x11, 0x6d, 0x11, 0x8c, 151 | 0x11, 0xaa, 0x11, 0xc9, 0x11, 0xe8, 0x12, 0x07, 0x12, 0x26, 0x12, 0x45, 152 | 0x12, 0x64, 0x12, 0x84, 0x12, 0xa3, 0x12, 0xc3, 0x12, 0xe3, 0x13, 0x03, 153 | 0x13, 0x23, 0x13, 0x43, 0x13, 0x63, 0x13, 0x83, 0x13, 0xa4, 0x13, 0xc5, 154 | 0x13, 0xe5, 0x14, 0x06, 0x14, 0x27, 0x14, 0x49, 0x14, 0x6a, 0x14, 0x8b, 155 | 0x14, 0xad, 0x14, 0xce, 0x14, 0xf0, 0x15, 0x12, 0x15, 0x34, 0x15, 0x56, 156 | 0x15, 0x78, 0x15, 0x9b, 0x15, 0xbd, 0x15, 0xe0, 0x16, 0x03, 0x16, 0x26, 157 | 0x16, 0x49, 0x16, 0x6c, 0x16, 0x8f, 0x16, 0xb2, 0x16, 0xd6, 0x16, 0xfa, 158 | 0x17, 0x1d, 0x17, 0x41, 0x17, 0x65, 0x17, 0x89, 0x17, 0xae, 0x17, 0xd2, 159 | 0x17, 0xf7, 0x18, 0x1b, 0x18, 0x40, 0x18, 0x65, 0x18, 0x8a, 0x18, 0xaf, 160 | 0x18, 0xd5, 0x18, 0xfa, 0x19, 0x20, 0x19, 0x45, 0x19, 0x6b, 0x19, 0x91, 161 | 0x19, 0xb7, 0x19, 0xdd, 0x1a, 0x04, 0x1a, 0x2a, 0x1a, 0x51, 0x1a, 0x77, 162 | 0x1a, 0x9e, 0x1a, 0xc5, 0x1a, 0xec, 0x1b, 0x14, 0x1b, 0x3b, 0x1b, 0x63, 163 | 0x1b, 0x8a, 0x1b, 0xb2, 0x1b, 0xda, 0x1c, 0x02, 0x1c, 0x2a, 0x1c, 0x52, 164 | 0x1c, 0x7b, 0x1c, 0xa3, 0x1c, 0xcc, 0x1c, 0xf5, 0x1d, 0x1e, 0x1d, 0x47, 165 | 0x1d, 0x70, 0x1d, 0x99, 0x1d, 0xc3, 0x1d, 0xec, 0x1e, 0x16, 0x1e, 0x40, 166 | 0x1e, 0x6a, 0x1e, 0x94, 0x1e, 0xbe, 0x1e, 0xe9, 0x1f, 0x13, 0x1f, 0x3e, 167 | 0x1f, 0x69, 0x1f, 0x94, 0x1f, 0xbf, 0x1f, 0xea, 0x20, 0x15, 0x20, 0x41, 168 | 0x20, 0x6c, 0x20, 0x98, 0x20, 0xc4, 0x20, 0xf0, 0x21, 0x1c, 0x21, 0x48, 169 | 0x21, 0x75, 0x21, 0xa1, 0x21, 0xce, 0x21, 0xfb, 0x22, 0x27, 0x22, 0x55, 170 | 0x22, 0x82, 0x22, 0xaf, 0x22, 0xdd, 0x23, 0x0a, 0x23, 0x38, 0x23, 0x66, 171 | 0x23, 0x94, 0x23, 0xc2, 0x23, 0xf0, 0x24, 0x1f, 0x24, 0x4d, 0x24, 0x7c, 172 | 0x24, 0xab, 0x24, 0xda, 0x25, 0x09, 0x25, 0x38, 0x25, 0x68, 0x25, 0x97, 173 | 0x25, 0xc7, 0x25, 0xf7, 0x26, 0x27, 0x26, 0x57, 0x26, 0x87, 0x26, 0xb7, 174 | 0x26, 0xe8, 0x27, 0x18, 0x27, 0x49, 0x27, 0x7a, 0x27, 0xab, 0x27, 0xdc, 175 | 0x28, 0x0d, 0x28, 0x3f, 0x28, 0x71, 0x28, 0xa2, 0x28, 0xd4, 0x29, 0x06, 176 | 0x29, 0x38, 0x29, 0x6b, 0x29, 0x9d, 0x29, 0xd0, 0x2a, 0x02, 0x2a, 0x35, 177 | 0x2a, 0x68, 0x2a, 0x9b, 0x2a, 0xcf, 0x2b, 0x02, 0x2b, 0x36, 0x2b, 0x69, 178 | 0x2b, 0x9d, 0x2b, 0xd1, 0x2c, 0x05, 0x2c, 0x39, 0x2c, 0x6e, 0x2c, 0xa2, 179 | 0x2c, 0xd7, 0x2d, 0x0c, 0x2d, 0x41, 0x2d, 0x76, 0x2d, 0xab, 0x2d, 0xe1, 180 | 0x2e, 0x16, 0x2e, 0x4c, 0x2e, 0x82, 0x2e, 0xb7, 0x2e, 0xee, 0x2f, 0x24, 181 | 0x2f, 0x5a, 0x2f, 0x91, 0x2f, 0xc7, 0x2f, 0xfe, 0x30, 0x35, 0x30, 0x6c, 182 | 0x30, 0xa4, 0x30, 0xdb, 0x31, 0x12, 0x31, 0x4a, 0x31, 0x82, 0x31, 0xba, 183 | 0x31, 0xf2, 0x32, 0x2a, 0x32, 0x63, 0x32, 0x9b, 0x32, 0xd4, 0x33, 0x0d, 184 | 0x33, 0x46, 0x33, 0x7f, 0x33, 0xb8, 0x33, 0xf1, 0x34, 0x2b, 0x34, 0x65, 185 | 0x34, 0x9e, 0x34, 0xd8, 0x35, 0x13, 0x35, 0x4d, 0x35, 0x87, 0x35, 0xc2, 186 | 0x35, 0xfd, 0x36, 0x37, 0x36, 0x72, 0x36, 0xae, 0x36, 0xe9, 0x37, 0x24, 187 | 0x37, 0x60, 0x37, 0x9c, 0x37, 0xd7, 0x38, 0x14, 0x38, 0x50, 0x38, 0x8c, 188 | 0x38, 0xc8, 0x39, 0x05, 0x39, 0x42, 0x39, 0x7f, 0x39, 0xbc, 0x39, 0xf9, 189 | 0x3a, 0x36, 0x3a, 0x74, 0x3a, 0xb2, 0x3a, 0xef, 0x3b, 0x2d, 0x3b, 0x6b, 190 | 0x3b, 0xaa, 0x3b, 0xe8, 0x3c, 0x27, 0x3c, 0x65, 0x3c, 0xa4, 0x3c, 0xe3, 191 | 0x3d, 0x22, 0x3d, 0x61, 0x3d, 0xa1, 0x3d, 0xe0, 0x3e, 0x20, 0x3e, 0x60, 192 | 0x3e, 0xa0, 0x3e, 0xe0, 0x3f, 0x21, 0x3f, 0x61, 0x3f, 0xa2, 0x3f, 0xe2, 193 | 0x40, 0x23, 0x40, 0x64, 0x40, 0xa6, 0x40, 0xe7, 0x41, 0x29, 0x41, 0x6a, 194 | 0x41, 0xac, 0x41, 0xee, 0x42, 0x30, 0x42, 0x72, 0x42, 0xb5, 0x42, 0xf7, 195 | 0x43, 0x3a, 0x43, 0x7d, 0x43, 0xc0, 0x44, 0x03, 0x44, 0x47, 0x44, 0x8a, 196 | 0x44, 0xce, 0x45, 0x12, 0x45, 0x55, 0x45, 0x9a, 0x45, 0xde, 0x46, 0x22, 197 | 0x46, 0x67, 0x46, 0xab, 0x46, 0xf0, 0x47, 0x35, 0x47, 0x7b, 0x47, 0xc0, 198 | 0x48, 0x05, 0x48, 0x4b, 0x48, 0x91, 0x48, 0xd7, 0x49, 0x1d, 0x49, 0x63, 199 | 0x49, 0xa9, 0x49, 0xf0, 0x4a, 0x37, 0x4a, 0x7d, 0x4a, 0xc4, 0x4b, 0x0c, 200 | 0x4b, 0x53, 0x4b, 0x9a, 0x4b, 0xe2, 0x4c, 0x2a, 0x4c, 0x72, 0x4c, 0xba, 201 | 0x4d, 0x02, 0x4d, 0x4a, 0x4d, 0x93, 0x4d, 0xdc, 0x4e, 0x25, 0x4e, 0x6e, 202 | 0x4e, 0xb7, 0x4f, 0x00, 0x4f, 0x49, 0x4f, 0x93, 0x4f, 0xdd, 0x50, 0x27, 203 | 0x50, 0x71, 0x50, 0xbb, 0x51, 0x06, 0x51, 0x50, 0x51, 0x9b, 0x51, 0xe6, 204 | 0x52, 0x31, 0x52, 0x7c, 0x52, 0xc7, 0x53, 0x13, 0x53, 0x5f, 0x53, 0xaa, 205 | 0x53, 0xf6, 0x54, 0x42, 0x54, 0x8f, 0x54, 0xdb, 0x55, 0x28, 0x55, 0x75, 206 | 0x55, 0xc2, 0x56, 0x0f, 0x56, 0x5c, 0x56, 0xa9, 0x56, 0xf7, 0x57, 0x44, 207 | 0x57, 0x92, 0x57, 0xe0, 0x58, 0x2f, 0x58, 0x7d, 0x58, 0xcb, 0x59, 0x1a, 208 | 0x59, 0x69, 0x59, 0xb8, 0x5a, 0x07, 0x5a, 0x56, 0x5a, 0xa6, 0x5a, 0xf5, 209 | 0x5b, 0x45, 0x5b, 0x95, 0x5b, 0xe5, 0x5c, 0x35, 0x5c, 0x86, 0x5c, 0xd6, 210 | 0x5d, 0x27, 0x5d, 0x78, 0x5d, 0xc9, 0x5e, 0x1a, 0x5e, 0x6c, 0x5e, 0xbd, 211 | 0x5f, 0x0f, 0x5f, 0x61, 0x5f, 0xb3, 0x60, 0x05, 0x60, 0x57, 0x60, 0xaa, 212 | 0x60, 0xfc, 0x61, 0x4f, 0x61, 0xa2, 0x61, 0xf5, 0x62, 0x49, 0x62, 0x9c, 213 | 0x62, 0xf0, 0x63, 0x43, 0x63, 0x97, 0x63, 0xeb, 0x64, 0x40, 0x64, 0x94, 214 | 0x64, 0xe9, 0x65, 0x3d, 0x65, 0x92, 0x65, 0xe7, 0x66, 0x3d, 0x66, 0x92, 215 | 0x66, 0xe8, 0x67, 0x3d, 0x67, 0x93, 0x67, 0xe9, 0x68, 0x3f, 0x68, 0x96, 216 | 0x68, 0xec, 0x69, 0x43, 0x69, 0x9a, 0x69, 0xf1, 0x6a, 0x48, 0x6a, 0x9f, 217 | 0x6a, 0xf7, 0x6b, 0x4f, 0x6b, 0xa7, 0x6b, 0xff, 0x6c, 0x57, 0x6c, 0xaf, 218 | 0x6d, 0x08, 0x6d, 0x60, 0x6d, 0xb9, 0x6e, 0x12, 0x6e, 0x6b, 0x6e, 0xc4, 219 | 0x6f, 0x1e, 0x6f, 0x78, 0x6f, 0xd1, 0x70, 0x2b, 0x70, 0x86, 0x70, 0xe0, 220 | 0x71, 0x3a, 0x71, 0x95, 0x71, 0xf0, 0x72, 0x4b, 0x72, 0xa6, 0x73, 0x01, 221 | 0x73, 0x5d, 0x73, 0xb8, 0x74, 0x14, 0x74, 0x70, 0x74, 0xcc, 0x75, 0x28, 222 | 0x75, 0x85, 0x75, 0xe1, 0x76, 0x3e, 0x76, 0x9b, 0x76, 0xf8, 0x77, 0x56, 223 | 0x77, 0xb3, 0x78, 0x11, 0x78, 0x6e, 0x78, 0xcc, 0x79, 0x2a, 0x79, 0x89, 224 | 0x79, 0xe7, 0x7a, 0x46, 0x7a, 0xa5, 0x7b, 0x04, 0x7b, 0x63, 0x7b, 0xc2, 225 | 0x7c, 0x21, 0x7c, 0x81, 0x7c, 0xe1, 0x7d, 0x41, 0x7d, 0xa1, 0x7e, 0x01, 226 | 0x7e, 0x62, 0x7e, 0xc2, 0x7f, 0x23, 0x7f, 0x84, 0x7f, 0xe5, 0x80, 0x47, 227 | 0x80, 0xa8, 0x81, 0x0a, 0x81, 0x6b, 0x81, 0xcd, 0x82, 0x30, 0x82, 0x92, 228 | 0x82, 0xf4, 0x83, 0x57, 0x83, 0xba, 0x84, 0x1d, 0x84, 0x80, 0x84, 0xe3, 229 | 0x85, 0x47, 0x85, 0xab, 0x86, 0x0e, 0x86, 0x72, 0x86, 0xd7, 0x87, 0x3b, 230 | 0x87, 0x9f, 0x88, 0x04, 0x88, 0x69, 0x88, 0xce, 0x89, 0x33, 0x89, 0x99, 231 | 0x89, 0xfe, 0x8a, 0x64, 0x8a, 0xca, 0x8b, 0x30, 0x8b, 0x96, 0x8b, 0xfc, 232 | 0x8c, 0x63, 0x8c, 0xca, 0x8d, 0x31, 0x8d, 0x98, 0x8d, 0xff, 0x8e, 0x66, 233 | 0x8e, 0xce, 0x8f, 0x36, 0x8f, 0x9e, 0x90, 0x06, 0x90, 0x6e, 0x90, 0xd6, 234 | 0x91, 0x3f, 0x91, 0xa8, 0x92, 0x11, 0x92, 0x7a, 0x92, 0xe3, 0x93, 0x4d, 235 | 0x93, 0xb6, 0x94, 0x20, 0x94, 0x8a, 0x94, 0xf4, 0x95, 0x5f, 0x95, 0xc9, 236 | 0x96, 0x34, 0x96, 0x9f, 0x97, 0x0a, 0x97, 0x75, 0x97, 0xe0, 0x98, 0x4c, 237 | 0x98, 0xb8, 0x99, 0x24, 0x99, 0x90, 0x99, 0xfc, 0x9a, 0x68, 0x9a, 0xd5, 238 | 0x9b, 0x42, 0x9b, 0xaf, 0x9c, 0x1c, 0x9c, 0x89, 0x9c, 0xf7, 0x9d, 0x64, 239 | 0x9d, 0xd2, 0x9e, 0x40, 0x9e, 0xae, 0x9f, 0x1d, 0x9f, 0x8b, 0x9f, 0xfa, 240 | 0xa0, 0x69, 0xa0, 0xd8, 0xa1, 0x47, 0xa1, 0xb6, 0xa2, 0x26, 0xa2, 0x96, 241 | 0xa3, 0x06, 0xa3, 0x76, 0xa3, 0xe6, 0xa4, 0x56, 0xa4, 0xc7, 0xa5, 0x38, 242 | 0xa5, 0xa9, 0xa6, 0x1a, 0xa6, 0x8b, 0xa6, 0xfd, 0xa7, 0x6e, 0xa7, 0xe0, 243 | 0xa8, 0x52, 0xa8, 0xc4, 0xa9, 0x37, 0xa9, 0xa9, 0xaa, 0x1c, 0xaa, 0x8f, 244 | 0xab, 0x02, 0xab, 0x75, 0xab, 0xe9, 0xac, 0x5c, 0xac, 0xd0, 0xad, 0x44, 245 | 0xad, 0xb8, 0xae, 0x2d, 0xae, 0xa1, 0xaf, 0x16, 0xaf, 0x8b, 0xb0, 0x00, 246 | 0xb0, 0x75, 0xb0, 0xea, 0xb1, 0x60, 0xb1, 0xd6, 0xb2, 0x4b, 0xb2, 0xc2, 247 | 0xb3, 0x38, 0xb3, 0xae, 0xb4, 0x25, 0xb4, 0x9c, 0xb5, 0x13, 0xb5, 0x8a, 248 | 0xb6, 0x01, 0xb6, 0x79, 0xb6, 0xf0, 0xb7, 0x68, 0xb7, 0xe0, 0xb8, 0x59, 249 | 0xb8, 0xd1, 0xb9, 0x4a, 0xb9, 0xc2, 0xba, 0x3b, 0xba, 0xb5, 0xbb, 0x2e, 250 | 0xbb, 0xa7, 0xbc, 0x21, 0xbc, 0x9b, 0xbd, 0x15, 0xbd, 0x8f, 0xbe, 0x0a, 251 | 0xbe, 0x84, 0xbe, 0xff, 0xbf, 0x7a, 0xbf, 0xf5, 0xc0, 0x70, 0xc0, 0xec, 252 | 0xc1, 0x67, 0xc1, 0xe3, 0xc2, 0x5f, 0xc2, 0xdb, 0xc3, 0x58, 0xc3, 0xd4, 253 | 0xc4, 0x51, 0xc4, 0xce, 0xc5, 0x4b, 0xc5, 0xc8, 0xc6, 0x46, 0xc6, 0xc3, 254 | 0xc7, 0x41, 0xc7, 0xbf, 0xc8, 0x3d, 0xc8, 0xbc, 0xc9, 0x3a, 0xc9, 0xb9, 255 | 0xca, 0x38, 0xca, 0xb7, 0xcb, 0x36, 0xcb, 0xb6, 0xcc, 0x35, 0xcc, 0xb5, 256 | 0xcd, 0x35, 0xcd, 0xb5, 0xce, 0x36, 0xce, 0xb6, 0xcf, 0x37, 0xcf, 0xb8, 257 | 0xd0, 0x39, 0xd0, 0xba, 0xd1, 0x3c, 0xd1, 0xbe, 0xd2, 0x3f, 0xd2, 0xc1, 258 | 0xd3, 0x44, 0xd3, 0xc6, 0xd4, 0x49, 0xd4, 0xcb, 0xd5, 0x4e, 0xd5, 0xd1, 259 | 0xd6, 0x55, 0xd6, 0xd8, 0xd7, 0x5c, 0xd7, 0xe0, 0xd8, 0x64, 0xd8, 0xe8, 260 | 0xd9, 0x6c, 0xd9, 0xf1, 0xda, 0x76, 0xda, 0xfb, 0xdb, 0x80, 0xdc, 0x05, 261 | 0xdc, 0x8a, 0xdd, 0x10, 0xdd, 0x96, 0xde, 0x1c, 0xde, 0xa2, 0xdf, 0x29, 262 | 0xdf, 0xaf, 0xe0, 0x36, 0xe0, 0xbd, 0xe1, 0x44, 0xe1, 0xcc, 0xe2, 0x53, 263 | 0xe2, 0xdb, 0xe3, 0x63, 0xe3, 0xeb, 0xe4, 0x73, 0xe4, 0xfc, 0xe5, 0x84, 264 | 0xe6, 0x0d, 0xe6, 0x96, 0xe7, 0x1f, 0xe7, 0xa9, 0xe8, 0x32, 0xe8, 0xbc, 265 | 0xe9, 0x46, 0xe9, 0xd0, 0xea, 0x5b, 0xea, 0xe5, 0xeb, 0x70, 0xeb, 0xfb, 266 | 0xec, 0x86, 0xed, 0x11, 0xed, 0x9c, 0xee, 0x28, 0xee, 0xb4, 0xef, 0x40, 267 | 0xef, 0xcc, 0xf0, 0x58, 0xf0, 0xe5, 0xf1, 0x72, 0xf1, 0xff, 0xf2, 0x8c, 268 | 0xf3, 0x19, 0xf3, 0xa7, 0xf4, 0x34, 0xf4, 0xc2, 0xf5, 0x50, 0xf5, 0xde, 269 | 0xf6, 0x6d, 0xf6, 0xfb, 0xf7, 0x8a, 0xf8, 0x19, 0xf8, 0xa8, 0xf9, 0x38, 270 | 0xf9, 0xc7, 0xfa, 0x57, 0xfa, 0xe7, 0xfb, 0x77, 0xfc, 0x07, 0xfc, 0x98, 271 | 0xfd, 0x29, 0xfd, 0xba, 0xfe, 0x4b, 0xfe, 0xdc, 0xff, 0x6d, 0xff, 0xff, 272 | }; 273 | 274 | static const char kSRGBPara[] = { 275 | // sRGB profile with parametric gamma curves. 276 | 0x00, 0x00, 0x02, 0x54, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 277 | 0x6d, 0x6e, 0x74, 0x72, 0x52, 0x47, 0x42, 0x20, 0x58, 0x59, 0x5a, 0x20, 278 | 0x07, 0xe0, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x09, 0x00, 0x26, 0x00, 0x1c, 279 | 0x61, 0x63, 0x73, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 280 | 0x47, 0x4f, 0x4f, 0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 281 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf6, 0xd6, 282 | 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d, 0x47, 0x4f, 0x4f, 0x47, 283 | 0x75, 0xe1, 0xa6, 0xb1, 0x3c, 0x34, 0x37, 0x63, 0x10, 0xc8, 0xab, 0x66, 284 | 0x06, 0x32, 0xa2, 0x8a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 285 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 286 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 287 | 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00, 0x40, 288 | 0x63, 0x70, 0x72, 0x74, 0x00, 0x00, 0x01, 0x48, 0x00, 0x00, 0x00, 0x5a, 289 | 0x77, 0x74, 0x70, 0x74, 0x00, 0x00, 0x01, 0xa4, 0x00, 0x00, 0x00, 0x14, 290 | 0x62, 0x6b, 0x70, 0x74, 0x00, 0x00, 0x01, 0xb8, 0x00, 0x00, 0x00, 0x14, 291 | 0x72, 0x58, 0x59, 0x5a, 0x00, 0x00, 0x01, 0xcc, 0x00, 0x00, 0x00, 0x14, 292 | 0x67, 0x58, 0x59, 0x5a, 0x00, 0x00, 0x01, 0xe0, 0x00, 0x00, 0x00, 0x14, 293 | 0x62, 0x58, 0x59, 0x5a, 0x00, 0x00, 0x01, 0xf4, 0x00, 0x00, 0x00, 0x14, 294 | 0x72, 0x54, 0x52, 0x43, 0x00, 0x00, 0x02, 0x08, 0x00, 0x00, 0x00, 0x20, 295 | 0x63, 0x68, 0x61, 0x64, 0x00, 0x00, 0x02, 0x28, 0x00, 0x00, 0x00, 0x2c, 296 | 0x62, 0x54, 0x52, 0x43, 0x00, 0x00, 0x02, 0x08, 0x00, 0x00, 0x00, 0x20, 297 | 0x67, 0x54, 0x52, 0x43, 0x00, 0x00, 0x02, 0x08, 0x00, 0x00, 0x00, 0x20, 298 | 0x6d, 0x6c, 0x75, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 299 | 0x00, 0x00, 0x00, 0x0c, 0x65, 0x6e, 0x55, 0x53, 0x00, 0x00, 0x00, 0x24, 300 | 0x00, 0x00, 0x00, 0x1c, 0x00, 0x73, 0x00, 0x52, 0x00, 0x47, 0x00, 0x42, 301 | 0x00, 0x20, 0x00, 0x49, 0x00, 0x45, 0x00, 0x43, 0x00, 0x36, 0x00, 0x31, 302 | 0x00, 0x39, 0x00, 0x36, 0x00, 0x36, 0x00, 0x2d, 0x00, 0x32, 0x00, 0x2e, 303 | 0x00, 0x31, 0x00, 0x00, 0x6d, 0x6c, 0x75, 0x63, 0x00, 0x00, 0x00, 0x00, 304 | 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0c, 0x65, 0x6e, 0x55, 0x53, 305 | 0x00, 0x00, 0x00, 0x3e, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x43, 0x00, 0x6f, 306 | 0x00, 0x70, 0x00, 0x79, 0x00, 0x72, 0x00, 0x69, 0x00, 0x67, 0x00, 0x68, 307 | 0x00, 0x74, 0x00, 0x20, 0x00, 0x28, 0x00, 0x63, 0x00, 0x29, 0x00, 0x20, 308 | 0x00, 0x32, 0x00, 0x30, 0x00, 0x31, 0x00, 0x36, 0x00, 0x20, 0x00, 0x47, 309 | 0x00, 0x6f, 0x00, 0x6f, 0x00, 0x67, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x20, 310 | 0x00, 0x49, 0x00, 0x6e, 0x00, 0x63, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x00, 311 | 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf3, 0x51, 312 | 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x16, 0xcc, 0x58, 0x59, 0x5a, 0x20, 313 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 314 | 0x00, 0x00, 0x00, 0x00, 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 315 | 0x00, 0x00, 0x6f, 0xa0, 0x00, 0x00, 0x38, 0xf5, 0x00, 0x00, 0x03, 0x90, 316 | 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x97, 317 | 0x00, 0x00, 0xb7, 0x87, 0x00, 0x00, 0x18, 0xd9, 0x58, 0x59, 0x5a, 0x20, 318 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x9f, 0x00, 0x00, 0x0f, 0x84, 319 | 0x00, 0x00, 0xb6, 0xc3, 0x70, 0x61, 0x72, 0x61, 0x00, 0x00, 0x00, 0x00, 320 | 0x00, 0x03, 0x00, 0x00, 0x00, 0x02, 0x66, 0x66, 0x00, 0x00, 0xf2, 0xa7, 321 | 0x00, 0x00, 0x0d, 0x59, 0x00, 0x00, 0x13, 0xd0, 0x00, 0x00, 0x0a, 0x5b, 322 | 0x73, 0x66, 0x33, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x0c, 0x42, 323 | 0x00, 0x00, 0x05, 0xde, 0xff, 0xff, 0xf3, 0x27, 0x00, 0x00, 0x07, 0x93, 324 | 0x00, 0x00, 0xfd, 0x90, 0xff, 0xff, 0xfb, 0xa3, 0xff, 0xff, 0xfd, 0xa4, 325 | 0x00, 0x00, 0x03, 0xdc, 0x00, 0x00, 0xc0, 0x6e, 326 | }; 327 | 328 | static const char kAdobeData[] = { 329 | // Adobe 1998 profile with gamma 2.2 curves. 330 | 0x00, 0x00, 0x02, 0x30, 0x41, 0x44, 0x42, 0x45, 0x02, 0x10, 0x00, 0x00, 331 | 0x6d, 0x6e, 0x74, 0x72, 0x52, 0x47, 0x42, 0x20, 0x58, 0x59, 0x5a, 0x20, 332 | 0x07, 0xd0, 0x00, 0x08, 0x00, 0x0b, 0x00, 0x13, 0x00, 0x33, 0x00, 0x3b, 333 | 0x61, 0x63, 0x73, 0x70, 0x41, 0x50, 0x50, 0x4c, 0x00, 0x00, 0x00, 0x00, 334 | 0x6e, 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 335 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf6, 0xd6, 336 | 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d, 0x41, 0x44, 0x42, 0x45, 337 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 338 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 339 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 340 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 341 | 0x63, 0x70, 0x72, 0x74, 0x00, 0x00, 0x00, 0xfc, 0x00, 0x00, 0x00, 0x32, 342 | 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x01, 0x30, 0x00, 0x00, 0x00, 0x6b, 343 | 0x77, 0x74, 0x70, 0x74, 0x00, 0x00, 0x01, 0x9c, 0x00, 0x00, 0x00, 0x14, 344 | 0x62, 0x6b, 0x70, 0x74, 0x00, 0x00, 0x01, 0xb0, 0x00, 0x00, 0x00, 0x14, 345 | 0x72, 0x54, 0x52, 0x43, 0x00, 0x00, 0x01, 0xc4, 0x00, 0x00, 0x00, 0x0e, 346 | 0x67, 0x54, 0x52, 0x43, 0x00, 0x00, 0x01, 0xd4, 0x00, 0x00, 0x00, 0x0e, 347 | 0x62, 0x54, 0x52, 0x43, 0x00, 0x00, 0x01, 0xe4, 0x00, 0x00, 0x00, 0x0e, 348 | 0x72, 0x58, 0x59, 0x5a, 0x00, 0x00, 0x01, 0xf4, 0x00, 0x00, 0x00, 0x14, 349 | 0x67, 0x58, 0x59, 0x5a, 0x00, 0x00, 0x02, 0x08, 0x00, 0x00, 0x00, 0x14, 350 | 0x62, 0x58, 0x59, 0x5a, 0x00, 0x00, 0x02, 0x1c, 0x00, 0x00, 0x00, 0x14, 351 | 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, 0x00, 0x43, 0x6f, 0x70, 0x79, 352 | 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x32, 0x30, 0x30, 0x30, 0x20, 0x41, 353 | 0x64, 0x6f, 0x62, 0x65, 0x20, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x73, 354 | 0x20, 0x49, 0x6e, 0x63, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x65, 355 | 0x64, 0x00, 0x00, 0x00, 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x00, 0x00, 356 | 0x00, 0x00, 0x00, 0x11, 0x41, 0x64, 0x6f, 0x62, 0x65, 0x20, 0x52, 0x47, 357 | 0x42, 0x20, 0x28, 0x31, 0x39, 0x39, 0x38, 0x29, 0x00, 0x00, 0x00, 0x00, 358 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 359 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 360 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 361 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 362 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 363 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 364 | 0x00, 0x00, 0x00, 0x00, 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 365 | 0x00, 0x00, 0xf3, 0x51, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x16, 0xcc, 366 | 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 367 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, 0x75, 0x72, 0x76, 368 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x33, 0x00, 0x00, 369 | 0x63, 0x75, 0x72, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 370 | 0x02, 0x33, 0x00, 0x00, 0x63, 0x75, 0x72, 0x76, 0x00, 0x00, 0x00, 0x00, 371 | 0x00, 0x00, 0x00, 0x01, 0x02, 0x33, 0x00, 0x00, 0x58, 0x59, 0x5a, 0x20, 372 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9c, 0x18, 0x00, 0x00, 0x4f, 0xa5, 373 | 0x00, 0x00, 0x04, 0xfc, 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 374 | 0x00, 0x00, 0x34, 0x8d, 0x00, 0x00, 0xa0, 0x2c, 0x00, 0x00, 0x0f, 0x95, 375 | 0x58, 0x59, 0x5a, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0x31, 376 | 0x00, 0x00, 0x10, 0x2f, 0x00, 0x00, 0xbe, 0x9c, 377 | }; 378 | 379 | #endif // TESTING_LIBFUZZER_FUZZERS_COLOR_SPACE_DATA_H -------------------------------------------------------------------------------- /convert_woff2ttf_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include 9 | 10 | // Entry point for LibFuzzer. 11 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 12 | std::string buf; 13 | woff2::WOFF2StringOut out(&buf); 14 | out.SetMaxSize(30 * 1024 * 1024); 15 | woff2::ConvertWOFF2ToTTF(data, size, &out); 16 | return 0; 17 | } -------------------------------------------------------------------------------- /courgette_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include "courgette/courgette.h" 9 | #include "courgette/courgette_flow.h" 10 | #include "courgette/region.h" 11 | 12 | // Entry point for LibFuzzer. 13 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 14 | courgette::CourgetteFlow flow; 15 | courgette::RegionBuffer buffer(courgette::Region(data, size)); 16 | flow.ReadDisassemblerFromBuffer(flow.ONLY, buffer); 17 | flow.CreateAssemblyProgramFromDisassembler(flow.ONLY, false); 18 | flow.CreateEncodedProgramFromDisassemblerAndAssemblyProgram(flow.ONLY); 19 | flow.WriteSinkStreamSetFromEncodedProgram(flow.ONLY); 20 | // Not bothering to check |flow.failed()|. 21 | return 0; 22 | } -------------------------------------------------------------------------------- /empty_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | // Empty fuzzer that doesn't do anything. Used as test and documentation. 6 | 7 | #include 8 | #include 9 | 10 | // Environment is optional. 11 | struct Environment { 12 | Environment() { 13 | // Initialize your environment. 14 | } 15 | }; 16 | 17 | // Fuzzer entry point. 18 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 19 | // Initialize environment once. 20 | static Environment env; 21 | // Run your code on data. 22 | return 0; 23 | } -------------------------------------------------------------------------------- /flatbuffers_verifier_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include "third_party/flatbuffers/src/tests/monster_test_generated.h" 9 | 10 | // Entry point for LibFuzzer. 11 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 12 | flatbuffers::Verifier verifier(data, size); 13 | MyGame::Example::VerifyMonsterBuffer(verifier); 14 | return 0; 15 | } -------------------------------------------------------------------------------- /generate_javascript_parser_proto.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Copyright 2017 The Chromium Authors. All rights reserved. 4 | # Use of this source code is governed by a BSD-style license that can be 5 | # found in the LICENSE file. 6 | 7 | """ 8 | Script for generating .proto and a conversion .cc file for a templated library 9 | based JavaScript parser fuzzer. 10 | """ 11 | 12 | import sys 13 | 14 | def ParseWord(word_string): 15 | # Every part of the word is either a string surrounded by "" or a placeholder 16 | # $. 17 | 18 | word_string = word_string.lstrip().rstrip() 19 | 20 | parts = [] 21 | while len(word_string) > 0: 22 | if word_string[0] == '"': 23 | end_ix = 1 + word_string[1:].index('"') 24 | parts.append(word_string[1:end_ix]) 25 | word_string = word_string[(end_ix + 1):] 26 | elif word_string[0] == '$': 27 | if ' ' in word_string: 28 | end_ix = word_string.index(' ') 29 | else: 30 | end_ix = len(word_string) 31 | parts.append(int(word_string[1:end_ix])) 32 | word_string = word_string[end_ix:] 33 | else: 34 | assert(False) 35 | word_string = word_string.lstrip() 36 | return parts 37 | 38 | def GenerateProtoContents(words): 39 | contents = '' 40 | for ix in range(len(words)): 41 | contents += ' token_value_' + str(ix) + ' = ' + str(ix) + ';\n' 42 | return contents 43 | 44 | def GenerateConversionContents(words): 45 | contents = '' 46 | ix = 0 47 | for word in words: 48 | contents += ' case ' + str(ix) + ':\n' 49 | max_part = -1 50 | first = True 51 | building_string = '' 52 | for part in word: 53 | if not first: 54 | building_string += ' + std::string(" ") + ' 55 | if isinstance(part, str): 56 | building_string += 'std::string("' + part + '")' 57 | else: 58 | if (part > max_part): 59 | max_part = part 60 | building_string += ('token_to_string(token.inner_tokens(' + str(part) + 61 | '), depth)') 62 | first = False 63 | if max_part >= 0: 64 | contents += (' if (token.inner_tokens().size() < ' + 65 | str(max_part + 1) + ') return std::string("");\n') 66 | contents += ' return ' + building_string + ';\n' 67 | ix += 1 68 | return contents 69 | 70 | def ReadDictionary(filename): 71 | with open(filename) as input_file: 72 | lines = input_file.readlines() 73 | words = [] 74 | for line in lines: 75 | if not line.startswith('#'): 76 | word = ParseWord(line) 77 | if len(word) > 0: 78 | words.append(word) 79 | return words 80 | 81 | def main(argv): 82 | output_proto_file = argv[1] 83 | output_cc_file = argv[2] 84 | input_dict_file = argv[3] 85 | 86 | words = ReadDictionary(input_dict_file) 87 | 88 | proto_header = ('// Generated by generate_javascript_parser_proto.py.\n' 89 | '\n' 90 | 'syntax = "proto2";\n' 91 | 'package javascript_parser_proto_fuzzer;\n' 92 | '\n' 93 | 'message Token {\n' 94 | ' enum Value {\n') 95 | 96 | 97 | proto_footer = (' }\n' 98 | ' required Value value = 1;\n' 99 | ' repeated Token inner_tokens = 2;\n' 100 | '}\n' 101 | '\n' 102 | 'message Source {\n' 103 | ' required bool is_module = 1;\n' 104 | ' repeated Token tokens = 2;\n' 105 | '}\n') 106 | 107 | proto_contents = proto_header + GenerateProtoContents(words) + proto_footer 108 | 109 | with open(output_proto_file, 'w') as f: 110 | f.write(proto_contents) 111 | 112 | conversion_header = ( 113 | '// Generated by generate_javascript_parser_proto.py.\n' 114 | '\n' 115 | '#include "testing/libfuzzer/fuzzers/' 116 | 'javascript_parser_proto_to_string.h"\n' 117 | '\n' 118 | '// Bound calls to token_to_string to prevent memory usage from growing\n' 119 | '// too much.\n' 120 | 'const int kMaxRecursiveDepth = 9;\n' 121 | '\n' 122 | 'std::string token_to_string(\n' 123 | ' const javascript_parser_proto_fuzzer::Token& token, int depth)' 124 | ' {\n' 125 | ' if (++depth == kMaxRecursiveDepth) return std::string("");\n' 126 | ' switch(token.value()) {\n') 127 | 128 | conversion_footer = (' default: break;\n' 129 | ' }\n' 130 | ' return std::string("");\n' 131 | '}\n') 132 | 133 | conversion_contents = (conversion_header + GenerateConversionContents(words) 134 | + conversion_footer) 135 | 136 | with open(output_cc_file, 'w') as f: 137 | f.write(conversion_contents) 138 | 139 | if __name__ == "__main__": 140 | main(sys.argv) -------------------------------------------------------------------------------- /gfx_png_image_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include "base/logging.h" 9 | #include "ui/gfx/image/image.h" 10 | 11 | 12 | struct Environment { 13 | Environment() { 14 | // Disable noisy logging. 15 | logging::SetMinLogLevel(logging::LOG_FATAL); 16 | } 17 | }; 18 | 19 | Environment* env = new Environment(); 20 | 21 | 22 | // Entry point for LibFuzzer. 23 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 24 | gfx::Image image = gfx::Image::CreateFrom1xPNGBytes(data, size); 25 | 26 | if (image.IsEmpty()) 27 | return 0; 28 | 29 | image.ToSkBitmap(); 30 | 31 | return 0; 32 | } -------------------------------------------------------------------------------- /hash_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include "base/containers/span.h" 9 | #include "base/hash/hash.h" 10 | 11 | // Entry point for LibFuzzer. 12 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 13 | base::PersistentHash(base::make_span(data, size)); 14 | base::FastHash(base::make_span(data, size)); 15 | return 0; 16 | } -------------------------------------------------------------------------------- /javascript_parser_proto_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | 7 | #include 8 | 9 | #include "javascript_parser.pb.h" // from out/gen 10 | #include "testing/libfuzzer/fuzzers/javascript_parser_proto_to_string.h" 11 | #include "third_party/libprotobuf-mutator/src/src/libfuzzer/libfuzzer_macro.h" 12 | 13 | #include "v8/include/libplatform/libplatform.h" 14 | #include "v8/include/v8.h" 15 | 16 | // Silence logging from the protobuf library. 17 | protobuf_mutator::protobuf::LogSilencer log_silencer; 18 | 19 | v8::Isolate* isolate = nullptr; 20 | 21 | std::string protobuf_to_string( 22 | const javascript_parser_proto_fuzzer::Source& source_protobuf) { 23 | std::string source; 24 | for (const auto& token : source_protobuf.tokens()) { 25 | source += token_to_string(token, 0) + std::string(" "); 26 | } 27 | return source; 28 | } 29 | 30 | // Explicitly specify some attributes to avoid issues with the linker dead- 31 | // stripping the following function on macOS, as it is not called directly 32 | // by fuzz target. LibFuzzer runtime uses dlsym() to resolve that function. 33 | #if V8_OS_MACOSX 34 | __attribute__((used)) __attribute__((visibility("default"))) 35 | #endif // V8_OS_MACOSX 36 | extern "C" int 37 | LLVMFuzzerInitialize(int* argc, char*** argv) { 38 | v8::V8::InitializeICUDefaultLocation((*argv)[0]); 39 | v8::V8::InitializeExternalStartupData((*argv)[0]); 40 | v8::V8::SetFlagsFromCommandLine(argc, *argv, true); 41 | 42 | // Intentionally leaked during fuzzing. 43 | v8::Platform* platform = v8::platform::NewDefaultPlatform().release(); 44 | v8::V8::InitializePlatform(platform); 45 | v8::V8::Initialize(); 46 | 47 | v8::Isolate::CreateParams create_params; 48 | create_params.array_buffer_allocator = 49 | v8::ArrayBuffer::Allocator::NewDefaultAllocator(); 50 | isolate = v8::Isolate::New(create_params); 51 | return 0; 52 | } 53 | 54 | DEFINE_BINARY_PROTO_FUZZER( 55 | const javascript_parser_proto_fuzzer::Source& source_protobuf) { 56 | v8::Isolate::Scope isolate_scope(isolate); 57 | v8::HandleScope handle_scope(isolate); 58 | v8::Local context = v8::Context::New(isolate); 59 | v8::Context::Scope context_scope(context); 60 | 61 | std::string source_string = protobuf_to_string(source_protobuf); 62 | 63 | if (getenv("LPM_DUMP_NATIVE_INPUT")) { 64 | std::cout << source_string << std::endl; 65 | std::cout << "module: " << source_protobuf.is_module() << std::endl; 66 | } 67 | v8::Local source_v8_string = 68 | v8::String::NewFromUtf8(isolate, source_string.c_str(), 69 | v8::NewStringType::kNormal) 70 | .ToLocalChecked(); 71 | 72 | { 73 | v8::TryCatch try_catch(isolate); 74 | 75 | if (source_protobuf.is_module()) { 76 | v8::Local name = 77 | v8::String::NewFromUtf8(isolate, "module.js", 78 | v8::NewStringType::kNormal) 79 | .ToLocalChecked(); 80 | 81 | v8::ScriptOrigin origin( 82 | name, v8::Local(), v8::Local(), 83 | v8::Local(), v8::Local(), 84 | v8::Local(), v8::Local(), 85 | v8::Local(), v8::True(isolate)); 86 | v8::ScriptCompiler::Source source(source_v8_string, origin); 87 | v8::MaybeLocal module = 88 | v8::ScriptCompiler::CompileModule(isolate, &source); 89 | // TODO(marja): Figure out a more elegant way to silence the warning. 90 | module.IsEmpty(); 91 | } else { 92 | v8::MaybeLocal script = 93 | v8::Script::Compile(context, source_v8_string); 94 | // TODO(marja): Figure out a more elegant way to silence the warning. 95 | script.IsEmpty(); 96 | } 97 | 98 | // TODO(crbug.com/775796): run the code once we find a way to avoid endless 99 | // loops. 100 | } 101 | } 102 | -------------------------------------------------------------------------------- /javascript_parser_proto_to_string.h: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef TESTING_LIBFUZZER_FUZZERS_JAVASCRIPT_PARSER_PROTO_TO_STRING_H 6 | #define TESTING_LIBFUZZER_FUZZERS_JAVASCRIPT_PARSER_PROTO_TO_STRING_H 7 | 8 | #include "javascript_parser.pb.h" // from out/gen 9 | 10 | #include 11 | 12 | std::string token_to_string(const javascript_parser_proto_fuzzer::Token& token, 13 | int depth); 14 | 15 | #endif // TESTING_LIBFUZZER_FUZZERS_JAVASCRIPT_PARSER_PROTO_TO_STRING_H -------------------------------------------------------------------------------- /language_detection_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include 9 | 10 | #include "base/strings/string16.h" 11 | #include "base/strings/utf_string_conversions.h" 12 | #include "components/translate/core/language_detection/language_detection_util.h" 13 | 14 | // Entry point for LibFuzzer. 15 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 16 | if (size == 0) { 17 | return 0; 18 | } 19 | uint8_t ch = data[0]; 20 | int lang_len = ch & 0xF; 21 | int html_lang_len = (ch >> 4) & 0xF; 22 | int text_len = static_cast(size) - lang_len - html_lang_len; 23 | if ((text_len < 0) || (text_len % 2 != 0)) { 24 | return 0; 25 | } 26 | std::string lang(reinterpret_cast(data), lang_len); 27 | std::string html_lang(reinterpret_cast(data + lang_len), 28 | html_lang_len); 29 | base::string16 text( 30 | reinterpret_cast(data + lang_len + html_lang_len), 31 | text_len / 2); 32 | std::string cld_lang; 33 | bool is_cld_reliable; 34 | translate::DeterminePageLanguage(lang, html_lang, text, &cld_lang, 35 | &is_cld_reliable); 36 | return 0; 37 | } -------------------------------------------------------------------------------- /libpng_read_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include 9 | 10 | #include "base/bind.h" 11 | #include "base/callback_helpers.h" 12 | #define PNG_INTERNAL 13 | #include "third_party/libpng/png.h" 14 | 15 | void* limited_malloc(png_structp, png_alloc_size_t size) { 16 | // libpng may allocate large amounts of memory that the fuzzer reports as 17 | // an error. In order to silence these errors, make libpng fail when trying 18 | // to allocate a large amount. 19 | // This number is chosen to match the default png_user_chunk_malloc_max. 20 | if (size > 8000000) 21 | return nullptr; 22 | 23 | return malloc(size); 24 | } 25 | 26 | void default_free(png_structp, png_voidp ptr) { 27 | return free(ptr); 28 | } 29 | 30 | static const int kPngHeaderSize = 8; 31 | 32 | // Entry point for LibFuzzer. 33 | // Roughly follows the libpng book example: 34 | // http://www.libpng.org/pub/png/book/chapter13.html 35 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 36 | if (size < kPngHeaderSize) { 37 | return 0; 38 | } 39 | 40 | std::vector v(data, data + size); 41 | if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) { 42 | // not a PNG. 43 | return 0; 44 | } 45 | 46 | png_structp png_ptr = png_create_read_struct 47 | (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr); 48 | assert(png_ptr); 49 | 50 | #ifdef MEMORY_SANITIZER 51 | // To avoid OOM with MSan (crbug.com/648073). These values are recommended as 52 | // safe settings by https://github.com/glennrp/libpng/blob/libpng16/pngusr.dfa 53 | png_set_user_limits(png_ptr, 65535, 65535); 54 | #endif 55 | 56 | // Not all potential OOM are due to images with large widths and heights. 57 | // Use a custom allocator that fails for large allocations. 58 | png_set_mem_fn(png_ptr, nullptr, limited_malloc, default_free); 59 | 60 | png_set_crc_action(png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE); 61 | 62 | png_infop info_ptr = png_create_info_struct(png_ptr); 63 | assert(info_ptr); 64 | 65 | base::ScopedClosureRunner struct_deleter( 66 | base::BindOnce(&png_destroy_read_struct, &png_ptr, &info_ptr, nullptr)); 67 | 68 | if (setjmp(png_jmpbuf(png_ptr))) { 69 | return 0; 70 | } 71 | 72 | png_set_progressive_read_fn(png_ptr, nullptr, nullptr, nullptr, nullptr); 73 | png_process_data(png_ptr, info_ptr, const_cast(data), size); 74 | 75 | return 0; 76 | } -------------------------------------------------------------------------------- /libsrtp_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | 12 | #include "third_party/libsrtp/include/srtp.h" 13 | #include "third_party/libsrtp/include/srtp_priv.h" 14 | #include "third_party/libsrtp/test/rtp.h" 15 | 16 | // TODO(katrielc) Also test the authenticated path, which is what 17 | // WebRTC uses. This is nontrivial because you need to bypass the MAC 18 | // check. Two options: add a UNSAFE_FUZZER_MODE flag to libsrtp (or 19 | // the chromium fork of it), or compute the HMAC of whatever gibberish 20 | // the fuzzer produces and write it into the packet manually. 21 | 22 | namespace LibSrtpFuzzer { 23 | enum CryptoPolicy { 24 | NONE, 25 | LIKE_WEBRTC, 26 | LIKE_WEBRTC_SHORT_AUTH, 27 | LIKE_WEBRTC_WITHOUT_AUTH, 28 | AES_128_GCM, 29 | AES_256_GCM, 30 | NUMBER_OF_POLICIES, 31 | }; 32 | } 33 | 34 | static size_t GetKeyLength(LibSrtpFuzzer::CryptoPolicy crypto_policy) { 35 | switch (crypto_policy) { 36 | case LibSrtpFuzzer::NUMBER_OF_POLICIES: 37 | case LibSrtpFuzzer::NONE: 38 | return 0; 39 | case LibSrtpFuzzer::LIKE_WEBRTC: 40 | case LibSrtpFuzzer::LIKE_WEBRTC_SHORT_AUTH: 41 | case LibSrtpFuzzer::LIKE_WEBRTC_WITHOUT_AUTH: 42 | return SRTP_AES_ICM_128_KEY_LEN_WSALT; 43 | case LibSrtpFuzzer::AES_128_GCM: 44 | return SRTP_AES_GCM_128_KEY_LEN_WSALT; 45 | case LibSrtpFuzzer::AES_256_GCM: 46 | return SRTP_AES_GCM_256_KEY_LEN_WSALT; 47 | } 48 | } 49 | 50 | struct Environment { 51 | srtp_policy_t GetCryptoPolicy(LibSrtpFuzzer::CryptoPolicy crypto_policy, 52 | const unsigned char* replacement_key, 53 | size_t key_length) { 54 | switch (crypto_policy) { 55 | case LibSrtpFuzzer::NUMBER_OF_POLICIES: 56 | case LibSrtpFuzzer::NONE: 57 | srtp_crypto_policy_set_null_cipher_null_auth(&policy.rtp); 58 | srtp_crypto_policy_set_null_cipher_null_auth(&policy.rtcp); 59 | break; 60 | case LibSrtpFuzzer::LIKE_WEBRTC: 61 | srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp); 62 | srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp); 63 | break; 64 | case LibSrtpFuzzer::LIKE_WEBRTC_SHORT_AUTH: 65 | srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(&policy.rtp); 66 | srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(&policy.rtcp); 67 | break; 68 | case LibSrtpFuzzer::LIKE_WEBRTC_WITHOUT_AUTH: 69 | srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp); 70 | srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtcp); 71 | break; 72 | case LibSrtpFuzzer::AES_128_GCM: 73 | // There was a security bug in the GCM mode in libsrtp 1.5.2. 74 | srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtp); 75 | srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtcp); 76 | break; 77 | case LibSrtpFuzzer::AES_256_GCM: 78 | // WebRTC uses AES-256-GCM by default if GCM ciphers are enabled. 79 | srtp_crypto_policy_set_aes_gcm_256_16_auth(&policy.rtp); 80 | srtp_crypto_policy_set_aes_gcm_256_16_auth(&policy.rtcp); 81 | break; 82 | } 83 | 84 | assert(static_cast(policy.rtp.cipher_key_len) == key_length); 85 | assert(static_cast(policy.rtcp.cipher_key_len) == key_length); 86 | memcpy(key, replacement_key, key_length); 87 | return policy; 88 | } 89 | 90 | Environment() { 91 | srtp_init(); 92 | 93 | memset(&policy, 0, sizeof(policy)); 94 | policy.allow_repeat_tx = 1; 95 | policy.ekt = nullptr; 96 | policy.key = key; 97 | policy.next = nullptr; 98 | policy.ssrc.type = ssrc_any_inbound; 99 | policy.ssrc.value = 0xdeadbeef; 100 | policy.window_size = 1024; 101 | } 102 | 103 | private: 104 | srtp_policy_t policy; 105 | unsigned char key[SRTP_MAX_KEY_LEN] = {0}; 106 | 107 | static void srtp_crypto_policy_set_null_cipher_null_auth( 108 | srtp_crypto_policy_t* p) { 109 | p->cipher_type = SRTP_NULL_CIPHER; 110 | p->cipher_key_len = 0; 111 | p->auth_type = SRTP_NULL_AUTH; 112 | p->auth_key_len = 0; 113 | p->auth_tag_len = 0; 114 | p->sec_serv = sec_serv_none; 115 | } 116 | }; 117 | 118 | size_t ReadLength(const uint8_t* data, size_t size) { 119 | // Read one byte of input and interpret it as a length to read from 120 | // data. Don't return more bytes than are available. 121 | size_t n = static_cast(data[0]); 122 | return std::min(n, size - 1); 123 | } 124 | 125 | Environment* env = new Environment(); 126 | 127 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 128 | // Read one byte and use it to choose a crypto policy. 129 | if (size <= 2 + SRTP_MAX_KEY_LEN) 130 | return 0; 131 | LibSrtpFuzzer::CryptoPolicy policy = static_cast( 132 | data[0] % LibSrtpFuzzer::NUMBER_OF_POLICIES); 133 | data += 1; 134 | size -= 1; 135 | 136 | // Read some more bytes to use as a key. 137 | size_t key_length = GetKeyLength(policy); 138 | srtp_policy_t srtp_policy = env->GetCryptoPolicy(policy, data, key_length); 139 | data += SRTP_MAX_KEY_LEN; 140 | size -= SRTP_MAX_KEY_LEN; 141 | 142 | // Read one byte and use as number of encrypted header extensions. 143 | uint8_t num_encrypted_headers = data[0]; 144 | data += 1; 145 | size -= 1; 146 | if (num_encrypted_headers > 0) { 147 | // Use next bytes as extension ids. 148 | if (size <= num_encrypted_headers) 149 | return 0; 150 | srtp_policy.enc_xtn_hdr_count = static_cast(num_encrypted_headers); 151 | srtp_policy.enc_xtn_hdr = 152 | static_cast(malloc(srtp_policy.enc_xtn_hdr_count * sizeof(int))); 153 | assert(srtp_policy.enc_xtn_hdr); 154 | for (int i = 0; i < srtp_policy.enc_xtn_hdr_count; ++i) { 155 | srtp_policy.enc_xtn_hdr[i] = static_cast(data[i]); 156 | } 157 | data += srtp_policy.enc_xtn_hdr_count; 158 | size -= srtp_policy.enc_xtn_hdr_count; 159 | } 160 | 161 | srtp_t session; 162 | srtp_err_status_t error = srtp_create(&session, &srtp_policy); 163 | free(srtp_policy.enc_xtn_hdr); 164 | if (error != srtp_err_status_ok) { 165 | assert(false); 166 | return 0; 167 | } 168 | 169 | // Read one byte as a packet length N, then feed the next N bytes 170 | // into srtp_unprotect. Keep going until we run out of data. 171 | size_t packet_size; 172 | while (size > 0 && (packet_size = ReadLength(data, size)) > 0) { 173 | // One byte was used by ReadLength. 174 | data++; 175 | size--; 176 | 177 | size_t header_size = std::min(sizeof(srtp_hdr_t), packet_size); 178 | size_t body_size = packet_size - header_size; 179 | 180 | // We deliberately do not initialise this struct. MSAN will catch 181 | // usage of the uninitialised memory. 182 | rtp_msg_t message; 183 | memcpy(&message.header, data, header_size); 184 | memcpy(&message.body, data + header_size, body_size); 185 | 186 | int out_len = static_cast(packet_size); 187 | srtp_unprotect(session, &message, &out_len); 188 | 189 | // |packet_size| bytes were used above. 190 | data += packet_size; 191 | size -= packet_size; 192 | } 193 | 194 | srtp_dealloc(session); 195 | return 0; 196 | } -------------------------------------------------------------------------------- /libxml_xml_read_memory_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | #include "libxml/parser.h" 14 | #include "libxml/xmlsave.h" 15 | 16 | void ignore (void* ctx, const char* msg, ...) { 17 | // Error handler to avoid spam of error messages from libxml parser. 18 | } 19 | 20 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 21 | xmlSetGenericErrorFunc(NULL, &ignore); 22 | 23 | // Test default empty options value and one random combination of flags. 24 | const std::string data_string(reinterpret_cast(data), size); 25 | const std::size_t data_hash = std::hash()(data_string); 26 | const int max_option_value = std::numeric_limits::max(); 27 | // Disable XML_PARSE_HUGE to avoid stack overflow. http://crbug.com/738947. 28 | // Disable XML_PARSE_NOENT, XML_PARSE_DTD[LOAD|ATTR|VALID] to avoid timeout 29 | // loading external entity from stdin. http://crbug.com/755142. 30 | const int random_option = data_hash & max_option_value & ~XML_PARSE_NOENT & 31 | ~XML_PARSE_DTDLOAD & ~XML_PARSE_DTDATTR & 32 | ~XML_PARSE_DTDVALID & ~XML_PARSE_HUGE; 33 | const int options[] = {0, random_option}; 34 | 35 | for (const auto option_value : options) { 36 | // Intentionally pass raw data as the API does not require trailing \0. 37 | if (auto doc = xmlReadMemory(reinterpret_cast(data), size, 38 | "noname.xml", NULL, option_value)) { 39 | auto buffer = xmlBufferCreate(); 40 | assert(buffer); 41 | 42 | auto context = xmlSaveToBuffer(buffer, NULL, 0); 43 | xmlSaveDoc(context, doc); 44 | xmlSaveClose(context); 45 | xmlFreeDoc(doc); 46 | xmlBufferFree(buffer); 47 | } 48 | } 49 | 50 | return 0; 51 | } 52 | -------------------------------------------------------------------------------- /libyuv_scale_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2019 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "third_party/libyuv/include/libyuv.h" 11 | 12 | void FillBufferWithRandomData(uint8_t* dst, size_t len, std::minstd_rand0 rng) { 13 | size_t i; 14 | for (i = 0; i + 3 < len; i += 4) { 15 | *reinterpret_cast(dst) = rng(); 16 | dst += 4; 17 | } 18 | for (; i < len; ++i) { 19 | *dst++ = rng(); 20 | } 21 | } 22 | 23 | static void Scale(bool is420, 24 | int src_width, 25 | int src_height, 26 | int dst_width, 27 | int dst_height, 28 | int filter_num, 29 | std::string seed_str) { 30 | int src_width_uv, src_height_uv; 31 | if (is420) { 32 | src_width_uv = (std::abs(src_width) + 1) >> 1; 33 | src_height_uv = (std::abs(src_height) + 1) >> 1; 34 | } else { 35 | src_width_uv = (std::abs(src_width)); 36 | src_height_uv = (std::abs(src_height)); 37 | } 38 | 39 | size_t src_y_plane_size = (std::abs(src_width)) * (std::abs(src_height)); 40 | size_t src_uv_plane_size = (src_width_uv) * (src_height_uv); 41 | 42 | int src_stride_y = std::abs(src_width); 43 | int src_stride_uv = src_width_uv; 44 | 45 | uint8_t* src_y = reinterpret_cast(malloc(src_y_plane_size)); 46 | uint8_t* src_u = reinterpret_cast(malloc(src_uv_plane_size)); 47 | uint8_t* src_v = reinterpret_cast(malloc(src_uv_plane_size)); 48 | 49 | uint16_t* p_src_y_16 = 50 | reinterpret_cast(malloc(src_y_plane_size * 2)); 51 | uint16_t* p_src_u_16 = 52 | reinterpret_cast(malloc(src_uv_plane_size * 2)); 53 | uint16_t* p_src_v_16 = 54 | reinterpret_cast(malloc(src_uv_plane_size * 2)); 55 | 56 | std::seed_seq seed(seed_str.begin(), seed_str.end()); 57 | std::minstd_rand0 rng(seed); 58 | 59 | FillBufferWithRandomData(src_y, src_y_plane_size, rng); 60 | FillBufferWithRandomData(src_u, src_uv_plane_size, rng); 61 | FillBufferWithRandomData(src_v, src_uv_plane_size, rng); 62 | 63 | for (size_t i = 0; i < src_y_plane_size; ++i) { 64 | p_src_y_16[i] = src_y[i]; 65 | } 66 | for (size_t i = 0; i < src_uv_plane_size; ++i) { 67 | p_src_u_16[i] = src_u[i]; 68 | p_src_v_16[i] = src_v[i]; 69 | } 70 | 71 | int dst_width_uv, dst_height_uv; 72 | if (is420) { 73 | dst_width_uv = (dst_width + 1) >> 1; 74 | dst_height_uv = (dst_height + 1) >> 1; 75 | } else { 76 | dst_width_uv = dst_width; 77 | dst_height_uv = dst_height; 78 | } 79 | 80 | size_t dst_y_plane_size = (dst_width) * (dst_height); 81 | size_t dst_uv_plane_size = (dst_width_uv) * (dst_height_uv); 82 | 83 | int dst_stride_y = dst_width; 84 | int dst_stride_uv = dst_width_uv; 85 | 86 | uint8_t* dst_y_c = reinterpret_cast(malloc(dst_y_plane_size)); 87 | uint8_t* dst_u_c = reinterpret_cast(malloc(dst_uv_plane_size)); 88 | uint8_t* dst_v_c = reinterpret_cast(malloc(dst_uv_plane_size)); 89 | 90 | uint16_t* p_dst_y_16 = 91 | reinterpret_cast(malloc(dst_y_plane_size * 2)); 92 | uint16_t* p_dst_u_16 = 93 | reinterpret_cast(malloc(dst_uv_plane_size * 2)); 94 | uint16_t* p_dst_v_16 = 95 | reinterpret_cast(malloc(dst_uv_plane_size * 2)); 96 | 97 | if (is420) { 98 | I420Scale(src_y, src_stride_y, src_u, src_stride_uv, src_v, src_stride_uv, 99 | src_width, src_height, dst_y_c, dst_stride_y, dst_u_c, 100 | dst_stride_uv, dst_v_c, dst_stride_uv, dst_width, dst_height, 101 | static_cast(filter_num)); 102 | 103 | I420Scale_16(p_src_y_16, src_stride_y, p_src_u_16, src_stride_uv, 104 | p_src_v_16, src_stride_uv, src_width, src_height, p_dst_y_16, 105 | dst_stride_y, p_dst_u_16, dst_stride_uv, p_dst_v_16, 106 | dst_stride_uv, dst_width, dst_height, 107 | static_cast(filter_num)); 108 | } else { 109 | I444Scale(src_y, src_stride_y, src_u, src_stride_uv, src_v, src_stride_uv, 110 | src_width, src_height, dst_y_c, dst_stride_y, dst_u_c, 111 | dst_stride_uv, dst_v_c, dst_stride_uv, dst_width, dst_height, 112 | static_cast(filter_num)); 113 | 114 | I444Scale_16(p_src_y_16, src_stride_y, p_src_u_16, src_stride_uv, 115 | p_src_v_16, src_stride_uv, src_width, src_height, p_dst_y_16, 116 | dst_stride_y, p_dst_u_16, dst_stride_uv, p_dst_v_16, 117 | dst_stride_uv, dst_width, dst_height, 118 | static_cast(filter_num)); 119 | } 120 | 121 | free(src_y); 122 | free(src_u); 123 | free(src_v); 124 | 125 | free(p_src_y_16); 126 | free(p_src_u_16); 127 | free(p_src_v_16); 128 | 129 | free(dst_y_c); 130 | free(dst_u_c); 131 | free(dst_v_c); 132 | 133 | free(p_dst_y_16); 134 | free(p_dst_u_16); 135 | free(p_dst_v_16); 136 | } 137 | 138 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 139 | FuzzedDataProvider provider(data, size); 140 | 141 | // Limit width and height for performance. 142 | int src_width = provider.ConsumeIntegralInRange(1, 256); 143 | int src_height = provider.ConsumeIntegralInRange(1, 256); 144 | 145 | int filter_num = 146 | provider.ConsumeIntegralInRange(0, libyuv::FilterMode::kFilterBox); 147 | 148 | int dst_width = provider.ConsumeIntegralInRange(1, 256); 149 | int dst_height = provider.ConsumeIntegralInRange(1, 256); 150 | 151 | std::string seed = provider.ConsumeRemainingBytesAsString(); 152 | 153 | Scale(true, src_width, src_height, dst_width, dst_height, filter_num, seed); 154 | Scale(false, src_width, src_height, dst_width, dst_height, filter_num, seed); 155 | 156 | return 0; 157 | } 158 | -------------------------------------------------------------------------------- /prtime_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include 9 | 10 | #include "base/third_party/nspr/prtime.h" 11 | 12 | PRTime parsed_time; 13 | 14 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 15 | if (size < 1) 16 | return 0; 17 | 18 | const uint8_t selector = data[0]; 19 | 20 | // Using std::string instead of a (potentially faster) fixed buffer to catch 21 | // accesses beyond the end of the string. 22 | std::string str(reinterpret_cast(data+1), size - 1); 23 | PR_ParseTimeString(str.c_str(), selector & 1, &parsed_time); 24 | 25 | return 0; 26 | } -------------------------------------------------------------------------------- /sha1_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include "base/hash/sha1.h" 9 | 10 | // Entry point for LibFuzzer. 11 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 12 | unsigned char sha1[base::kSHA1Length] = {}; 13 | base::SHA1HashBytes(data, size, sha1); 14 | return 0; 15 | } -------------------------------------------------------------------------------- /skia_image_filter_proto_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | // Takes an Input protobuf message from libprotobuf-mutator, converts it to an 6 | // actual skia image filter and then applies it to a canvas for the purpose of 7 | // fuzzing skia. This should uncover bugs that could be used by a compromised 8 | // renderer to exploit the browser process. 9 | 10 | #include 11 | 12 | #include 13 | #include 14 | 15 | #include "testing/libfuzzer/proto/skia_image_filter_proto_converter.h" 16 | 17 | #include "base/process/memory.h" 18 | #include "base/test/test_discardable_memory_allocator.h" 19 | #include "third_party/libprotobuf-mutator/src/src/libfuzzer/libfuzzer_macro.h" 20 | #include "third_party/skia/include/core/SkBitmap.h" 21 | #include "third_party/skia/include/core/SkCanvas.h" 22 | #include "third_party/skia/include/core/SkImageFilter.h" 23 | 24 | protobuf_mutator::protobuf::LogSilencer log_silencer; 25 | 26 | using skia_image_filter_proto_converter::Input; 27 | using skia_image_filter_proto_converter::Converter; 28 | 29 | static const int kBitmapSize = 24; 30 | 31 | struct Environment { 32 | base::TestDiscardableMemoryAllocator* discardable_memory_allocator; 33 | Environment() { 34 | base::EnableTerminationOnOutOfMemory(); 35 | discardable_memory_allocator = new base::TestDiscardableMemoryAllocator(); 36 | base::DiscardableMemoryAllocator::SetInstance(discardable_memory_allocator); 37 | } 38 | }; 39 | 40 | DEFINE_PROTO_FUZZER(const Input& input) { 41 | static Environment environment = Environment(); 42 | ALLOW_UNUSED_LOCAL(environment); 43 | 44 | static Converter converter = Converter(); 45 | std::string ipc_filter_message = converter.Convert(input); 46 | 47 | // Allow the flattened skia filter to be retrieved easily. 48 | if (getenv("LPM_DUMP_NATIVE_INPUT")) { 49 | // Don't write a newline since it will make the output invalid (so that it 50 | // cannot be fed to filter_fuzz_stub) Flush instead. 51 | std::cout << ipc_filter_message << std::flush; 52 | } 53 | 54 | sk_sp flattenable = SkImageFilter::Deserialize( 55 | ipc_filter_message.c_str(), ipc_filter_message.size()); 56 | 57 | if (!flattenable) 58 | return; 59 | 60 | SkBitmap bitmap; 61 | bitmap.allocN32Pixels(kBitmapSize, kBitmapSize); 62 | SkCanvas canvas(bitmap); 63 | canvas.clear(0x00000000); 64 | SkPaint paint; 65 | paint.setImageFilter(flattenable); 66 | canvas.save(); 67 | canvas.clipRect(SkRect::MakeXYWH(0, 0, SkIntToScalar(kBitmapSize), 68 | SkIntToScalar(kBitmapSize))); 69 | canvas.drawBitmap(bitmap, 0, 0, &paint); 70 | canvas.restore(); 71 | } 72 | -------------------------------------------------------------------------------- /skia_path_common.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "testing/libfuzzer/fuzzers/skia_path_common.h" 6 | 7 | #include "third_party/skia/include/core/SkPath.h" 8 | 9 | // This is needed because SkPath::readFromMemory does not seem to be able to 10 | // be able to handle arbitrary input. 11 | void BuildPath(const uint8_t** data, 12 | size_t* size, 13 | SkPath* path, 14 | int last_verb) { 15 | uint8_t operation; 16 | SkScalar a, b, c, d, e, f; 17 | while (read(data, size, &operation)) { 18 | switch (operation % (last_verb + 1)) { 19 | case SkPath::Verb::kMove_Verb: 20 | if (!read(data, size, &a) || !read(data, size, &b)) 21 | return; 22 | path->moveTo(a, b); 23 | break; 24 | 25 | case SkPath::Verb::kLine_Verb: 26 | if (!read(data, size, &a) || !read(data, size, &b)) 27 | return; 28 | path->lineTo(a, b); 29 | break; 30 | 31 | case SkPath::Verb::kQuad_Verb: 32 | if (!read(data, size, &a) || 33 | !read(data, size, &b) || 34 | !read(data, size, &c) || 35 | !read(data, size, &d)) 36 | return; 37 | path->quadTo(a, b, c, d); 38 | break; 39 | 40 | case SkPath::Verb::kConic_Verb: 41 | if (!read(data, size, &a) || 42 | !read(data, size, &b) || 43 | !read(data, size, &c) || 44 | !read(data, size, &d) || 45 | !read(data, size, &e)) 46 | return; 47 | path->conicTo(a, b, c, d, e); 48 | break; 49 | 50 | case SkPath::Verb::kCubic_Verb: 51 | if (!read(data, size, &a) || 52 | !read(data, size, &b) || 53 | !read(data, size, &c) || 54 | !read(data, size, &d) || 55 | !read(data, size, &e) || 56 | !read(data, size, &f)) 57 | return; 58 | path->cubicTo(a, b, c, d, e, f); 59 | break; 60 | 61 | case SkPath::Verb::kClose_Verb: 62 | path->close(); 63 | break; 64 | 65 | case SkPath::Verb::kDone_Verb: 66 | // In this case, simply exit. 67 | return; 68 | } 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /skia_path_common.h: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #ifndef TESTING_LIBFUZZER_FUZZERS_SKIA_PATH_COMMON_H_ 6 | #define TESTING_LIBFUZZER_FUZZERS_SKIA_PATH_COMMON_H_ 7 | 8 | #include "third_party/skia/include/core/SkPath.h" 9 | 10 | template 11 | static bool read(const uint8_t** data, size_t* size, T* value) { 12 | if (*size < sizeof(T)) 13 | return false; 14 | 15 | *value = *reinterpret_cast(*data); 16 | *data += sizeof(T); 17 | *size -= sizeof(T); 18 | return true; 19 | } 20 | 21 | void BuildPath(const uint8_t** data, 22 | size_t* size, 23 | SkPath* path, 24 | int last_verb); 25 | 26 | #endif // TESTING_LIBFUZZER_FUZZERS_SKIA_PATH_COMMON_H_ -------------------------------------------------------------------------------- /skia_path_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include "testing/libfuzzer/fuzzers/skia_path_common.h" 9 | #include "third_party/skia/include/core/SkCanvas.h" 10 | #include "third_party/skia/include/core/SkPaint.h" 11 | #include "third_party/skia/include/core/SkPath.h" 12 | #include "third_party/skia/include/core/SkSurface.h" 13 | 14 | 15 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 16 | uint8_t w, h, anti_alias; 17 | if (!read(&data, &size, &w)) 18 | return 0; 19 | if (!read(&data, &size, &h)) 20 | return 0; 21 | if (!read(&data, &size, &anti_alias)) 22 | return 0; 23 | 24 | SkScalar a, b, c, d; 25 | if (!read(&data, &size, &a)) 26 | return 0; 27 | if (!read(&data, &size, &b)) 28 | return 0; 29 | if (!read(&data, &size, &c)) 30 | return 0; 31 | if (!read(&data, &size, &d)) 32 | return 0; 33 | 34 | // In this case, we specifically don't want to include kDone_Verb. 35 | SkPath path; 36 | BuildPath(&data, &size, &path, SkPath::Verb::kClose_Verb); 37 | 38 | // Try a few potentially interesting things with our path. 39 | path.contains(a, b); 40 | path.conservativelyContainsRect(SkRect::MakeLTRB(a, b, c, d)); 41 | 42 | SkPaint paint_fill; 43 | paint_fill.setStyle(SkPaint::Style::kFill_Style); 44 | paint_fill.setAntiAlias(anti_alias & 1); 45 | 46 | SkPaint paint_stroke; 47 | paint_stroke.setStyle(SkPaint::Style::kStroke_Style); 48 | paint_stroke.setStrokeWidth(1); 49 | paint_stroke.setAntiAlias(anti_alias & 1); 50 | 51 | SkPath dst_path; 52 | paint_stroke.getFillPath(path, &dst_path, nullptr); 53 | 54 | // Width and height should never be 0. 55 | auto surface(SkSurface::MakeRasterN32Premul(w ? w : 1, h ? h : 1)); 56 | 57 | surface->getCanvas()->drawPath(path, paint_fill); 58 | surface->getCanvas()->drawPath(path, paint_stroke); 59 | 60 | return 0; 61 | } 62 | -------------------------------------------------------------------------------- /skia_pathop_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include "base/logging.h" 9 | #include "testing/libfuzzer/fuzzers/skia_path_common.h" 10 | #include "third_party/skia/include/core/SkPath.h" 11 | #include "third_party/skia/include/pathops/SkPathOps.h" 12 | 13 | struct Environment { 14 | Environment() { 15 | // Disable noisy logging as per "libFuzzer in Chrome" documentation: 16 | // testing/libfuzzer/getting_started.md#Disable-noisy-error-message-logging. 17 | logging::SetMinLogLevel(logging::LOG_FATAL); 18 | } 19 | }; 20 | 21 | Environment* env = new Environment(); 22 | 23 | const int kLastOp = SkPathOp::kReverseDifference_SkPathOp; 24 | 25 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 26 | SkOpBuilder builder; 27 | while (size > 0) { 28 | SkPath path; 29 | uint8_t op; 30 | if (!read(&data, &size, &op)) 31 | break; 32 | 33 | BuildPath(&data, &size, &path, SkPath::Verb::kDone_Verb); 34 | builder.add(path, static_cast(op % (kLastOp + 1))); 35 | } 36 | 37 | SkPath result; 38 | builder.resolve(&result); 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /snappy_compress_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2018 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include "third_party/snappy/src/snappy.h" 6 | 7 | #define FUZZING_ASSERT(condition) \ 8 | if (!(condition)) { \ 9 | fprintf(stderr, "%s\n", "Fuzzing Assertion Failure: " #condition); \ 10 | abort(); \ 11 | } 12 | 13 | // Entry point for LibFuzzer. 14 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 15 | const char* uncompressed = reinterpret_cast(data); 16 | std::string compressed; 17 | snappy::Compress(uncompressed, size, &compressed); 18 | FUZZING_ASSERT( 19 | snappy::IsValidCompressedBuffer(compressed.data(), compressed.size())); 20 | 21 | std::string uncompressed_after_compress; 22 | FUZZING_ASSERT(snappy::Uncompress(compressed.data(), compressed.size(), 23 | &uncompressed_after_compress)); 24 | FUZZING_ASSERT(uncompressed_after_compress == 25 | std::string(uncompressed, size)); 26 | 27 | return 0; 28 | } -------------------------------------------------------------------------------- /snappy_uncompress_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include "third_party/snappy/src/snappy-sinksource.h" 9 | #include "third_party/snappy/src/snappy.h" 10 | 11 | // Entry point for LibFuzzer. 12 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 13 | snappy::ByteArraySource src(reinterpret_cast(data), size); 14 | uint32_t len; 15 | // Note: src is invalid after GetUncompressedLength call. 16 | if (!snappy::GetUncompressedLength(&src, &len) || (len > 1E6)) { 17 | // We have to bail out, to avoid self-crafted decompression bombs. 18 | return 0; 19 | } 20 | 21 | std::string uncompressed_str; 22 | snappy::Uncompress(reinterpret_cast(data), size, 23 | &uncompressed_str); 24 | return 0; 25 | } -------------------------------------------------------------------------------- /template_url_parser_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include 9 | #include 10 | 11 | #include "libxml/parser.h" 12 | 13 | #include "base/at_exit.h" 14 | #include "base/bind.h" 15 | #include "base/command_line.h" 16 | #include "base/i18n/icu_util.h" 17 | #include "base/run_loop.h" 18 | #include "base/task/single_thread_task_executor.h" 19 | #include "components/search_engines/search_terms_data.h" 20 | #include "components/search_engines/template_url.h" 21 | #include "components/search_engines/template_url_parser.h" 22 | #include "mojo/core/embedder/embedder.h" 23 | #include "services/data_decoder/public/cpp/test_support/in_process_data_decoder.h" 24 | #include "testing/libfuzzer/libfuzzer_exports.h" 25 | 26 | bool PseudoRandomFilter(std::mt19937* generator, 27 | std::uniform_int_distribution* pool, 28 | const std::string&, 29 | const std::string&) { 30 | // Return true 254/255 times, ie: as if pool only returned uint8_t. 31 | return (*pool)(*generator) % (UINT8_MAX + 1); 32 | } 33 | 34 | struct FuzzerFixedParams { 35 | uint32_t seed_; 36 | }; 37 | 38 | base::AtExitManager at_exit_manager; // used by ICU integration 39 | 40 | extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) { 41 | CHECK(base::i18n::InitializeICU()); 42 | CHECK(base::CommandLine::Init(*argc, *argv)); 43 | return 0; 44 | } 45 | 46 | void ignore(void* ctx, const char* msg, ...) { 47 | // Error handler to avoid error message spam from libxml parser. 48 | } 49 | 50 | class Env { 51 | public: 52 | Env() : executor_(base::MessagePumpType::IO) { 53 | mojo::core::Init(); 54 | xmlSetGenericErrorFunc(nullptr, &ignore); 55 | } 56 | 57 | private: 58 | base::SingleThreadTaskExecutor executor_; 59 | data_decoder::test::InProcessDataDecoder data_decoder_; 60 | }; 61 | 62 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 63 | static Env env; 64 | if (size < sizeof(FuzzerFixedParams)) { 65 | return 0; 66 | } 67 | 68 | const FuzzerFixedParams* params = 69 | reinterpret_cast(data); 70 | size -= sizeof(FuzzerFixedParams); 71 | 72 | std::mt19937 generator(params->seed_); 73 | // Use a uint16_t here instead of uint8_t because uniform_int_distribution 74 | // does not support 8 bit types on Windows. 75 | std::uniform_int_distribution pool(0, 1); 76 | 77 | base::RunLoop run_loop; 78 | 79 | SearchTermsData search_terms_data; 80 | std::string string_data(reinterpret_cast(params + 1), size); 81 | TemplateURLParser::ParameterFilter filter = 82 | base::BindRepeating(&PseudoRandomFilter, base::Unretained(&generator), 83 | base::Unretained(&pool)); 84 | TemplateURLParser::Parse(&search_terms_data, string_data, filter, 85 | base::BindOnce( 86 | [](base::OnceClosure quit_closure, 87 | std::unique_ptr ignored) { 88 | std::move(quit_closure).Run(); 89 | }, 90 | run_loop.QuitClosure())); 91 | 92 | run_loop.Run(); 93 | 94 | return 0; 95 | } 96 | -------------------------------------------------------------------------------- /url_parse_proto_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include 9 | 10 | // Includes copied from url_parse_fuzzer.cc 11 | #include "base/at_exit.h" 12 | #include "base/i18n/icu_util.h" 13 | #include "url/gurl.h" 14 | 15 | // Includes *not* copied from url_parse_fuzzer.cc 16 | // Contains DEFINE_BINARY_PROTO_FUZZER, a macro we use to define our target 17 | // function. 18 | #include "third_party/libprotobuf-mutator/src/src/libfuzzer/libfuzzer_macro.h" 19 | // Header information about the Protocol Buffer Url class. 20 | #include "testing/libfuzzer/fuzzers/url.pb.h" 21 | 22 | // The code using TestCase is copied from url_parse_fuzzer.cc 23 | struct TestCase { 24 | TestCase() { 25 | CHECK(base::i18n::InitializeICU()); 26 | } 27 | // used by ICU integration. 28 | base::AtExitManager at_exit_manager; 29 | }; 30 | 31 | TestCase* test_case = new TestCase(); 32 | 33 | // Silence logging from the protobuf library. 34 | protobuf_mutator::protobuf::LogSilencer log_silencer; 35 | 36 | std::string Slash_to_string(int slash) { 37 | if (slash == url_parse_proto_fuzzer::Url::NONE) 38 | return ""; 39 | if (slash == url_parse_proto_fuzzer::Url::FORWARD) 40 | return "/"; 41 | if (slash == url_parse_proto_fuzzer::Url::BACKWARD) { 42 | return "\\"; 43 | } 44 | assert(false && "Received unexpected value for slash"); 45 | // Silence compiler warning about not returning in non-void function. 46 | return ""; 47 | } 48 | 49 | // Converts a URL in Protocol Buffer format to a url in string format. 50 | // Since protobuf is a relatively simple format, fuzzing targets that do not 51 | // accept protobufs (such as this one) will require code to convert from 52 | // protobuf to the accepted format (string in this case). 53 | std::string protobuf_to_string(const url_parse_proto_fuzzer::Url& url) { 54 | // Build url_string piece by piece from url and then return it. 55 | std::string url_string = std::string(""); 56 | 57 | if (url.has_scheme()) { // Get the scheme if Url has it. 58 | // Append the scheme to the url. This may be empty. Then append a colon 59 | // which is mandatory if there is a scheme. 60 | url_string += url.scheme() + ":"; 61 | } 62 | 63 | // Just append the slashes without doing validation, since it would be too 64 | // complex. libFuzzer will hopefully figure out good values. 65 | for (const int slash : url.slashes()) 66 | url_string += Slash_to_string(slash); 67 | 68 | // Get host. This is simple since hosts are simply strings according to our 69 | // definition. 70 | if (url.has_host()) { 71 | // Get userinfo if libFuzzer set it. Ensure that user is seperated 72 | // from the password by ":" (if a password is included) and that userinfo is 73 | // separated from the host by "@". 74 | if (url.has_userinfo()) { 75 | url_string += url.userinfo().user(); 76 | if (url.userinfo().has_password()) { 77 | url_string += ":"; 78 | url_string += url.userinfo().password(); 79 | } 80 | url_string += "@"; 81 | } 82 | url_string += url.host(); 83 | 84 | // As explained in url.proto, if libFuzzer included a port in url ensure 85 | // that it is preceded by the host and then ":". 86 | if (url.has_port()) 87 | // Convert url.port() from an unsigned 32 bit int before appending it. 88 | url_string += ":" + std::to_string(url.port()); 89 | } 90 | 91 | // Append the path segments to the url, with each segment separated by 92 | // the path_separator. 93 | bool first_segment = true; 94 | std::string path_separator = Slash_to_string(url.path_separator()); 95 | for (const std::string& path_segment : url.path()) { 96 | // There does not need to be a path, but if there is a path and a host, 97 | // ensure the path begins with "/". 98 | if (url.has_host() && first_segment) { 99 | url_string += "/" + path_segment; 100 | first_segment = false; 101 | } else 102 | url_string += path_separator + path_segment; 103 | } 104 | 105 | // Queries must be started by "?". If libFuzzer included a query in url, 106 | // ensure that it is preceded by "?". Also Seperate query components with 107 | // ampersands as is the convention. 108 | bool first_component = true; 109 | for (const std::string& query_component : url.query()) { 110 | if (first_component) { 111 | url_string += "?" + query_component; 112 | first_component = false; 113 | } else 114 | url_string += "&" + query_component; 115 | } 116 | 117 | // Fragments must be started by "#". If libFuzzer included a fragment 118 | // in url, ensure that it is preceded by "#". 119 | if (url.has_fragment()) 120 | url_string += "#" + url.fragment(); 121 | 122 | return url_string; 123 | } 124 | 125 | // The target function. This is the equivalent of LLVMFuzzerTestOneInput in 126 | // typical libFuzzer based fuzzers. It is passed our Url protobuf object that 127 | // was mutated by libFuzzer, converts it to a string and then feeds it to url() 128 | // for fuzzing. 129 | DEFINE_BINARY_PROTO_FUZZER(const url_parse_proto_fuzzer::Url& url_protobuf) { 130 | std::string url_string = protobuf_to_string(url_protobuf); 131 | 132 | // Allow native input to be retrieved easily. 133 | // Note that there will be a trailing newline that is not part of url_string. 134 | if (getenv("LPM_DUMP_NATIVE_INPUT")) 135 | std::cout << url_string << std::endl; 136 | 137 | GURL url(url_string); 138 | } 139 | -------------------------------------------------------------------------------- /usrsctp_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | 8 | #include "third_party/usrsctp/usrsctplib/usrsctplib/usrsctp.h" 9 | 10 | static int ignore1(void* addr, 11 | void* data, 12 | size_t length, 13 | uint8_t tos, 14 | uint8_t set_df) { 15 | return 0; 16 | } 17 | 18 | static void ignore2(const char* format, ...) {} 19 | 20 | struct Environment { 21 | Environment() { 22 | usrsctp_init(0, ignore1, ignore2); 23 | } 24 | }; 25 | 26 | Environment* env = new Environment(); 27 | 28 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 29 | usrsctp_conninput(nullptr, data, size, 0); 30 | return 0; 31 | } -------------------------------------------------------------------------------- /v8_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2017 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include "base/compiler_specific.h" 12 | #include "v8/include/libplatform/libplatform.h" 13 | #include "v8/include/v8.h" 14 | 15 | using v8::MaybeLocal; 16 | using std::ref; 17 | using std::lock_guard; 18 | using std::mutex; 19 | using std::chrono::time_point; 20 | using std::chrono::steady_clock; 21 | using std::chrono::seconds; 22 | using std::chrono::duration_cast; 23 | 24 | static const seconds kSleepSeconds(1); 25 | 26 | // Because of the sleep we do, the actual max will be: 27 | // kSleepSeconds + kMaxExecutionSeconds. 28 | // TODO(metzman): Determine if having such a short timeout causes too much 29 | // indeterminism. 30 | static const seconds kMaxExecutionSeconds(7); 31 | 32 | // Inspired by/copied from d8 code, this allocator will return nullptr when 33 | // an allocation request is made that puts currently_allocated_ over 34 | // kAllocationLimit (1 GB). Should handle the current allocations done by V8. 35 | class MockArrayBufferAllocator : public v8::ArrayBuffer::Allocator { 36 | std::unique_ptr allocator_ = 37 | std::unique_ptr(NewDefaultAllocator()); 38 | 39 | const size_t kAllocationLimit = 1000 * 1024 * 1024; 40 | // TODO(metzman): Determine if this approach where we keep track of state 41 | // between runs is a good idea. Maybe we should simply prevent allocations 42 | // over a certain size regardless of previous allocations. 43 | size_t currently_allocated_; 44 | mutex mtx_; 45 | 46 | public: 47 | MockArrayBufferAllocator() 48 | : v8::ArrayBuffer::Allocator(), currently_allocated_(0) {} 49 | 50 | void* Allocate(size_t length) override { 51 | void* data = AllocateUninitialized(length); 52 | return data == nullptr ? data : memset(data, 0, length); 53 | } 54 | 55 | void* AllocateUninitialized(size_t length) override { 56 | lock_guard mtx_locker(mtx_); 57 | if (length + currently_allocated_ > kAllocationLimit) { 58 | return nullptr; 59 | } 60 | currently_allocated_ += length; 61 | return malloc(length); 62 | } 63 | 64 | void Free(void* ptr, size_t length) override { 65 | lock_guard mtx_locker(mtx_); 66 | currently_allocated_ -= length; 67 | // We need to free before we unlock, otherwise currently_allocated_ will 68 | // be innacurate. 69 | free(ptr); 70 | } 71 | }; 72 | 73 | void terminate_execution(v8::Isolate* isolate, 74 | mutex& mtx, 75 | bool& is_running, 76 | time_point& start_time) { 77 | while (true) { 78 | std::this_thread::sleep_for(kSleepSeconds); 79 | lock_guard mtx_locker(mtx); 80 | if (is_running) { 81 | if (duration_cast(steady_clock::now() - start_time) > 82 | kMaxExecutionSeconds) { 83 | isolate->TerminateExecution(); 84 | is_running = false; 85 | std::cout << "Terminated" << std::endl; 86 | fflush(0); 87 | } 88 | } 89 | } 90 | } 91 | 92 | struct Environment { 93 | Environment() { 94 | platform_ = v8::platform::NewDefaultPlatform( 95 | 0, v8::platform::IdleTaskSupport::kDisabled, 96 | v8::platform::InProcessStackDumping::kDisabled, nullptr); 97 | 98 | v8::V8::InitializePlatform(platform_.get()); 99 | v8::V8::Initialize(); 100 | v8::Isolate::CreateParams create_params; 101 | 102 | create_params.array_buffer_allocator = &mock_arraybuffer_allocator; 103 | isolate = v8::Isolate::New(create_params); 104 | terminator_thread = std::thread(terminate_execution, isolate, ref(mtx), 105 | ref(is_running), ref(start_time)); 106 | } 107 | MockArrayBufferAllocator mock_arraybuffer_allocator; 108 | mutex mtx; 109 | std::thread terminator_thread; 110 | v8::Isolate* isolate; 111 | std::unique_ptr platform_; 112 | time_point start_time; 113 | bool is_running = true; 114 | }; 115 | 116 | // Explicitly specify some attributes to avoid issues with the linker dead- 117 | // stripping the following function on macOS, as it is not called directly 118 | // by fuzz target. LibFuzzer runtime uses dlsym() to resolve that function. 119 | extern "C" __attribute__((used)) __attribute__((visibility("default"))) int 120 | LLVMFuzzerInitialize(int* argc, char*** argv) { 121 | v8::V8::InitializeICUDefaultLocation((*argv)[0]); 122 | v8::V8::InitializeExternalStartupData((*argv)[0]); 123 | v8::V8::SetFlagsFromCommandLine(argc, *argv, true); 124 | return 0; 125 | } 126 | 127 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 128 | static Environment* env = new Environment(); 129 | 130 | if (size < 1) 131 | return 0; 132 | 133 | v8::Isolate::Scope isolate_scope(env->isolate); 134 | v8::HandleScope handle_scope(env->isolate); 135 | v8::Local context = v8::Context::New(env->isolate); 136 | v8::Context::Scope context_scope(context); 137 | 138 | std::string source_string = 139 | std::string(reinterpret_cast(data), size); 140 | 141 | MaybeLocal source_v8_string = v8::String::NewFromUtf8( 142 | env->isolate, source_string.c_str(), v8::NewStringType::kNormal); 143 | 144 | if (source_v8_string.IsEmpty()) 145 | return 0; 146 | 147 | v8::TryCatch try_catch(env->isolate); 148 | MaybeLocal script = 149 | v8::Script::Compile(context, source_v8_string.ToLocalChecked()); 150 | 151 | if (script.IsEmpty()) 152 | return 0; 153 | 154 | auto local_script = script.ToLocalChecked(); 155 | env->mtx.lock(); 156 | env->start_time = steady_clock::now(); 157 | env->mtx.unlock(); 158 | 159 | ALLOW_UNUSED_LOCAL(local_script->Run(context)); 160 | 161 | lock_guard mtx_locker(env->mtx); 162 | env->is_running = false; 163 | return 0; 164 | } 165 | --------------------------------------------------------------------------------