fuzz: initial integration

- Adds initial fuzz_target for image decoders. - Adds jazzer.js as dev-dependency. - Adds a .eslintrc rule to ignore import/no-unresolved error.
2025-04-20 15:18:08 +02:00 · 2023-11-26 04:54:21 +05:30 · 2023-11-26 04:54:21 +05:30 · 8bb8070116
commit 8bb8070116
parent 6b3ae4492e
7 changed files with 1036 additions and 10 deletions
--- a/test/fuzz/.eslintrc
+++ b/test/fuzz/.eslintrc
@ -0,0 +1,9 @@
+{
+  "extends": [
+    "../.eslintrc"
+  ],
+
+  "rules": {
+    "import/no-unresolved": ["error", { "ignore": [".*/build/image_decoders/.*"] }],
+  },
+}
--- a/test/fuzz/README.md
+++ b/test/fuzz/README.md
@ -0,0 +1,42 @@
+# Fuzz Testing
+
+Fuzz testing is:
+
+> An automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a program.
+
+We use coverage guided fuzz testing to automatically discover bugs in PDF.js.
+
+This `fuzz/` directory contains the configuration and the fuzz tests for PDF.js.
+To generate and run fuzz tests, we use the [Jazzer.js](https://github.com/CodeIntelligenceTesting/jazzer.js/) library.
+
+## Running a fuzzer
+
+This directory contains fuzzers like for example `jpeg_image.fuzz`. You can run it with:
+
+Generate image decoders:
+```sh
+$ gulp image_decoders
+```
+
+Run fuzz target:
+```sh
+$ npx jazzer fuzz/jpeg_image.fuzz --sync
+```
+
+You should see output that looks something like this:
+
+```
+#2      INITED exec/s: 0 rss: 128Mb
+#65536  pulse  corp: 1/1b lim: 652 exec/s: 32768 rss: 140Mb
+#131072 pulse  corp: 1/1b lim: 1300 exec/s: 32768 rss: 140Mb
+#262144 pulse  corp: 1/1b lim: 2611 exec/s: 32768 rss: 140Mb
+#524288 pulse  corp: 1/1b lim: 4096 exec/s: 30840 rss: 140Mb
+#1048576        pulse  corp: 1/1b lim: 4096 exec/s: 29959 rss: 140Mb
+#2097152        pulse  corp: 1/1b lim: 4096 exec/s: 29537 rss: 140Mb
+```
+
+It will continue to generate random inputs forever, until it finds a
+bug or is terminated. The testcases for bugs it finds can be seen in
+the form of `crash-*` or `timeout-*` at the place from where command is run.
+You can rerun the fuzzer on a single input by passing it on the
+command line `npx jazzer fuzz/jpeg_image.fuzz /path/to/testcase`.
--- a/test/fuzz/jbig2_image.fuzz.js
+++ b/test/fuzz/jbig2_image.fuzz.js
@ -0,0 +1,22 @@
+import { Jbig2Image } from "../../build/image_decoders/pdf.image_decoders.mjs";
+
+const ignored = ["Cannot read properties", "JBIG2 error"];
+
+function ignoredError(error) {
+  return ignored.some(message => error.message.includes(message));
+}
+
+/**
+ * @param {Buffer} data
+ */
+function fuzz(data) {
+  try {
+    new Jbig2Image().parse(new Uint8Array(data));
+  } catch (error) {
+    if (error.message && !ignoredError(error)) {
+      throw error;
+    }
+  }
+}
+
+export { fuzz };
--- a/test/fuzz/jpeg_image.fuzz.js
+++ b/test/fuzz/jpeg_image.fuzz.js
@ -0,0 +1,22 @@
+import { JpegImage } from "../../build/image_decoders/pdf.image_decoders.mjs";
+
+const ignored = ["Cannot read properties", "JPEG error"];
+
+function ignoredError(error) {
+  return ignored.some(message => error.message.includes(message));
+}
+
+/**
+ * @param {Buffer} data
+ */
+function fuzz(data) {
+  try {
+    new JpegImage().parse(new Uint8Array(data));
+  } catch (error) {
+    if (error.message && !ignoredError(error)) {
+      throw error;
+    }
+  }
+}
+
+export { fuzz };
--- a/test/fuzz/jpx_image.fuzz.js
+++ b/test/fuzz/jpx_image.fuzz.js
@ -0,0 +1,22 @@
+import { JpxImage } from "../../build/image_decoders/pdf.image_decoders.mjs";
+
+const ignored = ["Cannot read properties", "JPX error"];
+
+function ignoredError(error) {
+  return ignored.some(message => error.message.includes(message));
+}
+
+/**
+ * @param {Buffer} data
+ */
+function fuzz(data) {
+  try {
+    new JpxImage().parse(new Uint8Array(data));
+  } catch (error) {
+    if (error.message && !ignoredError(error)) {
+      throw error;
+    }
+  }
+}
+
+export { fuzz };