harness-suite: add zune-image and patch goblin, bzip2, naga issues

CISPA-SysSec · Feb 24, 2025 · b1d9a7f · b1d9a7f
1 parent 690c729
commit b1d9a7f
Show file tree

Hide file tree

Showing 29 changed files with 435 additions and 45 deletions.
diff --git a/harness-suite/crashes/goblin-parse.bin b/harness-suite/crashes/goblin-parse.bin
diff --git a/harness-suite/crashes/libbzip2-rs-compress.bin b/harness-suite/crashes/libbzip2-rs-compress.bin
diff --git a/harness-suite/crashes/libbzip2-rs-decompress.bin b/harness-suite/crashes/libbzip2-rs-decompress.bin
diff --git a/harness-suite/crashes/naga-ir.bin b/harness-suite/crashes/naga-ir.bin
diff --git a/harness-suite/crashes/naga-wgsl_parser.bin b/harness-suite/crashes/naga-wgsl_parser.bin
diff --git a/...ss-suite/crashes/rust-analyzer-parser.bin → ...e/crashes/rust-analyzer-syntax-parser.bin b/...ss-suite/crashes/rust-analyzer-parser.bin → ...e/crashes/rust-analyzer-syntax-parser.bin
diff --git a/...s-suite/crashes/rust-analyzer-reparse.bin → .../crashes/rust-analyzer-syntax-reparse.bin b/...s-suite/crashes/rust-analyzer-reparse.bin → .../crashes/rust-analyzer-syntax-reparse.bin
diff --git a/harness-suite/crashes/naga-glsl_parser.bin → harness-suite/crashes/wgpu-glsl_parser.bin b/harness-suite/crashes/naga-glsl_parser.bin → harness-suite/crashes/wgpu-glsl_parser.bin
diff --git a/harness-suite/crashes/wgpu-ir.bin b/harness-suite/crashes/wgpu-ir.bin
@@ -0,0 +1 @@
+("((((("((�穥�����((
diff --git a/harness-suite/crashes/naga-spv_parser.bin → harness-suite/crashes/wgpu-spv_parser.bin b/harness-suite/crashes/naga-spv_parser.bin → harness-suite/crashes/wgpu-spv_parser.bin
diff --git a/harness-suite/crashes/zune-image-zune-bmp-decode_buffer.bin b/harness-suite/crashes/zune-image-zune-bmp-decode_buffer.bin
diff --git a/harness-suite/crashes/zune-image-zune-png-decode_buffer.bin b/harness-suite/crashes/zune-image-zune-png-decode_buffer.bin
diff --git a/harness-suite/crashes/zune-image-zune-png-roundtrip.bin b/harness-suite/crashes/zune-image-zune-png-roundtrip.bin
diff --git a/harness-suite/crashes/zune-image-zune-ppm-decode_buffer.bin b/harness-suite/crashes/zune-image-zune-ppm-decode_buffer.bin
@@ -0,0 +1,17 @@
+PF
+
+
+
+
+
+
+
+
+
+
+
+
+
+9998
+8958.9994529999
+8OOOOOOOOOOOO899989�
diff --git a/harness-suite/crashes/zune-image-zune-psd-decode_buffer.bin b/harness-suite/crashes/zune-image-zune-psd-decode_buffer.bin
diff --git a/harness-suite/crashes/zune-image-zune-qoi-decode_buffer.bin b/harness-suite/crashes/zune-image-zune-qoi-decode_buffer.bin
diff --git a/harness-suite/projects-rust/goblin/fix-32-bit-overflows.patch b/harness-suite/projects-rust/goblin/fix-32-bit-overflows.patch
@@ -0,0 +1,78 @@
+diff --git a/src/elf/mod.rs b/src/elf/mod.rs
+index 70c4914..a30ebb5 100644
+--- a/src/elf/mod.rs
++++ b/src/elf/mod.rs
+@@ -363,7 +363,7 @@ if_sylvan! {
+                     .chain(pltrelocs.iter())
+                     .fold(0, |num, reloc| cmp::max(num, reloc.r_sym));
+                 if max_reloc_sym != 0 {
+-                    num_syms = cmp::max(num_syms, max_reloc_sym + 1);
++                    num_syms = cmp::max(num_syms, max_reloc_sym.saturating_add(1));
+                 }
+                 dynsyms = Symtab::parse(bytes, dyn_info.symtab, num_syms, ctx)?;
+             }
+@@ -433,10 +433,10 @@ if_sylvan! {
+                                                        buckets_num, min_chain, bloom_size)));
+         }
+         // Find the last bucket.
+-        let buckets_offset = offset + 16 + bloom_size * if ctx.container.is_big() { 8 } else { 4 };
++        let buckets_offset = (offset + 16).saturating_add(bloom_size.saturating_mul(if ctx.container.is_big() { 8 } else { 4 }));
+         let mut max_chain = 0;
+         for bucket in 0..buckets_num {
+-            let chain = bytes.pread_with::<u32>(buckets_offset + bucket * 4, ctx.le)? as usize;
++            let chain = bytes.pread_with::<u32>(buckets_offset.saturating_add(bucket * 4), ctx.le)? as usize;
+             if max_chain < chain {
+                 max_chain = chain;
+             }
+@@ -445,7 +445,7 @@ if_sylvan! {
+             return Ok(0);
+         }
+         // Find the last chain within the bucket.
+-        let mut chain_offset = buckets_offset + buckets_num * 4 + (max_chain - min_chain) * 4;
++        let mut chain_offset = (buckets_offset + buckets_num * 4).saturating_add((max_chain.saturating_sub(min_chain)).saturating_mul(4));
+         loop {
+             let hash = bytes.pread_with::<u32>(chain_offset, ctx.le)?;
+             max_chain += 1;
+diff --git a/src/pe/debug.rs b/src/pe/debug.rs
+index 948840f..518df53 100644
+--- a/src/pe/debug.rs
++++ b/src/pe/debug.rs
+@@ -184,7 +184,7 @@ impl<'a> DebugData<'a> {
+                 })?;
+
+         // Ensure that the offset and size do not exceed the length of the bytes slice
+-        if offset + dd.size as usize > bytes.len() {
++        if offset.saturating_add(dd.size as usize) > bytes.len() {
+             return Err(error::Error::Malformed(format!(
+                 "ImageDebugDirectory offset {:#x} and size {:#x} exceeds the bounds of the bytes size {:#x}",
+                 offset, dd.size, bytes.len()
+@@ -729,13 +729,14 @@ impl<'a> POGOInfo<'a> {
+             return Ok(None);
+         }
+
+-        if offset + idd.size_of_data as usize - POGO_SIGNATURE_SIZE > bytes.len() {
++        let size_of_data = (idd.size_of_data as usize).saturating_sub(POGO_SIGNATURE_SIZE);
++        if offset.saturating_add(size_of_data) > bytes.len() {
+             return Err(error::Error::Malformed(format!(
+                     "ImageDebugDirectory offset {:#x} and size {:#x} exceeds the bounds of the bytes size {:#x}",
+                     offset, idd.size_of_data, bytes.len()
+                 )));
+         }
+-        let data = &bytes[offset..offset + idd.size_of_data as usize - POGO_SIGNATURE_SIZE];
++        let data = &bytes[offset..offset + size_of_data];
+         Ok(Some(POGOInfo { signature, data }))
+     }
+
+diff --git a/src/pe/tls.rs b/src/pe/tls.rs
+index 005b41a..512439e 100644
+--- a/src/pe/tls.rs
++++ b/src/pe/tls.rs
+@@ -227,7 +227,7 @@ impl<'a> TlsData<'a> {
+                         rva
+                     ))
+                 })?;
+-            if offset + size as usize > bytes.len() {
++            if offset.saturating_add(size as usize) > bytes.len() {
+                 return Err(error::Error::Malformed(format!(
+                     "tls raw data offset ({:#x}) and size ({:#x}) greater than byte slice len ({:#x})",
+                     offset, size, bytes.len()
diff --git a/harness-suite/projects-rust/goblin/prepare.sh b/harness-suite/projects-rust/goblin/prepare.sh
@@ -1,2 +1,3 @@
 set -e
 git clone-rev.sh https://github.com/m4b/goblin.git "$PROJECT/repo" ac1fabdd2100bae949607a320fe5d8087c1e784a
+git -C "$PROJECT/repo" apply "$PROJECT/fix-32-bit-overflows.patch"
diff --git a/harness-suite/projects-rust/libbzip2-rs/harnesses-handle-outbuff-full.patch b/harness-suite/projects-rust/libbzip2-rs/harnesses-handle-outbuff-full.patch
@@ -0,0 +1,151 @@
+diff --git a/fuzz/fuzz_targets/compress.rs b/fuzz/fuzz_targets/compress.rs
+index 1d7f548..ccb10db 100644
+--- a/fuzz/fuzz_targets/compress.rs
++++ b/fuzz/fuzz_targets/compress.rs
+@@ -1,8 +1,8 @@
+ #![no_main]
+-use libbz2_rs_sys::BZ_OK;
++use libbz2_rs_sys::{BZ_OK, BZ_OUTBUFF_FULL};
+ use libfuzzer_sys::fuzz_target;
+
+-fuzz_target!(|data: String| {
++fuzz_target!(|data: &[u8]| {
+     let length = 8 * 1024;
+     let mut deflated = vec![0; length as usize];
+     let mut length = length as _;
+@@ -16,11 +16,15 @@ fuzz_target!(|data: String| {
+         )
+     };
+
++    if error == BZ_OUTBUFF_FULL {
++        return;
++    }
++
+     assert_eq!(error, BZ_OK);
+
+     deflated.truncate(length as usize);
+
+-    let mut output = [0u8; 1 << 10];
++    let mut output = vec![0u8; data.len()];
+     let mut output_len = output.len() as _;
+     let error = unsafe {
+         test_libbz2_rs_sys::decompress_rs(
+@@ -31,13 +35,12 @@ fuzz_target!(|data: String| {
+         )
+     };
+     assert_eq!(error, BZ_OK);
+-    let output = &output[..output_len as usize];
+
+-    if output != data.as_bytes() {
++    if output != data {
+         let path = std::env::temp_dir().join("compressed.txt");
+         std::fs::write(&path, &data).unwrap();
+         eprintln!("saved input file to {path:?}");
+     }
+
+-    assert_eq!(output, data.as_bytes());
++    assert_eq!(output, data);
+ });
+diff --git a/fuzz/fuzz_targets/decompress.rs b/fuzz/fuzz_targets/decompress.rs
+index 10bd30d..797740f 100644
+--- a/fuzz/fuzz_targets/decompress.rs
++++ b/fuzz/fuzz_targets/decompress.rs
+@@ -1,5 +1,5 @@
+ #![no_main]
+-use libbz2_rs_sys::BZ_OK;
++use libbz2_rs_sys::{BZ_OK, BZ_OUTBUFF_FULL};
+ use libfuzzer_sys::fuzz_target;
+
+ fn decompress_help(input: &[u8]) -> Vec<u8> {
+@@ -22,7 +22,7 @@ fn decompress_help(input: &[u8]) -> Vec<u8> {
+     dest_vec
+ }
+
+-fuzz_target!(|data: String| {
++fuzz_target!(|data: &[u8]| {
+     let mut length = 8 * 1024;
+     let mut deflated = vec![0; length as usize];
+
+@@ -36,17 +36,21 @@ fuzz_target!(|data: String| {
+         )
+     };
+
++    if error == BZ_OUTBUFF_FULL {
++        return;
++    }
++
+     assert_eq!(error, BZ_OK);
+
+     deflated.truncate(length as _);
+
+     let output = decompress_help(&deflated);
+
+-    if output != data.as_bytes() {
++    if output != data {
+         let path = std::env::temp_dir().join("deflate.txt");
+         std::fs::write(&path, &data).unwrap();
+         eprintln!("saved input file to {path:?}");
+     }
+
+-    assert_eq!(output, data.as_bytes());
++    assert_eq!(output, data);
+ });
+diff --git a/fuzz/fuzz_targets/decompress_chunked.rs b/fuzz/fuzz_targets/decompress_chunked.rs
+index 40c0d4e..44d6a05 100644
+--- a/fuzz/fuzz_targets/decompress_chunked.rs
++++ b/fuzz/fuzz_targets/decompress_chunked.rs
+@@ -1,5 +1,5 @@
+ #![no_main]
+-use libbz2_rs_sys::{BZ_FINISH, BZ_OK, BZ_STREAM_END};
++use libbz2_rs_sys::{BZ_FINISH, BZ_OK, BZ_OUTBUFF_FULL, BZ_STREAM_END};
+ use libfuzzer_sys::fuzz_target;
+
+ fn compress_c(data: &[u8]) -> Vec<u8> {
+@@ -45,14 +45,14 @@ fn compress_c(data: &[u8]) -> Vec<u8> {
+     deflated
+ }
+
+-fuzz_target!(|input: (String, usize)| {
++fuzz_target!(|input: (&[u8], usize)| {
+     let (data, chunk_size) = input;
+
+     if chunk_size == 0 {
+         return;
+     }
+
+-    let deflated = compress_c(data.as_bytes());
++    let deflated = compress_c(data);
+
+     let mut stream = libbz2_rs_sys::bz_stream::zeroed();
+
+@@ -73,6 +73,9 @@ fuzz_target!(|input: (String, usize)| {
+         match err {
+             BZ_OK => continue,
+             BZ_STREAM_END => continue,
++            BZ_OUTBUFF_FULL => {
++                panic!("output buffer is full");
++            }
+             _ => {
+                 panic!("{err}");
+             }
+@@ -84,7 +87,6 @@ fuzz_target!(|input: (String, usize)| {
+             .try_into()
+             .unwrap(),
+     );
+-    let output = String::from_utf8(output).unwrap();
+
+     unsafe {
+         let err = libbz2_rs_sys::BZ2_bzDecompressEnd(&mut stream);
+diff --git a/fuzz/fuzz_targets/decompress_random_input.rs b/fuzz/fuzz_targets/decompress_random_input.rs
+index e896496..987a7a2 100644
+--- a/fuzz/fuzz_targets/decompress_random_input.rs
++++ b/fuzz/fuzz_targets/decompress_random_input.rs
+@@ -2,7 +2,7 @@
+ use libbz2_rs_sys::BZ_OK;
+ use libfuzzer_sys::fuzz_target;
+
+-fuzz_target!(|source: Vec<u8>| {
++fuzz_target!(|source: &[u8]| {
+     let mut dest_c = vec![0u8; 1 << 16];
+     let mut dest_rs = vec![0u8; 1 << 16];
+
diff --git a/harness-suite/projects-rust/libbzip2-rs/prepare.sh b/harness-suite/projects-rust/libbzip2-rs/prepare.sh
@@ -1,2 +1,3 @@
 set -e
 git clone-rev.sh https://github.com/trifectatechfoundation/libbzip2-rs "$PROJECT/repo" 2f68c2eb48ad1a60d4906d2cec98e0a5309ff14a
+git -C "$PROJECT/repo" apply "$PROJECT/harnesses-handle-outbuff-full.patch"
diff --git a/harness-suite/projects-rust/naga/prepare.sh b/harness-suite/projects-rust/naga/prepare.sh
diff --git a/harness-suite/projects-rust/naga/build.sh → harness-suite/projects-rust/wgpu/build.sh b/harness-suite/projects-rust/naga/build.sh → harness-suite/projects-rust/wgpu/build.sh
diff --git a/harness-suite/projects-rust/wgpu/huh.patch b/harness-suite/projects-rust/wgpu/huh.patch
@@ -0,0 +1,88 @@
+diff --git a/Cargo.toml b/Cargo.toml
+index 32461ed..677d560 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -11,7 +11,6 @@ members = [
+     "lock-analyzer",
+     "naga-cli",
+     "naga",
+-    "naga/fuzz",
+     "naga/hlsl-snapshots",
+     "player",
+     "tests",
+@@ -22,7 +21,7 @@ members = [
+     "wgpu-types",
+     "wgpu",
+ ]
+-exclude = []
++exclude = ["naga/fuzz"]
+ default-members = [
+     "benches",
+     "examples/features",
+@@ -30,7 +29,6 @@ default-members = [
+     "lock-analyzer",
+     "naga-cli",
+     "naga",
+-    "naga/fuzz",
+     "naga/hlsl-snapshots",
+     "player",
+     "tests",
+diff --git a/naga/Cargo.toml b/naga/Cargo.toml
+index 4458405..0a28e01 100644
+--- a/naga/Cargo.toml
++++ b/naga/Cargo.toml
+@@ -74,7 +74,7 @@ hlsl-out-if-target-windows = []
+ compact = []
+
+ [dependencies]
+-arbitrary = { version = "1.4", features = ["derive"], optional = true }
++arbitrary = { git = "https://github.com/rust-fuzz/arbitrary.git", rev = "ef80790c5bbcd24f342967e2388aa14f2c0d4a6b", features = ["derive"], optional = true }
+ arrayvec.workspace = true
+ bitflags.workspace = true
+ bit-set.workspace = true
+diff --git a/naga/fuzz/Cargo.toml b/naga/fuzz/Cargo.toml
+index 5d8647f..e44f3e4 100644
+--- a/naga/fuzz/Cargo.toml
++++ b/naga/fuzz/Cargo.toml
+@@ -10,18 +10,18 @@ build = "build.rs"
+ [package.metadata]
+ cargo-fuzz = true
+
+-[target.'cfg(not(any(target_arch = "wasm32", target_os = "ios")))'.dependencies]
++[dependencies]
+ arbitrary = { version = "1.4.1", features = ["derive"] }
+ # See https://github.com/rust-fuzz/libfuzzer/issues/126
+ libfuzzer-sys = ">0.4.0,<=0.4.7"
+
+-[target.'cfg(not(any(target_arch = "wasm32", target_os = "ios", target_os = "visionos")))'.dependencies.naga]
++[dependencies.naga]
+ path = ".."
+ version = "24.0.0"
+ features = ["arbitrary", "spv-in", "wgsl-in", "glsl-in"]
+
+ [build-dependencies]
+-cfg_aliases.workspace = true
++cfg_aliases = "*"
+
+ [[bin]]
+ name = "spv_parser"
+@@ -53,3 +53,7 @@ doc = false
+
+ [lints.clippy]
+ disallowed_types = "allow"
++
++# Prevent this from interfering with workspaces
++[workspace]
++members = ["."]
+diff --git a/naga/fuzz/build.rs b/naga/fuzz/build.rs
+index 9ad00f5..b7a9ae4 100644
+--- a/naga/fuzz/build.rs
++++ b/naga/fuzz/build.rs
+@@ -1,6 +1,6 @@
+ fn main() {
+     cfg_aliases::cfg_aliases! {
+-        fuzzable_platform: { not(any(target_arch = "wasm32", target_os = "ios", all(windows, target_arch = "aarch64"))) },
++        fuzzable_platform: { not(false) },
+     }
+     // This cfg provided by cargo-fuzz
+     println!("cargo::rustc-check-cfg=cfg(fuzzing)");
diff --git a/harness-suite/projects-rust/wgpu/prepare.sh b/harness-suite/projects-rust/wgpu/prepare.sh
@@ -0,0 +1,3 @@
+set -e
+git clone-rev.sh https://github.com/gfx-rs/wgpu.git "$PROJECT/repo" d8833d079833c62b4fd00325d0ba08ec0c8bc309
+git -C "$PROJECT/repo" apply "$PROJECT/huh.patch"
diff --git a/harness-suite/projects-rust/zune-image/build.sh b/harness-suite/projects-rust/zune-image/build.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e +x
+source set-buildflags.sh
+build-rust-harness.py
diff --git a/harness-suite/projects-rust/zune-image/prepare.sh b/harness-suite/projects-rust/zune-image/prepare.sh
@@ -0,0 +1,4 @@
+set -e
+git clone-rev.sh https://github.com/etemesi254/zune-image "$PROJECT/repo" c9f333dd3f725e5fd044e0e6af37f2807485d35e
+git -C "$PROJECT/repo" apply "$PROJECT/wasm.patch"
+