Add buffer with args fuzzer

[dloebl]

For reference: #4095
Allows the fuzzer to vary option_string and suffix.
option_string and suffix are appended at the beginning. For example:

[n=-1]
.jpg[Q=85]
<image-data>

I started to add new inputs to the seed corpus, but some loaders/savers are still missing

[kleisauke]

Great idea! I made an attempt to simplify this with commit kleisauke@0c80427.

[dloebl]

Thanks Kleis! I've added your commit to this PR

[dloebl]

The new fuzzer is still crashing within a couple of seconds when fuzzing locally (with ASAN):

$ python3 infra/helper.py run_fuzzer libvips generic_buffer_with_args
[..]
==14==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1296 byte(s) in 1 object(s) allocated from:
    #0 0x56296b629ad8 in calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
    #1 0x56296c1fa633 in WebPAnimEncoderNewInternal /src/libwebp/src/mux/anim_encode.c:250:27
    #2 0x56296b79958a in WebPAnimEncoderNew /work/include/webp/mux.h:481:10
    #3 0x56296b79958a in vips_foreign_save_webp_init_anim_enc /src/libvips/build/../libvips/foreign/webpsave.c:658:14
    #4 0x56296b798c63 in vips_foreign_save_webp_build /src/libvips/build/../libvips/foreign/webpsave.c:780:7
    #5 0x56296b79c5c1 in vips_foreign_save_webp_target_build /src/libvips/build/../libvips/foreign/webpsave.c:979:6

Looks like there is a leak in webpsave. I'll prepare a PR

[kleisauke]

FWIW, here are instructions for testing this locally using OSS-Fuzz's Docker images:

Details

Apply this patch:

--- a/projects/libvips/Dockerfile
+++ b/projects/libvips/Dockerfile
@@ -34,7 +34,7 @@ RUN mkdir afl-testcases
 RUN curl https://lcamtuf.coredump.cx/afl/demo/afl_testcases.tgz | tar xzC afl-testcases
 RUN mkdir pdfium-latest
 RUN curl -L https://github.com/bblanchon/pdfium-binaries/releases/latest/download/pdfium-linux-x64.tgz | tar xzC pdfium-latest
-RUN git clone --depth 1 https://github.com/libvips/libvips.git
+RUN git clone -b add-generic-args-fuzzer --depth 1 https://github.com/dloebl/libvips.git
 RUN git clone --depth 1 https://github.com/madler/zlib.git
 RUN git clone --depth 1 https://github.com/libexif/libexif.git
 RUN git clone --depth 1 https://github.com/mm2/Little-CMS.git lcms

Run the fuzzer for a maximum of 30 minutes:

$ python infra/helper.py build_fuzzers libvips > build_log.txt
$ mkdir -p tmp
$ python infra/helper.py run_fuzzer --corpus-dir=$PWD/tmp/ libvips generic_buffer_with_args_fuzzer -- -max_total_time=1800

[dloebl]

Ready for review as soon as #4105 and #4107 have been merged into master

[dloebl]

Oh.. another leak:

==13==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1552 byte(s) in 2 object(s) allocated from:
    #0 0x55d12b7bb8ee in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55d12c876154 in aom_memalign /src/aom/aom_mem/aom_mem.c:59:22
    #2 0x55d12c8743f9 in img_alloc_helper /src/aom/aom/src/aom_image.c:155:34
    #3 0x55d12c873b46 in aom_img_alloc /src/aom/aom/src/aom_image.c:198:10
    #4 0x55d12c7fe4f2 in aom_encode_image(void*, heif_image const*, heif_image_input_class) /src/libheif/libheif/plugins/encoder_aom.cc:802:8
    #5 0x55d12c7bf889 in ImageItem_AVIF::encode(std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class) /src/libheif/libheif/codecs/avif.cc:580:27
    #6 0x55d12c5cc9b3 in ImageItem::encode_to_bitstream_and_boxes(std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class) /src/libheif/libheif/codecs/image_item.cc:187:52
    #7 0x55d12c5d2bc8 in ImageItem::encode_to_item(HeifContext*, std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class) /src/libheif/libheif/codecs/image_item.cc:333:41
    #8 0x55d12c72ca38 in HeifContext::encode_image(std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class, std::__1::shared_ptr<ImageItem>&) /src/libheif/libheif/context.cc:1081:27
    #9 0x55d12c5a93d4 in heif_context_encode_image /src/libheif/libheif/api/libheif/heif.cc:3148:25
    #10 0x55d12b938464 in vips_foreign_save_heif_write_page /src/libvips/build/../libvips/foreign/heifsave.c:318:11
    #11 0x55d12b938464 in vips_foreign_save_heif_write_block /src/libvips/build/../libvips/foreign/heifsave.c:470:8
    #12 0x55d12b815999 in wbuffer_write /src/libvips/build/../libvips/iofuncs/sinkdisc.c:174:25
    #13 0x55d12b815999 in wbuffer_write_thread /src/libvips/build/../libvips/iofuncs/sinkdisc.c:199:3
    #14 0x55d12bbe56e3 in vips_threadset_work /src/libvips/build/../libvips/iofuncs/threadset.c:134:3
    #15 0x55d12b7fb1d0 in vips_thread_run /src/libvips/build/../libvips/iofuncs/thread.c:148:11
    #16 0x55d12bc136f0 in g_thread_proxy (/out/generic_buffer_with_args_fuzzer+0xbe26f0)

DEDUP_TOKEN: __interceptor_malloc--aom_memalign--img_alloc_helper
SUMMARY: AddressSanitizer: 1552 byte(s) leaked in 2 allocation(s).

INFO: a leak has been found in the initial corpus.

I'm not sure yet if it's in vips, libheif or aom. I'll create an issue

[dloebl]

The checks should pass again as soon as all the recent fixes have been merged back into master and I rebased this PR. I guess merging 8.15 into master is planned after the next release?

[kleisauke]

We regularly merge the 8.x branches back into the master branch whenever fixes are made in those branches, see e.g. commit cdea0dd.

FWIW, the issue mentioned in #4110 (comment) occurs also frequently on this fuzzer.

[kleisauke]

... I just ran this fuzzer locally with -max_total_time=28800 and PR #4119 cherry-picked. Let's see if it still finds anything interesting. :)

[dloebl]

Sounds good! I'm still amazed at how many bugs were found already - 6, if I haven't lost count. I'm curious to see what OSS-Fuzz will find once it has been running for a few days

[jcupitt]

Yes, let's brace ourselves for the oss-fuzz flood. Thank you for doing all this work @dloebl !