Add comprehensive OSS-Fuzz integration

test/fuzz/ccitt_stream.fuzz.js

@@ -0,0 +1,83 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Fuzzer for CCITT fax stream decoding (Group 3 and Group 4).
+ * Used for fax-encoded images in PDFs.
+ */
+
+const MAX_INPUT_SIZE = 128 * 1024; // 128KB limit
+
+let CCITTFaxDecoder = null;
+
+async function init() {
+  if (CCITTFaxDecoder) return;
+  const ccittModule = await import("../../build/lib-legacy/core/ccitt.js");
+  CCITTFaxDecoder = ccittModule.CCITTFaxDecoder;
+}
+
+/**
+ * @param { Buffer } data
+ */
+module.exports.fuzz = async function (data) {
+  await init();
+
+  if (data.length < 4 || data.length > MAX_INPUT_SIZE) {
+    return;
+  }
+
+  // Use first 4 bytes to derive decoder parameters
+  const params = {
+    K: (data[0] % 3) - 1, // -1, 0, or 1
+    EndOfLine: !!(data[1] & 0x01),
+    EncodedByteAlign: !!(data[1] & 0x02),
+    Columns: ((data[2] << 8) | data[3]) % 4096 + 1,
+    Rows: 0,
+    EndOfBlock: !!(data[1] & 0x04),
+    BlackIs1: !!(data[1] & 0x08),
+  };
+
+  try {
+    const source = {
+      next: (function() {
+        let pos = 4;
+        return function() {
+          if (pos >= data.length) {
+            return -1;
+          }
+          return data[pos++];
+        };
+      })()
+    };
+
+    const decoder = new CCITTFaxDecoder(source, params);
+
+    // Try to decode some data
+    let bytesRead = 0;
+    const maxBytes = 1024 * 1024; // 1MB output limit
+    let byte;
+    while ((byte = decoder.readNextChar()) !== -1 && bytesRead < maxBytes) {
+      bytesRead++;
+    }
+  } catch (e) {
+    // Expected exceptions for malformed CCITT data
+    if (e.message && (
+      e.message.includes("out of memory") ||
+      e.message.includes("Maximum call stack") ||
+      e.message.includes("allocation failed")
+    )) {
+      throw e;
+    }
+  }
+};

test/fuzz/cff_parser.fuzz.js

@@ -0,0 +1,78 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Fuzzer for CFF (Compact Font Format) parsing.
+ * CFF fonts are complex with charstring bytecode interpretation.
+ */
+
+const MAX_INPUT_SIZE = 256 * 1024; // 256KB limit
+
+let CFFParser = null;
+
+async function init() {
+  if (CFFParser) return;
+  const cffModule = await import("../../build/lib-legacy/core/cff_parser.js");
+  CFFParser = cffModule.CFFParser;
+}
+
+/**
+ * @param { Buffer } data
+ */
+module.exports.fuzz = async function (data) {
+  await init();
+
+  if (data.length < 4 || data.length > MAX_INPUT_SIZE) {
+    return;
+  }
+
+  try {
+    const bytes = new Uint8Array(data);
+    const parser = new CFFParser(
+      {
+        getBytes: () => bytes,
+        pos: 0,
+        length: bytes.length,
+      },
+      {}, // properties
+      true // isCIDFont - try both modes
+    );
+
+    const cff = parser.parse();
+
+    // Try to access font data
+    if (cff) {
+      // Access charstrings if available
+      if (cff.charStrings) {
+        const count = Math.min(cff.charStrings.count || 0, 10);
+        for (let i = 0; i < count; i++) {
+          try {
+            cff.charStrings.get(i);
+          } catch (e) {
+            // Individual charstring errors expected
+          }
+        }
+      }
+    }
+  } catch (e) {
+    // Expected exceptions for malformed CFF data
+    if (e.message && (
+      e.message.includes("out of memory") ||
+      e.message.includes("Maximum call stack") ||
+      e.message.includes("allocation failed")
+    )) {
+      throw e;
+    }
+  }
+};

test/fuzz/cmap_parser.fuzz.js

@@ -0,0 +1,68 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Fuzzer for CMap (Character Map) parsing.
+ * CMaps define character code to glyph mappings.
+ */
+
+const MAX_INPUT_SIZE = 128 * 1024; // 128KB limit
+
+let CMapFactory = null;
+
+async function init() {
+  if (CMapFactory) return;
+  const cmapModule = await import("../../build/lib-legacy/core/cmap.js");
+  CMapFactory = cmapModule.CMapFactory;
+}
+
+/**
+ * @param { Buffer } data
+ */
+module.exports.fuzz = async function (data) {
+  await init();
+
+  if (data.length === 0 || data.length > MAX_INPUT_SIZE) {
+    return;
+  }
+
+  try {
+    // Create a minimal fetch function that returns our data
+    const fetchBuiltInCMap = async () => ({
+      cMapData: new Uint8Array(data),
+      compressionType: 0,
+    });
+
+    const cmap = await CMapFactory.create({
+      encoding: { name: "Identity-H" },
+      fetchBuiltInCMap,
+      useCMap: null,
+    });
+
+    // Try to use the cmap
+    if (cmap) {
+      cmap.lookup(0x0041);
+      cmap.lookup(0x3000);
+    }
+  } catch (e) {
+    // Expected exceptions for malformed CMap data
+    if (e.message && (
+      e.message.includes("out of memory") ||
+      e.message.includes("Maximum call stack") ||
+      e.message.includes("allocation failed")
+    )) {
+      throw e;
+    }
+  }
+};

test/fuzz/colorspace.fuzz.js

@@ -0,0 +1,80 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Fuzzer for Colorspace parsing including ICC profiles.
+ */
+
+const MAX_INPUT_SIZE = 128 * 1024; // 128KB limit
+
+let ColorSpace = null;
+let Name = null;
+let Dict = null;
+
+async function init() {
+  if (ColorSpace) return;
+  const colorspaceModule = await import("../../build/lib-legacy/core/colorspace.js");
+  const primitivesModule = await import("../../build/lib-legacy/core/primitives.js");
+  ColorSpace = colorspaceModule.ColorSpace;
+  Name = primitivesModule.Name;
+  Dict = primitivesModule.Dict;
+}
+
+/**
+ * @param { Buffer } data
+ */
+module.exports.fuzz = async function (data) {
+  await init();
+
+  if (data.length < 4 || data.length > MAX_INPUT_SIZE) {
+    return;
+  }
+
+  try {
+    // Create a mock XRef and resources
+    const xref = {
+      fetch: () => null,
+      fetchIfRef: (obj) => obj,
+    };
+    const resources = new Dict(xref);
+
+    // Construct colorspace name from first byte
+    const csTypes = [
+      "DeviceGray", "DeviceRGB", "DeviceCMYK",
+      "CalGray", "CalRGB", "Lab",
+      "ICCBased", "Indexed", "Pattern", "Separation"
+    ];
+    const csType = csTypes[data[0] % csTypes.length];
+    const csName = Name.get(csType);
+
+    ColorSpace.parse({
+      cs: csName,
+      xref,
+      resources,
+      pdfFunctionFactory: {
+        create: () => ({ parse: () => null }),
+      },
+      localColorSpaceCache: new Map(),
+    });
+  } catch (e) {
+    // Expected exceptions for malformed colorspace data
+    if (e.message && (
+      e.message.includes("out of memory") ||
+      e.message.includes("Maximum call stack") ||
+      e.message.includes("allocation failed")
+    )) {
+      throw e;
+    }
+  }
+};

test/fuzz/corpus/cmap_parser/identity.cmap

@@ -0,0 +1,14 @@
+/CIDInit /ProcSet findresource begin
+12 dict begin
+begincmap
+/CIDSystemInfo
+<< /Registry (Adobe) /Ordering (Identity) /Supplement 0 >> def
+/CMapName /Identity-H def
+/CMapType 1 def
+1 begincodespacerange
+<0000> <FFFF>
+endcodespacerange
+endcmap
+CMapName currentdict /CMap defineresource pop
+end
+end

test/fuzz/corpus/formcalc_parser/complex.fc

@@ -0,0 +1,29 @@
+// Complex FormCalc script
+var total = 0
+var count = 0
+var avg = 0
+
+func Calculate(a, b, c)
+  var sum = a + b + c
+  return sum / 3
+endfunc
+
+for i = 1 upto 10 step 1 do
+  total = total + i
+  count = count + 1
+endfor
+
+if (count > 0) then
+  avg = total / count
+  if (avg > 5) then
+    avg = Round(avg, 2)
+  endif
+endif
+
+foreach item in (1, 2, 3, 4, 5) do
+  total = total + item
+endfor
+
+while (count < 20) do
+  count = count + 1
+endwhile

test/fuzz/corpus/formcalc_parser/functions.fc

@@ -0,0 +1,7 @@
+func Add(a, b)
+  return a + b
+endfunc
+
+var result = Add(10, 20)
+var text = Concat("Hello ", "World")
+var len = Len(text)

test/fuzz/corpus/formcalc_parser/simple.fc

@@ -0,0 +1,5 @@
+var x = 1 + 2
+var y = x * 3
+if (y > 5) then
+  y = y - 1
+endif

test/fuzz/corpus/jbig2_image/minimal.jbig2

@@ -0,0 +1,2 @@
+�JB2
+

test/fuzz/corpus/type1_parser/minimal.pfa

@@ -0,0 +1,11 @@
+%!PS-AdobeFont-1.0: TestFont 001.000
+%%CreationDate: 1/1/2024
+11 dict begin
+/FontType 1 def
+/FontName /TestFont def
+/FontMatrix [0.001 0 0 0.001 0 0] def
+/FontBBox {0 0 1000 1000} def
+/Encoding StandardEncoding def
+/UniqueID 1000000 def
+/PaintType 0 def
+currentdict end