for (input_pixel, output_pixel) in input.pixels().zip(output.pixels_mut()) and then accessing the
input_pixel.0. I'm wondering if there's a better way?
hey sorry for basically abandoning the fuzz fixes pull request for... far too long
anyways, i implemented the IFD cycle checking
read_ifd has a new error state where if we ever see an IFD offset twice, we return it.
I've not set any form of limit on the size of the hashmap, so it can grow unbounded, but every entry we add must actually exist in the file (as in, a file can't add thousands of entries to the hashmap while only being hundreds of bytes long, unlike OOMs where we allocate a buffer of a specific size given by the file), so this might be fine?
one open question is if we should be using
for _ in 0..128 in the fuzzer
i think you said earlier to make it limited, but I'd argue that clients probably will be reading off images as an iterator without any form of limit, so if we constantly return valid images, they'll get stuck in loops
or in other words, an infinite loop of valid images is our bug
loop, and at least with the default settings of 4KB max input size, seems to not fail at all anymore
IMO the limit there that they have should only be for limiting the amount of real images they care about
we should have a finite number of images in a valid file, if there's an infinite amount the file is invalid (and we report an error in that case)
doesn't protect against internal infinite loops (and ultimately, an infinite loop and a panic are the same, just infinite loops take longer to trigger the timeout)
uhhh I don't think libfuzzer has a config file
I could make a shell script that calls
cargo +nightly fuzz decode_image -- -timeout=5 or whatever
--minimum-throughput=4kB/s to dynamically adjust the timeout based on its guess of maximum length.
also, i'm not entirely sure how useful the shell script that just sets the timeout is
since often when i'm running fuzzers i want to change the number of processes it runs / sanitisers
I could add a copy-pastable command line in the readme in the root (or a new README.md in the
fuzz/ directory), but I'm not entirely sure how useful the shell script would be directly