test/oss-fuzz: add openexr_exrgaps_fuzzer (#2401)

* test/oss-fuzz: add openexr_exrgaps_fuzzer

Adds a third oss-fuzz fuzzer that complements the existing two
(openexr_exrcheck_fuzzer and openexr_exrcorecheck_fuzzer) by
exercising API surfaces those two cannot reach:

- TiledInputPart::readTile with adversarial coordinate sequencing,
  stressing the tile cache and ripmap level resolution beyond what
  checkOpenEXRFile()'s lexicographic loop covers.
- TiledInputPart::readTiles with attacker-controlled (dx1,dx2,dy1,dy2)
  ranges rather than the natural full-image range.
- DeepTiledInputPart::readTile with attacker-controlled coordinates.
- MultiPartInputFile::header(p) iteration in reverse part order, with
  per-attribute name lookup, exercising the part-cache and the
  typed-attribute path.

The harness shares the same plain LLVMFuzzerTestOneInput pattern as
the existing fuzzers, the same BSD-3-Clause header, and links against
the same OpenEXR / OpenEXRUtil targets via the existing foreach loop
in CMakeLists.txt.

Signed-off-by: Anthony Hurtado <amhurtado@pm.me>

* test/oss-fuzz: address Copilot review on openexr_exrgaps_fuzzer

Six fixes from the Copilot review of #2401:

1. read_u32(): cast each byte to uint32_t before shifting/ORing.
   The previous form left-shifted promoted-to-int values, which is
   undefined behavior in C++ when the shifted value would set the sign
   bit.

2. write_temp(): handle short writes and EINTR. The single write()
   call could legally return early or be interrupted, causing valid
   inputs to be silently dropped. Loop until the full buffer is
   written, retrying on EINTR.

3. Add explicit #include <algorithm> for std::min, which was
   previously relying on transitive inclusion. Also add <cerrno>.

4. Mode 0 (test_tiled_random_coords): replace
   `if (hdr.find("type") != hdr.end()) continue;` with a check on
   the actual type value. MultiPartInputFile auto-synthesizes a
   "type" attribute when missing, so the previous check effectively
   skipped every part. Mirror the fix in test_deep_tiled to require
   hdr.type() == DEEPTILE explicitly. Use Imf::DEEPTILE constants
   from ImfPartType.h.

5. Mode 1 (test_tiled_range): clamp the (dx2-dx1+1)*(dy2-dy1+1)
   product so a single readTiles() call requests at most
   kMaxRangeSide^2 = 64 tiles, down from the prior 32x32 = 1024.
   Improves fuzz throughput on valid tiled inputs without losing
   coverage of small-range and boundary cases.

6. CMakeLists.txt: replace the duplicated fuzzer list in the
   oss_fuzz custom target's DEPENDS with ${OPENEXR_FUZZERS}, so the
   list is maintained in one place.

Signed-off-by: Anthony Hurtado <amhurtado@pm.me>

* test/oss-fuzz: refresh exrgaps fuzzer header comment

Drop the now-stale "companion to exrcheck/exrcorecheck" framing since
more fuzzers have landed since this was written, and reword the leading
sentence to refer to all checkOpenEXRFile-based fuzzers collectively.

Signed-off-by: Anthony Hurtado <amhurtado@pm.me>

---------

Signed-off-by: Anthony Hurtado <amhurtado@pm.me>

Author: jortles

src/test/oss-fuzz/CMakeLists.txt

@@ -24,9 +24,9 @@ message(status "CXX_FLAGS=$ENV{CXX_FLAGS}")
 message(status "CC=$ENV{CC}")
 message(status "CC_FLAGS=$ENV{CC_FLAGS}")
 
-set(OPENEXR_FUZZERS openexr_exrcheck_fuzzer openexr_exrcorecheck_fuzzer openexr_encoding_fuzzer openexr_attribute_fuzzer openexr_htj2k_fuzzer openexr_roundtrip_fuzzer)
+set(OPENEXR_FUZZERS openexr_exrcheck_fuzzer openexr_exrcorecheck_fuzzer openexr_encoding_fuzzer openexr_attribute_fuzzer openexr_htj2k_fuzzer openexr_roundtrip_fuzzer openexr_exrgaps_fuzzer)
 add_custom_target(oss_fuzz ALL
-  DEPENDS openexr_exrcheck_fuzzer openexr_exrcorecheck_fuzzer openexr_encoding_fuzzer openexr_attribute_fuzzer openexr_htj2k_fuzzer openexr_roundtrip_fuzzer
+  DEPENDS ${OPENEXR_FUZZERS}
 )
 
 if ($ENV{FUZZING_ENGINE} STREQUAL "afl")

src/test/oss-fuzz/openexr_exrgaps_fuzzer.cc

@@ -0,0 +1,296 @@
+//
+// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) Contributors to the OpenEXR Project.
+//
+
+//
+// The Imf::checkOpenEXRFile()-based fuzzers iterate
+// parts and tiles in linear order with in-bounds coordinates. This fuzzer
+// targets four paths that complementary code coverage misses:
+//
+//   Mode 0: TiledInputPart::readTile(dx, dy, lx, ly) with adversarial
+//           coordinate sequencing, stressing tile-cache eviction and
+//           ripmap level resolution.
+//   Mode 1: TiledInputPart::readTiles(dx1, dx2, dy1, dy2, lx, ly) with
+//           attacker-controlled ranges (rather than the natural
+//           (0..numXTiles-1, 0..numYTiles-1) range).
+//   Mode 2: DeepTiledInputPart::readTile(dx, dy, lx, ly) with
+//           attacker-controlled coordinates.
+//   Mode 3: MultiPartInputFile::header(p) iteration in reverse part
+//           order, with per-attribute name lookup, exercising the
+//           part-cache and the typed-attribute path.
+//
+// The harness writes the input to a temporary file because the public
+// C++ MultiPartInputFile/TiledInputPart API operates on file paths.
+//
+
+#include <algorithm>
+#include <cerrno>
+#include <cstdint>
+#include <cstddef>
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+#include <string>
+
+#include <unistd.h>
+
+#include <ImfMultiPartInputFile.h>
+#include <ImfTiledInputPart.h>
+#include <ImfDeepTiledInputPart.h>
+#include <ImfHeader.h>
+#include <ImfFrameBuffer.h>
+#include <ImfDeepFrameBuffer.h>
+#include <ImfTileDescriptionAttribute.h>
+#include <ImfPartType.h>
+
+namespace IMF = OPENEXR_IMF_NAMESPACE;
+
+namespace {
+
+constexpr size_t kMaxInput          = 4 * 1024 * 1024;
+constexpr int    kMaxTilesPerCall   = 16;
+constexpr int    kMaxParts          = 8;
+// Bound on (dx2-dx1+1)*(dy2-dy1+1) for readTiles() to avoid pathological
+// 1024-tile calls slowing fuzz throughput. 8x8 = 64 tiles per call covers
+// boundary and small-range cases without burning iteration time.
+constexpr int    kMaxRangeSide      = 8;
+
+std::string write_temp (const uint8_t* data, size_t size)
+{
+    char path[] = "/tmp/exr_gaps_XXXXXX";
+    int  fd     = mkstemp (path);
+    if (fd < 0) return std::string ();
+    size_t total = 0;
+    while (total < size)
+    {
+        ssize_t n = write (fd, data + total, size - total);
+        if (n < 0)
+        {
+            if (errno == EINTR) continue;
+            close (fd);
+            unlink (path);
+            return std::string ();
+        }
+        if (n == 0) break;
+        total += static_cast<size_t> (n);
+    }
+    close (fd);
+    if (total != size)
+    {
+        unlink (path);
+        return std::string ();
+    }
+    return std::string (path);
+}
+
+uint32_t read_u32 (const uint8_t* p, size_t size, size_t off)
+{
+    if (off + 4 > size) return 0;
+    return static_cast<uint32_t> (p[off])
+         | (static_cast<uint32_t> (p[off + 1]) << 8)
+         | (static_cast<uint32_t> (p[off + 2]) << 16)
+         | (static_cast<uint32_t> (p[off + 3]) << 24);
+}
+
+void
+test_tiled_random_coords (
+    const std::string& path, const uint8_t* params, size_t param_size)
+{
+    if (param_size < 8) return;
+    try
+    {
+        IMF::MultiPartInputFile mpif (path.c_str ());
+        int n_parts = std::min (mpif.parts (), kMaxParts);
+        for (int p = 0; p < n_parts; p++)
+        {
+            const IMF::Header& hdr = mpif.header (p);
+            if (!hdr.hasTileDescription ()) continue;
+            // TiledInputPart is for non-deep tiled parts. Mode 2 covers
+            // deep tiled. MultiPartInputFile auto-synthesizes a "type"
+            // attribute, so we must check the value rather than presence.
+            if (hdr.hasType () && hdr.type () == IMF::DEEPTILE) continue;
+            try
+            {
+                IMF::TiledInputPart tip (mpif, p);
+                IMF::FrameBuffer    fb;
+                tip.setFrameBuffer (fb);
+                for (int t = 0; t < kMaxTilesPerCall; t++)
+                {
+                    uint32_t r =
+                        read_u32 (params, param_size, (t * 8) % param_size);
+                    uint32_t s =
+                        read_u32 (params, param_size, ((t * 8) + 4) % param_size);
+                    int dx = r & 0xff;
+                    int dy = (r >> 8) & 0xff;
+                    int lx = s & 0x0f;
+                    int ly = (s >> 4) & 0x0f;
+                    try
+                    {
+                        tip.readTile (dx, dy, lx, ly);
+                    }
+                    catch (...)
+                    {
+                    }
+                }
+            }
+            catch (...)
+            {
+            }
+        }
+    }
+    catch (...)
+    {
+    }
+}
+
+void
+test_tiled_range (
+    const std::string& path, const uint8_t* params, size_t param_size)
+{
+    if (param_size < 8) return;
+    try
+    {
+        IMF::MultiPartInputFile mpif (path.c_str ());
+        int n_parts = std::min (mpif.parts (), kMaxParts);
+        for (int p = 0; p < n_parts; p++)
+        {
+            const IMF::Header& hdr = mpif.header (p);
+            if (!hdr.hasTileDescription ()) continue;
+            try
+            {
+                IMF::TiledInputPart tip (mpif, p);
+                IMF::FrameBuffer    fb;
+                tip.setFrameBuffer (fb);
+                uint32_t r   = read_u32 (params, param_size, 0);
+                uint32_t s   = read_u32 (params, param_size, 4);
+                int      dx1 = r & 0xff;
+                int      dy1 = (r >> 16) & 0xff;
+                // Clamp range size so total tile count stays <= kMaxRangeSide^2.
+                int      dx2 = dx1 + (((r >> 8) & 0x1f) % kMaxRangeSide);
+                int      dy2 = dy1 + (((r >> 24) & 0x1f) % kMaxRangeSide);
+                int      lx  = s & 0x0f;
+                int      ly  = (s >> 4) & 0x0f;
+                try
+                {
+                    tip.readTiles (dx1, dx2, dy1, dy2, lx, ly);
+                }
+                catch (...)
+                {
+                }
+            }
+            catch (...)
+            {
+            }
+        }
+    }
+    catch (...)
+    {
+    }
+}
+
+void
+test_deep_tiled (
+    const std::string& path, const uint8_t* params, size_t param_size)
+{
+    if (param_size < 4) return;
+    try
+    {
+        IMF::MultiPartInputFile mpif (path.c_str ());
+        int n_parts = std::min (mpif.parts (), kMaxParts);
+        for (int p = 0; p < n_parts; p++)
+        {
+            const IMF::Header& hdr = mpif.header (p);
+            // DeepTiledInputPart only accepts deep tiled parts.
+            if (!hdr.hasType () || hdr.type () != IMF::DEEPTILE) continue;
+            try
+            {
+                IMF::DeepTiledInputPart dtip (mpif, p);
+                IMF::DeepFrameBuffer    fb;
+                dtip.setFrameBuffer (fb);
+                for (int t = 0; t < kMaxTilesPerCall; t++)
+                {
+                    uint32_t r =
+                        read_u32 (params, param_size, (t * 4) % param_size);
+                    int dx = r & 0xff;
+                    int dy = (r >> 8) & 0xff;
+                    int lx = (r >> 16) & 0x0f;
+                    int ly = (r >> 20) & 0x0f;
+                    try
+                    {
+                        dtip.readTile (dx, dy, lx, ly);
+                    }
+                    catch (...)
+                    {
+                    }
+                }
+            }
+            catch (...)
+            {
+            }
+        }
+    }
+    catch (...)
+    {
+    }
+}
+
+void
+test_part_iteration (
+    const std::string& path, const uint8_t* params, size_t param_size)
+{
+    (void) params;
+    (void) param_size;
+    try
+    {
+        IMF::MultiPartInputFile mpif (path.c_str ());
+        int n_parts = std::min (mpif.parts (), kMaxParts);
+        for (int p = n_parts - 1; p >= 0; p--)
+        {
+            const IMF::Header& hdr = mpif.header (p);
+            for (auto it = hdr.begin (); it != hdr.end (); ++it)
+            {
+                (void) it.name ();
+                try
+                {
+                    (void) hdr.findTypedAttribute<
+                        IMF::TileDescriptionAttribute> (it.name ());
+                }
+                catch (...)
+                {
+                }
+            }
+        }
+    }
+    catch (...)
+    {
+    }
+}
+
+}  // namespace
+
+extern "C" int LLVMFuzzerTestOneInput (const uint8_t* data, size_t size)
+{
+    if (size < 4 || size > kMaxInput) return 0;
+
+    uint8_t mode      = data[0] % 4;
+    size_t  param_len = std::min<size_t> (32, size - 1);
+    const uint8_t* params = data + 1;
+    if (size < 1 + param_len + 256) return 0;
+    const uint8_t* exr_blob = data + 1 + param_len;
+    size_t         exr_size = size - 1 - param_len;
+
+    std::string path = write_temp (exr_blob, exr_size);
+    if (path.empty ()) return 0;
+
+    switch (mode)
+    {
+        case 0: test_tiled_random_coords (path, params, param_len); break;
+        case 1: test_tiled_range (path, params, param_len); break;
+        case 2: test_deep_tiled (path, params, param_len); break;
+        case 3: test_part_iteration (path, params, param_len); break;
+    }
+
+    unlink (path.c_str ());
+    return 0;
+}