test/oss-fuzz: address Copilot review on openexr_exrgaps_fuzzer

jortles · jortles · commit 8835db0242c3 · 2026-05-11T09:27:23.000-05:00
Six fixes from the Copilot review of #2401: 1. read_u32(): cast each byte to uint32_t before shifting/ORing. The previous form left-shifted promoted-to-int values, which is undefined behavior in C++ when the shifted value would set the sign bit. 2. write_temp(): handle short writes and EINTR. The single write() call could legally return early or be interrupted, causing valid inputs to be silently dropped. Loop until the full buffer is written, retrying on EINTR. 3. Add explicit #include <algorithm> for std::min, which was previously relying on transitive inclusion. Also add <cerrno>. 4. Mode 0 (test_tiled_random_coords): replace `if (hdr.find("type") != hdr.end()) continue;` with a check on the actual type value. MultiPartInputFile auto-synthesizes a "type" attribute when missing, so the previous check effectively skipped every part. Mirror the fix in test_deep_tiled to require hdr.type() == DEEPTILE explicitly. Use Imf::DEEPTILE constants from ImfPartType.h. 5. Mode 1 (test_tiled_range): clamp the (dx2-dx1+1)*(dy2-dy1+1) product so a single readTiles() call requests at most kMaxRangeSide^2 = 64 tiles, down from the prior 32x32 = 1024. Improves fuzz throughput on valid tiled inputs without losing coverage of small-range and boundary cases. 6. CMakeLists.txt: replace the duplicated fuzzer list in the oss_fuzz custom target's DEPENDS with ${OPENEXR_FUZZERS}, so the list is maintained in one place. Signed-off-by: Anthony Hurtado <amhurtado@pm.me>
diff --git a/src/test/oss-fuzz/CMakeLists.txt b/src/test/oss-fuzz/CMakeLists.txt
@@ -26,7 +26,7 @@ message(status "CC_FLAGS=$ENV{CC_FLAGS}")
 
 set(OPENEXR_FUZZERS openexr_exrcheck_fuzzer openexr_exrcorecheck_fuzzer openexr_encoding_fuzzer openexr_attribute_fuzzer openexr_htj2k_fuzzer openexr_roundtrip_fuzzer openexr_exrgaps_fuzzer)
 add_custom_target(oss_fuzz ALL
-  DEPENDS openexr_exrcheck_fuzzer openexr_exrcorecheck_fuzzer openexr_encoding_fuzzer openexr_attribute_fuzzer openexr_htj2k_fuzzer openexr_roundtrip_fuzzer openexr_exrgaps_fuzzer
+  DEPENDS ${OPENEXR_FUZZERS}
 )
 
 if ($ENV{FUZZING_ENGINE} STREQUAL "afl")
diff --git a/src/test/oss-fuzz/openexr_exrgaps_fuzzer.cc b/src/test/oss-fuzz/openexr_exrgaps_fuzzer.cc
@@ -26,6 +26,8 @@
 // C++ MultiPartInputFile/TiledInputPart API operates on file paths.
 //
 
+#include <algorithm>
+#include <cerrno>
 #include <cstdint>
 #include <cstddef>
 #include <cstdio>
@@ -42,23 +44,41 @@
 #include <ImfFrameBuffer.h>
 #include <ImfDeepFrameBuffer.h>
 #include <ImfTileDescriptionAttribute.h>
+#include <ImfPartType.h>
 
 namespace IMF = OPENEXR_IMF_NAMESPACE;
 
 namespace {
 
-constexpr size_t kMaxInput      = 4 * 1024 * 1024;
-constexpr int    kMaxTilesPerCall = 16;
-constexpr int    kMaxParts        = 8;
+constexpr size_t kMaxInput          = 4 * 1024 * 1024;
+constexpr int    kMaxTilesPerCall   = 16;
+constexpr int    kMaxParts          = 8;
+// Bound on (dx2-dx1+1)*(dy2-dy1+1) for readTiles() to avoid pathological
+// 1024-tile calls slowing fuzz throughput. 8x8 = 64 tiles per call covers
+// boundary and small-range cases without burning iteration time.
+constexpr int    kMaxRangeSide      = 8;
 
 std::string write_temp (const uint8_t* data, size_t size)
 {
     char path[] = "/tmp/exr_gaps_XXXXXX";
     int  fd     = mkstemp (path);
     if (fd < 0) return std::string ();
-    ssize_t n = write (fd, data, size);
+    size_t total = 0;
+    while (total < size)
+    {
+        ssize_t n = write (fd, data + total, size - total);
+        if (n < 0)
+        {
+            if (errno == EINTR) continue;
+            close (fd);
+            unlink (path);
+            return std::string ();
+        }
+        if (n == 0) break;
+        total += static_cast<size_t> (n);
+    }
     close (fd);
-    if (n != static_cast<ssize_t> (size))
+    if (total != size)
     {
         unlink (path);
         return std::string ();
@@ -69,7 +89,10 @@ std::string write_temp (const uint8_t* data, size_t size)
 uint32_t read_u32 (const uint8_t* p, size_t size, size_t off)
 {
     if (off + 4 > size) return 0;
-    return p[off] | (p[off + 1] << 8) | (p[off + 2] << 16) | (p[off + 3] << 24);
+    return static_cast<uint32_t> (p[off])
+         | (static_cast<uint32_t> (p[off + 1]) << 8)
+         | (static_cast<uint32_t> (p[off + 2]) << 16)
+         | (static_cast<uint32_t> (p[off + 3]) << 24);
 }
 
 void
@@ -85,8 +108,10 @@ test_tiled_random_coords (
         {
             const IMF::Header& hdr = mpif.header (p);
             if (!hdr.hasTileDescription ()) continue;
-            auto type_it = hdr.find ("type");
-            if (type_it != hdr.end ()) continue;
+            // TiledInputPart is for non-deep tiled parts. Mode 2 covers
+            // deep tiled. MultiPartInputFile auto-synthesizes a "type"
+            // attribute, so we must check the value rather than presence.
+            if (hdr.hasType () && hdr.type () == IMF::DEEPTILE) continue;
             try
             {
                 IMF::TiledInputPart tip (mpif, p);
@@ -142,9 +167,10 @@ test_tiled_range (
                 uint32_t r   = read_u32 (params, param_size, 0);
                 uint32_t s   = read_u32 (params, param_size, 4);
                 int      dx1 = r & 0xff;
-                int      dx2 = dx1 + ((r >> 8) & 0x1f);
                 int      dy1 = (r >> 16) & 0xff;
-                int      dy2 = dy1 + ((r >> 24) & 0x1f);
+                // Clamp range size so total tile count stays <= kMaxRangeSide^2.
+                int      dx2 = dx1 + (((r >> 8) & 0x1f) % kMaxRangeSide);
+                int      dy2 = dy1 + (((r >> 24) & 0x1f) % kMaxRangeSide);
                 int      lx  = s & 0x0f;
                 int      ly  = (s >> 4) & 0x0f;
                 try
@@ -176,9 +202,9 @@ test_deep_tiled (
         int n_parts = std::min (mpif.parts (), kMaxParts);
         for (int p = 0; p < n_parts; p++)
         {
-            const IMF::Header& hdr     = mpif.header (p);
-            auto               type_it = hdr.find ("type");
-            if (type_it == hdr.end ()) continue;
+            const IMF::Header& hdr = mpif.header (p);
+            // DeepTiledInputPart only accepts deep tiled parts.
+            if (!hdr.hasType () || hdr.type () != IMF::DEEPTILE) continue;
             try
             {
                 IMF::DeepTiledInputPart dtip (mpif, p);

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ message(status "CC_FLAGS=$ENV{CC_FLAGS}")`
`26`	`26`
`27`	`27`	`set(OPENEXR_FUZZERS openexr_exrcheck_fuzzer openexr_exrcorecheck_fuzzer openexr_encoding_fuzzer openexr_attribute_fuzzer openexr_htj2k_fuzzer openexr_roundtrip_fuzzer openexr_exrgaps_fuzzer)`
`28`	`28`	`add_custom_target(oss_fuzz ALL`
`29`		`- DEPENDS openexr_exrcheck_fuzzer openexr_exrcorecheck_fuzzer openexr_encoding_fuzzer openexr_attribute_fuzzer openexr_htj2k_fuzzer openexr_roundtrip_fuzzer openexr_exrgaps_fuzzer`
	`29`	`+ DEPENDS ${OPENEXR_FUZZERS}`
`30`	`30`	`)`
`31`	`31`
`32`	`32`	`if ($ENV{FUZZING_ENGINE} STREQUAL "afl")`