feat(fuzz): add egfx PDU decoder fuzz target

Greg Lamberson · Greg Lamberson · commit 962182a150a7 · 2026-05-13T13:58:42.000-05:00
Adds a byte-stream fuzz target for the Display Pipeline Virtual Channel
Extension (MS-RDPEGFX) PDU decoders in `ironrdp-egfx`. Matches the pattern
of the existing six fuzz targets in `fuzz/fuzz_targets/`: the libFuzzer
target dispatches `&amp;[u8]` input to a single oracle function in
`ironrdp-fuzzing::oracles`.

The new oracle `egfx_pdu_decode` exercises:
- `GfxPdu` (umbrella enum covering all 23 EGFX message types)
- `CacheToSurfacePdu` (sole sub-PDU with an independent Decode impl)
- `CapabilitySet`
- `Avc420BitmapStream&lt;'_&gt;` and `Avc444BitmapStream&lt;'_&gt;`
- `QuantQuality`, `Point`, `Color`

`ironrdp-egfx` was the only Core-Tier-by-behavior crate in the workspace
without a dedicated fuzz target, leaving the Core Tier "must be fuzzed"
invariant unsatisfied for graphics-pipeline DVC parsing. EGFX is parsed
both client-side (server-sent frames, capability acks) and server-side
(client-sent capability acks, frame acks); the new target exercises both
paths since it operates at the PDU layer.

Changes:
- Add `ironrdp-egfx` path dependency to `ironrdp-fuzzing/Cargo.toml`
- Add `egfx_pdu_decode` oracle function
- Add `fuzz/fuzz_targets/egfx_pdu_decoding.rs`
- Register the new bin in `fuzz/Cargo.toml`
- Regenerate `fuzz/Cargo.lock` and root `Cargo.lock`

Verification:
- `cargo xtask check fmt | lints | locks | typos | tests` all pass
- `cargo check --manifest-path fuzz/Cargo.toml` builds the new target
- Net diff: +46 lines across 5 files plus 1 new file
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/ironrdp-fuzzing/Cargo.toml b/crates/ironrdp-fuzzing/Cargo.toml
@@ -19,6 +19,7 @@ ironrdp-rdpdr.path = "../ironrdp-rdpdr"
 ironrdp-rdpsnd.path = "../ironrdp-rdpsnd"
 ironrdp-cliprdr-format.path = "../ironrdp-cliprdr-format"
 ironrdp-displaycontrol.path = "../ironrdp-displaycontrol"
+ironrdp-egfx.path = "../ironrdp-egfx"
 ironrdp-svc.path = "../ironrdp-svc"
 
 [lints]
diff --git a/crates/ironrdp-fuzzing/src/oracles/mod.rs b/crates/ironrdp-fuzzing/src/oracles/mod.rs
@@ -12,6 +12,29 @@
 
 use crate::generators::BitmapInput;
 
+/// Decodes EGFX (MS-RDPEGFX) PDUs from the given bytes.
+///
+/// Exercises the `GfxPdu` umbrella decoder plus the individually-decodable
+/// sub-PDU and bitmap-stream types in `ironrdp-egfx`. Catches panics, sanitizer
+/// findings, and any other runtime failures the decoder may produce on
+/// attacker-controlled input. Matches the byte-stream oracle pattern used by
+/// `pdu_decode` and `channel_process`.
+pub fn egfx_pdu_decode(data: &[u8]) {
+    use ironrdp_core::decode;
+    use ironrdp_egfx::pdu::{
+        Avc420BitmapStream, Avc444BitmapStream, CacheToSurfacePdu, CapabilitySet, Color, GfxPdu, Point, QuantQuality,
+    };
+
+    let _ = decode::<GfxPdu>(data);
+    let _ = decode::<CacheToSurfacePdu>(data);
+    let _ = decode::<CapabilitySet>(data);
+    let _ = decode::<Avc420BitmapStream<'_>>(data);
+    let _ = decode::<Avc444BitmapStream<'_>>(data);
+    let _ = decode::<QuantQuality>(data);
+    let _ = decode::<Point>(data);
+    let _ = decode::<Color>(data);
+}
+
 pub fn pdu_decode(data: &[u8]) {
     use ironrdp_core::decode;
     use ironrdp_pdu::mcs::{ConnectInitial, ConnectResponse, McsMessage};
diff --git a/fuzz/Cargo.lock b/fuzz/Cargo.lock
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -55,3 +55,10 @@ test = false
 doc = false
 bench = false
 
+[[bin]]
+name = "egfx_pdu_decoding"
+path = "fuzz_targets/egfx_pdu_decoding.rs"
+test = false
+doc = false
+bench = false
+
diff --git a/fuzz/fuzz_targets/egfx_pdu_decoding.rs b/fuzz/fuzz_targets/egfx_pdu_decoding.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    ironrdp_fuzzing::oracles::egfx_pdu_decode(data);
+});
