librsvg source for verification 2026-05-22

2026-05-22 16:45:08 +08:00
commit 75af7ac721
2138 changed files with 161177 additions and 0 deletions
--- a/fuzz/.gitignore
+++ b/fuzz/.gitignore
@@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -0,0 +1,29 @@
+[package]
+name = "rsvg-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2024"
+license.workspace = true
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+cairo-rs.workspace = true
+glib.workspace = true
+gio.workspace = true
+libfuzzer-sys = "0.4"
+librsvg = { path = "../rsvg" }
+
+# Prevent this from interfering with workspaces
+# [workspace]
+# members = ["."]
+
+[profile.release]
+debug = 1
+
+[[bin]]
+name = "render_document"
+path = "fuzz_targets/render_document.rs"
+test = false
+doc = false
--- a/fuzz/README.md
+++ b/fuzz/README.md
@@ -0,0 +1,62 @@
+# Fuzzing with cargo-fuzz
+
+=======================
+
+* `cargo install cargo-fuzz`
+
+* `rustup default nightly` - cargo-fuzz requires the nightly compiler,
+  unfortunately.
+
+* `cargo fuzz run render_document`
+
+## Configuring fuzzer runs
+
+To pass options to the fuzzer, do it after `--`, for example:
+
+```sh
+cargo fuzz run render_document -- -seed_inputs=corpus1.svg,corpus2.svg,corpus3.svg -only_ascii=1
+```
+
+To get a list of available options, `cargo fuzz run render_document -- -help=1`
+
+### Using dictionaries
+
+There are existing SVG, XML, and CSS dictionaries that can be used with fuzz
+targets:
+
+```sh
+curl https://raw.githubusercontent.com/google/fuzzing/master/dictionaries/{css,svg,xml}.dict > combined.dict
+
+cargo fuzz run render_document corpus/ -- -dict=combined.dict
+```
+
+## Reproducing a failure
+
+You can reproduce a failure by supplying a path to the fuzzed data:
+
+`cargo fuzz run render_document fuzzed.svg`
+
+Fuzz targets can also be run inside of a debugger for further debugging
+information:
+
+```bash
+FUZZ_TARGET=$(find ./target/*/release/ -type f -name render_document)
+gdb --args "$FUZZ_TARGET" fuzzed.svg
+```
+
+## Suppressing leak reports
+
+You can suppress spurious leak reports by specifying a suppressions file via the
+`LSAN_OPTIONS` environment variable:
+
+```bash
+LSAN_OPTIONS="suppressions=../tools/lsan.supp" cargo fuzz run render_document fuzzed.svg
+```
+
+## Related documents
+
+See `../afl-fuzz/README.md` for a to-do list for people who want to help with
+fuzzing.
+
+See `../devel-docs/oss_fuzz.rst` for an overview of librsvg's integration with
+OSS-Fuzz.
--- a/fuzz/fuzz_targets/render_document.rs
+++ b/fuzz/fuzz_targets/render_document.rs
@@ -0,0 +1,28 @@
+#![no_main]
+
+use cairo;
+use glib;
+use libfuzzer_sys::{Corpus, fuzz_target};
+use rsvg;
+
+fuzz_target!(|data: &[u8]| -> Corpus {
+    let width = 96.;
+    let height = 96.;
+
+    let bytes = glib::Bytes::from(data);
+    let stream = gio::MemoryInputStream::from_bytes(&bytes);
+    let handle =
+        rsvg::Loader::new().read_stream(&stream, None::<&gio::File>, None::<&gio::Cancellable>);
+    if let Ok(handle) = handle {
+        let renderer = rsvg::CairoRenderer::new(&handle);
+
+        let surface =
+            cairo::ImageSurface::create(cairo::Format::ARgb32, width as i32, height as i32)
+                .unwrap();
+        let cr = cairo::Context::new(&surface).unwrap();
+        let _ = renderer.render_document(&cr, &cairo::Rectangle::new(0.0, 0.0, width, height));
+        return Corpus::Keep;
+    }
+
+    Corpus::Reject
+});