failed test with oss-fuzz

[canpool]

We need to run fuzz test cases on ImageMagicK6. These test cases come from oss-fuzz. The fuzz test cases were originally used to test ImageMagicK7. We port them to ImageMagicK6.
google/oss-fuzz@6813e36#diff-624cf98e0975957fdc7e8043c5405930c60a31070add4bbdd0da31648f69bedd
During the test, we found that these fuzz use cases would fail to execute, take huffman_decode_fuzzer.cc as an example:

`#include

#include <Magick++/Blob.h>
#include <Magick++/Image.h>

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
const Magick::Blob blob(Data, Size);
Magick::Image image;
try {
image.read(blob);
} catch (Magick::Exception &e) {
return 0;
}
Magick::ExceptionInfo ex;
auto res = HuffmanDecodeImage(image.image(), &ex);
return 0;
}`

TEST RESULTS:
src/imagemagick/Magick++/lib/Exception.cpp:199^M
NEW_FUNC[2/9]: 0x6ab180 in InterpretDelegateProperties /src/imagemagick/magick/delegate.c:926^M
#3637 NEW cov: 1724 ft: 3236 corp: 97/400b lim: 6 exec/s: 606 rss: 104Mb L: 6/6 MS: 1 CMP- DE: "HTML"-^M
#3650 NEW cov: 1724 ft: 3237 corp: 98/406b lim: 6 exec/s: 608 rss: 104Mb L: 6/6 MS: 3 ChangeByte-ChangeBit-ChangeBit-^M
huffman_decode_fuzzer: magick/blob.c:3291: int ReadBlobByte(Image *): Assertion `image->blob->type != UndefinedStream' failed.^M
AddressSanitizer:DEADLYSIGNAL^M

================================================================
^[[1m^[[31m==13==ERROR: AddressSanitizer: ABRT on unknown address 0x00000000000d (pc 0x7f40054e7428 bp 0x000000b797e0 sp 0x7ffe3c47be28 T0)
^[[1m^[[0mSCARINESS: 10 (signal)
#0 0x7f40054e7428 in raise (/lib/x86_64-linux-gnu/libc.so.6+0x35428)
#1 0x7f40054e9029 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x37029)
#2 0x7f40054dfbd6 (/lib/x86_64-linux-gnu/libc.so.6+0x2dbd6)
#3 0x7f40054dfc81 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x2dc81)
#4 0x631aed in ReadBlobByte /src/imagemagick/magick/blob.c:3291:3
#5 0x692138 in HuffmanDecodeImage /src/imagemagick/magick/compress.c:501:4
#6 0x4ca365 in LLVMFuzzerTestOneInput /src/huffman_decode_fuzzer.cc:15:14
#7 0x5168a6 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:556:15
#8 0x512ea0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:3
#9 0x5182ef in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:698:19
#10 0x51b22d in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocatorfuzzer::SizedFile >&) /src/libfuzzer/FuzzerLoop.cpp:832:5
#11 0x4d860f in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:826:6
#12 0x4ca5d7 in main /src/libfuzzer/FuzzerMain.cpp:19:10
#13 0x7f40054d282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x41f5a8 in _start (/out/huffman_decode_fuzzer+0x41f5a8)

[canpool]

We changed the test case to:
`
#include

#include <Magick++/Image.h>

#include "utils.cc"

namespace MagickCore
{
extern "C" void AttachBlob(BlobInfo *,const void *,const size_t);
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
Magick::Image image;
MagickCore::AttachBlob(image.image()->blob,(const void *) Data,Size);

(void) HuffmanDecodeImage(image.image());
return 0;
}
`
reference to: ImageMagick/ImageMagick@0ac26cc#diff-7a0cc9439b5d644938229efdc74b7000f51483dea1c5edaeb15a8308f9e21313

TEST RESULTS:
huffman_decode_fuzzer: magick/blob.c:208: void AttachBlob(BlobInfo *, const void *, const size_t): Assertion `blob_info != (BlobInfo *) NULL' failed

But, we use gdb print image.image()->blob that's value is not NULL

It's so weird!!
@dlemstra

DEBUG RESULTS：
(gdb) p image
$1 = {_vptr$Image = 0x10add50 <vtable for Magick::Image+16>, _imgRef = 0x606000000140}
(gdb) p image.image()
$2 = (Image *&) @0x606000000140: 0x627000000100
(gdb) p image.image()->blob
$3 = (BlobInfo *) 0x6120000004c0
(gdb) p ((Image *)0x627000000100)->blob
$4 = (BlobInfo *) 0x0
(gdb) p *((Image *)0x627000000100)
$5 = {storage_class = DirectClass, colorspace = sRGBColorspace, compression = UndefinedCompression, quality = 0, orientation = UndefinedOrientation, taint = MagickFalse,
matte = MagickFalse, columns = 0, rows = 0, depth = 16, colors = 0, colormap = 0x0, background_color = {blue = -nan(0x7fffff), green = 9.18340949e-41, red = -3.22637152e+19,
opacity = 8.03098163e-41}, border_color = {blue = -0.0926470533, green = 6.80652703e-41, red = -2, opacity = 1.72727263}, matte_color = {blue = 2, green = 1.78499997,
red = 3.68934881e+19, opacity = 1.66499996}, gamma = 0.029999999329447746, chromaticity = {red_primary = {x = 0.30000001192092896, y = 0.60000002384185791, z = 0.10000000149011612},
green_primary = {x = 0.15000000596046448, y = 0.059999998658895493, z = 0.79000002145767212}, blue_primary = {x = 0.31270000338554382, y = 0.32899999618530273,
z = 0.35830000042915344}, white_point = {x = 9.8813129168249309e-324, y = 0, z = 0}}, rendering_intent = UndefinedIntent, profiles = 0x0, units = UndefinedResolution,
montage = 0x0, directory = 0x0, geometry = 0x0, offset = 0, x_resolution = 0, y_resolution = 0, page = {width = 0, height = 0, x = 0, y = 0}, extract_info = {width = 0, height = 0,
x = 0, y = 0}, tile_info = {width = 0, height = 0, x = 4607182418800017408, y = 0}, bias = 2.1219957909652723e-314, blur = 0, fuzz = 1.9762625833649862e-322,
filter = UndefinedFilter, interlace = UndefinedInterlace, endian = UndefinedEndian, gravity = UndefinedGravity, compose = UndefinedCompositeOp, dispose = UnrecognizedDispose,
clip_mask = 0x64, scene = 0, delay = 0, ticks_per_second = 0, iterations = 0, total_colors = 0, start_loop = 0, error = {mean_error_per_pixel = 0.029999999999999999,
normalized_mean_error = 0, normalized_maximum_error = 0}, timer = {user = {start = 1485582.5058219249, stop = 0, total = 0}, elapsed = {start = 9.8813129168249309e-324,
stop = 1.4230180444814092e-314, total = 0}, state = UndefinedTimerState, signature = 108095736906048}, progress_monitor = 0x0, client_data = 0x0, cache = 0x6120000004c0,
attributes = 0x0, ascii85 = 0x0, blob = 0x0, filename = '\000' <repeats 4095 times>, magick_filename = '\000' <repeats 4073 times>..., magick = '\000' <repeats 4095 times>,
magick_columns = 0, magick_rows = 0, exception = {severity = 992, error_number = 24672, reason = 0x0, description = 0x60d000000600 "", exceptions = 0xabacadab,
relinquish = MagickFalse, semaphore = 0x1, signature = 106446469470208}, debug = MagickFalse, reference_count = 0, semaphore = 0x0, color_profile = {name = 0x0, length = 0,
info = 0x0, signature = 0}, iptc_profile = {name = 0x0, length = 0, info = 0x0, signature = 2880220587}, generic_profile = 0x0, generic_profiles = 0, signature = 0, previous = 0x0,
list = 0xffff000000000000, next = 0x0, interpolate = UndefinedInterpolatePixel, black_point_compensation = MagickFalse, transparent_color = {blue = 0, green = 0, red = 0,
opacity = 0}, mask = 0x0, tile_offset = {width = 0, height = 0, x = 4294967296, y = 0}, properties = 0x0, artifacts = 0x0, type = 1605167192, dither = MagickFalse, extent = 0,
ping = MagickFalse, channels = 0, timestamp = 0, intensity = UndefinedPixelIntensityMethod, duration = 0, tietz_offset = 0}
(gdb) p *image.image()
$6 = {storage_class = DirectClass, colorspace = sRGBColorspace, compression = UndefinedCompression, quality = 0, orientation = UndefinedOrientation, taint = MagickFalse,
matte = MagickFalse, columns = 0, rows = 0, depth = 16, colors = 0, colormap = 0x0, background_color = {blue = 65535, green = 65535, red = 65535, opacity = 0}, border_color = {
blue = 57311, green = 57311, red = 57311, opacity = 0}, matte_color = {blue = 48573, green = 48573, red = 48573, opacity = 0}, gamma = 0.45454543828964233, chromaticity = {
red_primary = {x = 0.63999998569488525, y = 0.33000001311302185, z = 0.029999999329447746}, green_primary = {x = 0.30000001192092896, y = 0.60000002384185791,
z = 0.10000000149011612}, blue_primary = {x = 0.15000000596046448, y = 0.059999998658895493, z = 0.79000002145767212}, white_point = {x = 0.31270000338554382,
y = 0.32899999618530273, z = 0.35830000042915344}}, rendering_intent = PerceptualIntent, profiles = 0x0, units = UndefinedResolution, montage = 0x0, directory = 0x0,
geometry = 0x0, offset = 0, x_resolution = 0, y_resolution = 0, page = {width = 0, height = 0, x = 0, y = 0}, extract_info = {width = 0, height = 0, x = 0, y = 0}, tile_info = {
width = 0, height = 0, x = 0, y = 0}, bias = 0, blur = 1, fuzz = 0, filter = UndefinedFilter, interlace = NoInterlace, endian = UndefinedEndian, gravity = UndefinedGravity,
compose = OverCompositeOp, dispose = UnrecognizedDispose, clip_mask = 0x0, scene = 0, delay = 0, ticks_per_second = 100, iterations = 0, total_colors = 0, start_loop = 0, error = {
mean_error_per_pixel = 0, normalized_mean_error = 0, normalized_maximum_error = 0}, timer = {user = {start = 0.029999999999999999, stop = 0, total = 0}, elapsed = {
start = 1485582.5058219249, stop = 0, total = 0}, state = RunningTimerState, signature = 2880220587}, progress_monitor = 0x0, client_data = 0x0, cache = 0x625000000140,
attributes = 0x0, ascii85 = 0x0, blob = 0x6120000004c0, filename = '\000' <repeats 4095 times>, magick_filename = '\000' <repeats 4095 times>,
magick = "\000IFF", '\000' <repeats 4091 times>, magick_columns = 0, magick_rows = 0, exception = {severity = UndefinedException, error_number = 0, reason = 0x0, description = 0x0,
exceptions = 0x6060000003e0, relinquish = MagickFalse, semaphore = 0x60d000000600, signature = 2880220587}, debug = MagickFalse, reference_count = 1, semaphore = 0x60d000001800,
color_profile = {name = 0x0, length = 0, info = 0x0, signature = 0}, iptc_profile = {name = 0x0, length = 0, info = 0x0, signature = 0}, generic_profile = 0x0, generic_profiles = 0,
signature = 2880220587, previous = 0x0, list = 0x0, next = 0x0, interpolate = UndefinedInterpolatePixel, black_point_compensation = MagickFalse, transparent_color = {blue = 0,
green = 0, red = 0, opacity = 65535}, mask = 0x0, tile_offset = {width = 0, height = 0, x = 0, y = 0}, properties = 0x0, artifacts = 0x0, type = UndefinedType, dither = MagickTrue,
extent = 0, ping = MagickFalse, channels = 0, timestamp = 1605167192, intensity = UndefinedPixelIntensityMethod, duration = 0, tietz_offset = 0}
(gdb)

[canpool]

I have solved it.
Change the -DMAGICKCORE_HDRI_ENABLE=1 to -DMAGICKCORE_HDRI_ENABLE=0 in ImageMagick6 build.sh

……
for f in $SRC/*_fuzzer.cc; do
fuzzer=$(basename "$f" _fuzzer.cc)
# encoder_fuzzer is special
if [ "$fuzzer" = "encoder" ]; then
continue
fi
$CXX $CXXFLAGS -std=c++11 -I"$WORK/include/ImageMagick-6"
"$f" -o "$OUT/${fuzzer}_fuzzer"
-DMAGICKCORE_HDRI_ENABLE=0 -DMAGICKCORE_QUANTUM_DEPTH=16
-lFuzzingEngine "$WORK/lib/libMagick++-6.Q16.a"
"$WORK/lib/libMagickWand-6.Q16.a" "$WORK/lib/libMagickCore-6.Q16.a" -lpthread
done
……

[urban-warrior]

Correct. The default build for ImageMagick 7 series is to enable HDRI. However, for the V6 series, the default is non-HDRI.