demonstrate undefined behaviour in opj_decompress

src/bin/common/color.c

@@ -1072,6 +1072,8 @@ void color_esycc_to_rgb(opj_image_t *image)
     int y, cb, cr, sign1, sign2, val;
     unsigned int w, h, max, i;
     int flip_value = (1 << (image->comps[0].prec - 1));
+    // runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+    // runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
     int max_value = (1 << image->comps[0].prec) - 1;
 
     if (

src/lib/openjp2/ht_dec.c

@@ -1192,6 +1192,7 @@ OPJ_BOOL opj_t1_ht_decode_cblk(opj_t1_t *t1,
         cblkdata = t1->cblkdatabuffer;
         cblk_len = 0;
         for (i = 0; i < cblk->numchunks; i++) {
+            assert(cblkdata!=NULL && "memcpy on NULL is undefined behaviour");
             memcpy(cblkdata + cblk_len, cblk->chunks[i].data, cblk->chunks[i].len);
             cblk_len += cblk->chunks[i].len;
         }

src/lib/openjp2/j2k.c

@@ -7817,6 +7817,11 @@ OPJ_BOOL opj_j2k_setup_encoder(opj_j2k_t *p_j2k,
                                        image->comps[0].h * image->comps[0].prec) /
                                       ((double)parameters->tcp_rates[parameters->tcp_numlayers - 1] * 8 *
                                        image->comps[0].dx * image->comps[0].dy));
+            // this is problematic because INT_MAX is converted to float, but
+            // it can not represent that value (2147483647) exactly, instead it
+            // becomes 2147483648.0f which means the else clause may be hit with
+            // the value 2147483648.0f. that can not be represented as an int,
+            // so the assignment to int is undefined behaviour
             if (temp_size > INT_MAX) {
                 parameters->max_cs_size = INT_MAX;
             } else {

src/lib/openjp2/tcd.c

@@ -2324,6 +2324,7 @@ static OPJ_BOOL opj_tcd_dc_level_shift_decode(opj_tcd_t *p_tcd)
                                                    l_max);
                     ++l_current_ptr;
                 }
+                assert(l_current_ptr!=NULL && "pointer arithmetic on null pointer is undefined behaviour");
                 l_current_ptr += l_stride;
             }
         } else {
@@ -2342,6 +2343,7 @@ static OPJ_BOOL opj_tcd_dc_level_shift_decode(opj_tcd_t *p_tcd)
                     }
                     ++l_current_ptr;
                 }
+                assert(l_current_ptr!=NULL && "pointer arithmetic on null pointer is undefined behaviour");
                 l_current_ptr += l_stride;
             }
         }

tests/fuzzers/afl/.gitignore

@@ -0,0 +1 @@
+build-*/

tests/fuzzers/afl/build-afl.sh

@@ -0,0 +1,56 @@
+#/bin/sh
+#
+# this creates builds which can be used to fuzz with afl
+#
+# by Paul Dreik 20220825
+
+set -eux
+
+here=$(dirname $0)
+gitroot=$(git -C $here rev-parse --show-toplevel)
+
+
+###################################
+# afl clang
+export AFL_USE_ASAN=1
+export AFL_USE_UBSAN=1
+
+target=$here/build-afl-clang
+
+cmake \
+-DCMAKE_C_COMPILER=afl-clang-fast \
+-S $gitroot -B $target
+
+cmake --build $target -j $(nproc)
+
+###################################
+# afl clang, with asserts disabled
+
+target=$here/build-afl-clang-ndebug
+
+cmake \
+-DCMAKE_C_COMPILER=afl-clang-fast \
+-DCMAKE_C_FLAGS="-g -DNDEBUG" \
+-S $gitroot -B $target
+
+cmake --build $target  -j $(nproc)
+
+###################################
+# sanitizer build with asserts disabled
+target=$here/build-clang-release-replay
+cmake \
+-DCMAKE_C_COMPILER=clang-14 \
+-DCMAKE_C_FLAGS="-g -fsanitize=address,undefined -O3 -DNDEBUG" \
+-S $gitroot -B $target
+
+cmake --build $target -j $(nproc)
+
+###################################
+# sanitizer build with asserts enabled
+target=$here/build-clang-debug-replay
+cmake \
+-DCMAKE_C_COMPILER=clang-14 \
+-DCMAKE_C_FLAGS="-g -fsanitize=address,undefined -O3" \
+-S $gitroot -B $target
+
+cmake --build $target -j $(nproc)