You can not select more than 25 topics
			Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
		
		
		
		
		
			
		
			
				
					
					
						
							171 lines
						
					
					
						
							3.6 KiB
						
					
					
				
			
		
		
	
	
							171 lines
						
					
					
						
							3.6 KiB
						
					
					
				| <html>
 | |
| <!--
 | |
| 
 | |
|   american fuzzy lop - <canvas> harness
 | |
|   -------------------------------------
 | |
|  
 | |
|   Written and maintained by Michal Zalewski <lcamtuf@google.com>
 | |
|  
 | |
|   Copyright 2013, 2014 Google LLC All rights reserved.
 | |
|  
 | |
|   Licensed under the Apache License, Version 2.0 (the "License");
 | |
|   you may not use this file except in compliance with the License.
 | |
|   You may obtain a copy of the License at:
 | |
|  
 | |
|     http://www.apache.org/licenses/LICENSE-2.0
 | |
|  
 | |
|   A simple harness for going through afl-generated test cases, rendering them in
 | |
|   the browser environment, and discovering the use of uninitialized memory and
 | |
|   similar bugs. This code led to the discovery of a fair number of library and
 | |
|   browser security bugs!
 | |
| 
 | |
|   The url_list[] array is a placeholder; for this to work properly, it needs to
 | |
|   be initialized with web-reachable paths to individual test cases. This can
 | |
|   be done manually or with a simple script.
 | |
| 
 | |
| -->
 | |
| 
 | |
| <body onload="set_images()">
 | |
| 
 | |
| <div id="status"></div>
 | |
| 
 | |
| <div id="image_div"></div>
 | |
| 
 | |
| <canvas height=64 width=64 id=cvs></canvas>
 | |
| 
 | |
| <h2>Results</h2>
 | |
| 
 | |
| <ul id="output"></ul>
 | |
| 
 | |
| <script>
 | |
| 
 | |
| var c = document.getElementById('cvs');
 | |
| var ctx = c.getContext('2d');
 | |
| 
 | |
| var url_list = [
 | |
|   "images/id:000000,[...].jpg",
 | |
|   "images/id:000001,[...].jpg",
 | |
|   /* ... */
 | |
|   null
 | |
| ];
 | |
| 
 | |
| var USE_IMAGES = 50;
 | |
| var cur_image = 0;
 | |
| 
 | |
| if (location.hash) cur_image = parseInt(location.hash.substr(1));
 | |
| 
 | |
| var loaded = 0;
 | |
| var image_obj = [];
 | |
| 
 | |
| var msie_cleanup;
 | |
| 
 | |
| function check_results() {
 | |
| 
 | |
|   var uniques = [];
 | |
| 
 | |
|   clearTimeout(msie_cleanup);
 | |
| 
 | |
|   ctx.clearRect(0, 0, 64, 64);
 | |
| 
 | |
|   uniques.push(image_obj[0].imgdata);
 | |
| 
 | |
|   for (var i = 1; i < USE_IMAGES; i++) {
 | |
| 
 | |
|     if (!image_obj[i].imgdata) continue;
 | |
| 
 | |
|     if (image_obj[0].imgdata != image_obj[i].imgdata) {
 | |
| 
 | |
|       for (var j = 1; j < uniques.length; j++)
 | |
|         if (uniques[j] == image_obj[i].imgdata) break;
 | |
| 
 | |
|       if (j == uniques.length) uniques.push(image_obj[i].imgdata);
 | |
| 
 | |
| 
 | |
|     }
 | |
| 
 | |
|   }
 | |
| 
 | |
|   if (uniques.length > 1) {
 | |
| 
 | |
|     var str = '<li> Image ' + url_list[cur_image] + ' has ' + uniques.length + ' variants: ';
 | |
| 
 | |
|     for (var i = 0; i < uniques.length; i++)
 | |
|       str += '<img src="' + uniques[i] + '">';
 | |
| 
 | |
|     document.getElementById('output').innerHTML += str;
 | |
| 
 | |
|   }
 | |
| 
 | |
|   cur_image++;
 | |
|   set_images();
 | |
| }
 | |
| 
 | |
| 
 | |
| function count_image() {
 | |
| 
 | |
|   if (!this.complete || this.counted) return;
 | |
| 
 | |
|   this.counted = true;
 | |
| 
 | |
|   loaded++;
 | |
| 
 | |
|   ctx.clearRect(0, 0, 64, 64);
 | |
| 
 | |
|   try {
 | |
|     ctx.drawImage(this, 0, 0, 64, 64);
 | |
|   } catch (e) { }
 | |
| 
 | |
|   this.imgdata = c.toDataURL();
 | |
| 
 | |
|   if (loaded == USE_IMAGES) check_results();
 | |
| }
 | |
| 
 | |
| 
 | |
| function set_images() {
 | |
| 
 | |
|   loaded = 0;
 | |
| 
 | |
|   document.getElementById('status').innerHTML = 'Now processing ' + cur_image + '...';
 | |
|   location.hash = '#' + cur_image;
 | |
| 
 | |
|   if (url_list[cur_image] == null) {
 | |
|     alert('Done!');
 | |
|     return;
 | |
|   }
 | |
| 
 | |
|   restart_images();
 | |
| 
 | |
|   msie_cleanup = setTimeout(check_results, 5000);
 | |
| 
 | |
|   for (var i = 0; i < USE_IMAGES; i++)
 | |
|     image_obj[i].src = url_list[cur_image] + '?' + Math.random();
 | |
| 
 | |
| }
 | |
| 
 | |
| 
 | |
| function restart_images() {
 | |
| 
 | |
|   for (var i = 0; i < USE_IMAGES; i++) 
 | |
|     if (image_obj[i]) image_obj[i].counted = true;
 | |
| 
 | |
|   document.getElementById('image_div').innerHTML = '';
 | |
|   image_obj = [];
 | |
| 
 | |
|   for (var i = 0; i < USE_IMAGES; i++) {
 | |
| 
 | |
|     image_obj[i] = new Image();
 | |
|     image_obj[i].height = 64;
 | |
|     image_obj[i].width = 64;
 | |
|     image_obj[i].onerror = count_image;
 | |
|     image_obj[i].onload = count_image;
 | |
| 
 | |
|     document.getElementById('image_div').appendChild(image_obj[i]);
 | |
| 
 | |
|   }
 | |
| 
 | |
| }
 | |
| 
 | |
| </script>
 | |
| 
 | |
| <iframe src='http://www.cnn.com/'></iframe>
 |