<html>
<!--
american fuzzy lop - <canvas> harness
-------------------------------------
Written and maintained by Michal Zalewski <[email protected]>
Copyright 2013, 2014 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
A simple harness for going through afl-generated test cases, rendering them in
the browser environment, and discovering the use of uninitialized memory and
similar bugs. This code led to the discovery of a fair number of library and
browser security bugs!
The url_list[] array is a placeholder; for this to work properly, it needs to
be initialized with web-reachable paths to individual test cases. This can
be done manually or with a simple script.
-->
<body onload="set_images()">
<div id="status"></div>
<div id="image_div"></div>
<canvas height=64 width=64 id=cvs></canvas>
<h2>Results</h2>
<ul id="output"></ul>
<script>
var c = document.getElementById('cvs');
var ctx = c.getContext('2d');
var url_list = [
"images/id:000000,[...].jpg",
"images/id:000001,[...].jpg",
/* ... */
null
];
var USE_IMAGES = 50;
var cur_image = 0;
if (location.hash) cur_image = parseInt(location.hash.substr(1));
var loaded = 0;
var image_obj = [];
var msie_cleanup;
function check_results() {
var uniques = [];
clearTimeout(msie_cleanup);
ctx.clearRect(0, 0, 64, 64);
uniques.push(image_obj[0].imgdata);
for (var i = 1; i < USE_IMAGES; i++) {
if (!image_obj[i].imgdata) continue;
if (image_obj[0].imgdata != image_obj[i].imgdata) {
for (var j = 1; j < uniques.length; j++)
if (uniques[j] == image_obj[i].imgdata) break;
if (j == uniques.length) uniques.push(image_obj[i].imgdata);
}
}
if (uniques.length > 1) {
var str = '<li> Image ' + url_list[cur_image] + ' has ' + uniques.length + ' variants: ';
for (var i = 0; i < uniques.length; i++)
str += '<img src="' + uniques[i] + '">';
document.getElementById('output').innerHTML += str;
}
cur_image++;
set_images();
}
function count_image() {
if (!this.complete || this.counted) return;
this.counted = true;
loaded++;
ctx.clearRect(0, 0, 64, 64);
try {
ctx.drawImage(this, 0, 0, 64, 64);
} catch (e) { }
this.imgdata = c.toDataURL();
if (loaded == USE_IMAGES) check_results();
}
function set_images() {
loaded = 0;
document.getElementById('status').innerHTML = 'Now processing ' + cur_image + '...';
location.hash = '#' + cur_image;
if (url_list[cur_image] == null) {
alert('Done!');
return;
}
restart_images();
msie_cleanup = setTimeout(check_results, 5000);
for (var i = 0; i < USE_IMAGES; i++)
image_obj[i].src = url_list[cur_image] + '?' + Math.random();
}
function restart_images() {
for (var i = 0; i < USE_IMAGES; i++)
if (image_obj[i]) image_obj[i].counted = true;
document.getElementById('image_div').innerHTML = '';
image_obj = [];
for (var i = 0; i < USE_IMAGES; i++) {
image_obj[i] = new Image();
image_obj[i].height = 64;
image_obj[i].width = 64;
image_obj[i].onerror = count_image;
image_obj[i].onload = count_image;
document.getElementById('image_div').appendChild(image_obj[i]);
}
}
</script>
<iframe src='http://www.cnn.com/'></iframe>
Codebase Browser
chromium