From 624858e5585632cdef584543f84bffeddaaa061c Mon Sep 17 00:00:00 2001 From: Roshan Sah Date: Wed, 21 May 2025 21:31:45 +0530 Subject: [PATCH] Update fuzz_exif.py --- Tests/oss-fuzz/fuzz_exif.py | 74 ++++++++----------------------------- 1 file changed, 16 insertions(+), 58 deletions(-) diff --git a/Tests/oss-fuzz/fuzz_exif.py b/Tests/oss-fuzz/fuzz_exif.py index 751340b29..8271ad91f 100644 --- a/Tests/oss-fuzz/fuzz_exif.py +++ b/Tests/oss-fuzz/fuzz_exif.py @@ -1,17 +1,11 @@ -# Enhanced Fuzz Target for Pillow: EXIF Metadata Fuzzing - -This fuzz target focuses on testing the EXIF metadata handling capabilities of Pillow, which is an area not specifically targeted by the existing fuzzers. - -```python #!/usr/bin/env python3 - # Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 +# http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -19,90 +13,54 @@ This fuzz target focuses on testing the EXIF metadata handling capabilities of P # See the License for the specific language governing permissions and # limitations under the License. +import sys +import io + import atheris from atheris.import_hook import instrument_imports with instrument_imports(): - import io - import sys - from PIL import Image, ExifTags + from PIL import ExifTags, Image + def TestOneInput(data): - if len(data) < 10: # Skip inputs that are too small + if len(data) < 10: return try: - # Create a BytesIO object from the fuzzer data image_io = io.BytesIO(data) - # Try to open the image with Image.open(image_io) as img: - # Test EXIF extraction try: exif = img._getexif() if exif: - # Process EXIF data for tag_id, value in exif.items(): - # Try to get the tag name tag_name = ExifTags.TAGS.get(tag_id, tag_id) - - # Try to convert GPS info - if tag_id == 34853: # GPSInfo tag + if tag_id == 34853: # GPSInfo for gps_tag, gps_value in value.items(): gps_tag_name = ExifTags.GPSTAGS.get(gps_tag, gps_tag) except Exception: - # Catch exceptions from EXIF processing pass - # Test thumbnail extraction from EXIF try: - if hasattr(img, 'getexif'): + if hasattr(img, "getexif"): exif = img.getexif() - if exif: - # Try to extract thumbnail if present - if hasattr(exif, 'get_thumbnail'): - thumbnail = exif.get_thumbnail() - if thumbnail: - # Try to open the thumbnail - thumb_img = Image.open(io.BytesIO(thumbnail)) - thumb_img.load() + if exif and hasattr(exif, "get_thumbnail"): + thumbnail = exif.get_thumbnail() + if thumbnail: + thumb_img = Image.open(io.BytesIO(thumbnail)) + thumb_img.load() except Exception: - # Catch exceptions from thumbnail extraction pass except Exception: - # Catch all other exceptions pass + def main(): atheris.Setup(sys.argv, TestOneInput) atheris.Fuzz() + if __name__ == "__main__": main() -``` - -## Features - -This fuzz target specifically tests: - -1. EXIF metadata extraction from images -2. Processing of EXIF tags and values -3. GPS information handling -4. Thumbnail extraction from EXIF data - -## Integration - -To integrate this fuzz target: - -1. Save it as `fuzz_exif.py` in the `Tests/oss-fuzz/` directory -2. Update the `build.sh` script to include this target in the build process -3. Test locally to ensure it works correctly -4. Submit as part of a pull request to the Pillow repository - -## Expected Benefits - -- Increased coverage of EXIF metadata handling code -- Potential discovery of bugs in metadata parsing -- Better handling of malformed EXIF data -- Improved security for applications processing images with metadata