Add OSS-Fuzz integration with 10 fuzz targets

.github/workflows/fuzz.yml

@@ -0,0 +1,107 @@
+name: Fuzz Testing
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+    branches: [master, main]
+  schedule:
+    # Run weekly on Sunday at midnight
+    - cron: '0 0 * * 0'
+
+jobs:
+  fuzz:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        fuzzer:
+          - pdf_parser
+          - pdf_modify
+          - pdf_form
+          - jpeg_embed
+          - png_embed
+          - stream_decode
+          - object_parser
+          - pdf_string
+          - xref_stream
+          - page_embed
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Install fuzzing dependencies
+        run: npm install --no-save @jazzer.js/core esbuild
+
+      - name: Build fuzzer
+        run: |
+          npx esbuild fuzz/${{ matrix.fuzzer }}.fuzz.ts \
+            --bundle \
+            --platform=node \
+            --target=node18 \
+            --outfile=fuzz/${{ matrix.fuzzer }}.fuzz.js \
+            --format=cjs
+
+      - name: Run fuzzer regression test
+        run: |
+          npx jazzer fuzz/${{ matrix.fuzzer }}.fuzz.js \
+            --mode regression \
+            --corpus fuzz/corpus/pdf_parser \
+            --timeout 30
+
+      - name: Run short fuzz session
+        run: |
+          timeout 60 npx jazzer fuzz/${{ matrix.fuzzer }}.fuzz.js \
+            --corpus fuzz/corpus/pdf_parser \
+            --max_total_time 30 \
+            || true
+
+  coverage:
+    runs-on: ubuntu-latest
+    needs: fuzz
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Install fuzzing dependencies
+        run: npm install --no-save @jazzer.js/core esbuild
+
+      - name: Build all fuzzers
+        run: |
+          for fuzzer in pdf_parser pdf_modify pdf_form jpeg_embed png_embed stream_decode object_parser pdf_string xref_stream page_embed; do
+            npx esbuild fuzz/${fuzzer}.fuzz.ts --bundle --platform=node --target=node18 --outfile=fuzz/${fuzzer}.fuzz.js --format=cjs
+          done
+
+      - name: Generate combined coverage report
+        run: |
+          for fuzzer in pdf_parser pdf_modify pdf_form jpeg_embed png_embed stream_decode object_parser pdf_string xref_stream page_embed; do
+            echo "Running coverage for ${fuzzer}..."
+            npx jazzer fuzz/${fuzzer}.fuzz.js \
+              --corpus fuzz/corpus/pdf_parser \
+              --coverage \
+              --mode regression \
+              || true
+          done
+
+      - name: Upload coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage/

fuzz/README.md

@@ -0,0 +1,109 @@
+# pdf-lib Fuzzing
+
+This directory contains fuzz targets for [OSS-Fuzz](https://github.com/google/oss-fuzz) integration.
+
+## Fuzz Targets
+
+| Fuzzer | Target | Description |
+|--------|--------|-------------|
+| `pdf_parser` | PDF parsing | Main PDF document parsing via `PDFDocument.load()` |
+| `pdf_modify` | PDF modification | Loading, modifying, and saving PDFs |
+| `pdf_form` | Form parsing | AcroForm field parsing and manipulation |
+| `jpeg_embed` | JPEG embedding | JPEG image parsing via `embedJpg()` |
+| `png_embed` | PNG embedding | PNG image parsing via `embedPng()` |
+| `stream_decode` | Stream decoders | FlateStream, LZWStream, Ascii85, AsciiHex, RunLength |
+| `object_parser` | Object parsing | Individual PDF object parsing (dicts, arrays, strings) |
+| `pdf_string` | String parsing | PDFString/PDFHexString escape sequences and encoding |
+| `xref_stream` | XRef streams | Cross-reference stream parsing |
+| `page_embed` | Page embedding | PDF page embedding and copying |
+
+## Running Locally
+
+### Prerequisites
+
+```bash
+npm install
+npm install --no-save @jazzer.js/core esbuild
+```
+
+### Build a Fuzzer
+
+```bash
+npx esbuild fuzz/pdf_parser.fuzz.ts \
+  --bundle \
+  --platform=node \
+  --target=node18 \
+  --outfile=fuzz/pdf_parser.fuzz.js \
+  --format=cjs
+```
+
+### Run a Fuzzer
+
+```bash
+# Run with seed corpus
+npx jazzer fuzz/pdf_parser.fuzz.js --corpus fuzz/corpus/pdf_parser
+
+# Run for 60 seconds
+npx jazzer fuzz/pdf_parser.fuzz.js --max_total_time 60
+
+# Regression test (run corpus without fuzzing)
+npx jazzer fuzz/pdf_parser.fuzz.js --mode regression --corpus fuzz/corpus/pdf_parser
+```
+
+## Directory Structure
+
+```
+fuzz/
+├── *.fuzz.ts          # Fuzz target source files
+├── *.dict             # Dictionaries (PDF, JPEG, PNG tokens)
+├── *.options          # Fuzzer options (timeouts, memory limits)
+├── corpus/            # Seed corpora
+│   ├── pdf_parser/    # PDF samples
+│   ├── pdf_modify/    # PDF samples
+│   ├── pdf_form/      # Form PDFs
+│   ├── jpeg_embed/    # JPEG images
+│   └── png_embed/     # PNG images
+└── README.md          # This file
+```
+
+## OSS-Fuzz Integration
+
+The OSS-Fuzz configuration is in `oss-fuzz/` at the repository root:
+
+- `Dockerfile` - Build environment
+- `build.sh` - Build script
+- `project.yaml` - Project metadata
+
+## Adding New Fuzzers
+
+1. Create `fuzz/new_fuzzer.fuzz.ts`:
+
+```typescript
+export async function fuzz(data: Buffer): Promise<void> {
+  if (data.length === 0 || data.length > MAX_SIZE) return;
+
+  try {
+    // Your fuzzing logic here
+  } catch (e) {
+    // Expected for malformed input
+  }
+}
+```
+
+2. Add dictionary if needed: `fuzz/new_fuzzer.dict`
+3. Add seed corpus: `fuzz/corpus/new_fuzzer/`
+4. Add options file if needed: `fuzz/new_fuzzer.options`
+5. Update `oss-fuzz/build.sh` to include the new fuzzer
+
+## Coverage
+
+To generate coverage reports:
+
+```bash
+npx jazzer fuzz/pdf_parser.fuzz.js \
+  --corpus fuzz/corpus/pdf_parser \
+  --coverage \
+  --mode regression
+```
+
+Reports are generated in `./coverage/`.

fuzz/corpus/stream_decode/ascii85_test.bin

@@ -0,0 +1 @@
+Gb"0E\!

fuzz/corpus/stream_decode/asciihex_hello.bin

@@ -0,0 +1 @@
+48656C6C6F>

fuzz/corpus/stream_decode/lzw_minimal.bin

@@ -0,0 +1 @@
+
�����

fuzz/corpus/stream_decode/runlength_test.bin

@@ -0,0 +1 @@
+Hello

fuzz/jpeg.dict

@@ -0,0 +1,72 @@
+# JPEG dictionary for fuzzing
+# JPEG markers (using hex)
+"\xff\xd8"
+"\xff\xd9"
+"\xff\xe0"
+"\xff\xe1"
+"\xff\xdb"
+"\xff\xc0"
+"\xff\xc2"
+"\xff\xc4"
+"\xff\xda"
+"\xff\xdd"
+"\xff\xfe"
+
+# JFIF header
+"JFIF\x00"
+
+# EXIF header
+"Exif\x00\x00"
+
+# APP segments
+"\xff\xe0\x00\x10"
+"\xff\xe1\x00\x08"
+
+# Common segment lengths
+"\x00\x02"
+"\x00\x04"
+"\x00\x08"
+"\x00\x10"
+"\x00\x40"
+"\x00\x80"
+
+# SOF markers
+"\xff\xc0"
+"\xff\xc1"
+"\xff\xc2"
+"\xff\xc3"
+
+# Huffman table marker
+"\xff\xc4"
+
+# Quantization table marker
+"\xff\xdb"
+
+# SOS marker
+"\xff\xda"
+
+# RST markers
+"\xff\xd0"
+"\xff\xd1"
+"\xff\xd2"
+"\xff\xd3"
+"\xff\xd4"
+"\xff\xd5"
+"\xff\xd6"
+"\xff\xd7"
+
+# Common dimensions
+"\x00\x01"
+"\x00\x64"
+"\x01\x00"
+"\x02\x00"
+"\x04\x00"
+
+# Bits per sample
+"\x08"
+"\x0c"
+
+# Number of components
+"\x01"
+"\x03"
+"\x04"

fuzz/jpeg_embed.fuzz.ts

@@ -0,0 +1,45 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import PDFDocument from '../src/api/PDFDocument';
+
+export async function fuzz(data: Buffer): Promise<void> {
+  // Skip empty or too large inputs
+  if (data.length === 0 || data.length > 512 * 1024) {
+    return;
+  }
+
+  try {
+    const pdfDoc = await PDFDocument.create();
+    const jpgImage = await pdfDoc.embedJpg(data);
+
+    // Exercise the embedded image
+    jpgImage.width;
+    jpgImage.height;
+    jpgImage.scale(0.5);
+    jpgImage.scaleToFit(100, 100);
+
+    // Draw the image on a page
+    const page = pdfDoc.addPage();
+    page.drawImage(jpgImage, {
+      x: 0,
+      y: 0,
+      width: Math.min(jpgImage.width, 100),
+      height: Math.min(jpgImage.height, 100),
+    });
+
+  } catch (e) {
+    // Expected for malformed JPEG data
+  }
+}

fuzz/jpeg_embed.options

@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 524288
+timeout = 30

fuzz/object_parser.fuzz.ts

@@ -0,0 +1,49 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Fuzzer for PDFObjectParser - parses individual PDF objects directly.
+ * Targets: hex strings, literal strings, arrays, dictionaries, streams, numbers, names.
+ *
+ * This fuzzer directly targets the low-level parser for maximum efficiency,
+ * avoiding the overhead of building and parsing full PDF documents.
+ */
+
+import PDFObjectParser from '../src/core/parser/PDFObjectParser';
+import PDFContext from '../src/core/PDFContext';
+
+export async function fuzz(data: Buffer): Promise<void> {
+  // Skip empty or too large inputs
+  // Using 256KB limit matching options file
+  if (data.length === 0 || data.length > 256 * 1024) {
+    return;
+  }
+
+  try {
+    const context = PDFContext.create();
+
+    // Parse directly using PDFObjectParser - no PDF wrapper needed
+    const parser = PDFObjectParser.forBytes(
+      new Uint8Array(data),
+      context,
+      false // capNumbers
+    );
+
+    // Try to parse an object from the fuzz data
+    parser.parseObject();
+
+  } catch (e) {
+    // Expected for malformed object data
+  }
+}