How to fuzz libvips
libvips parallelises image processing via a lazy pipeline — race-prone and worth fuzzing.
libvips evaluates image operations lazily through a directed pipeline graph, deferring allocation and freeing regions as tiles are computed. This model makes memory lifetime tricky to reason about, and its many loader plugins (JPEG, PNG, HEIF, TIFF, WebP, SVG) each introduce unique parsing attack surfaces.
Common bug classes
- Use-after-free in pipeline region reference counting
- Heap buffer overflow in format-specific loader tile assembly
- Integer overflow in image dimension metadata from loader
- Double-free in error-path cleanup of partially loaded images
- Out-of-bounds read in ICC colour profile embedding
Recommended setup
Fuzzers
- AFL++
- libFuzzer
Sanitizers
- ASan
- UBSan
- TSan
Harness scaffold

```c
#include <stdint.h>
#include <stddef.h>
#include <vips/vips.h>
#ifdef __cplusplus
extern "C" {   /* libFuzzer looks up these entry points by their unmangled C names */
#endif
/* Runs once before fuzzing starts: libvips must be initialised before any loader call. */
int LLVMFuzzerInitialize(int *argc, char ***argv) {
    if (VIPS_INIT((*argv)[0])) vips_error_exit(NULL);
    return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size == 0) return 0;
    VipsImage *image = NULL;
    /* Try each buffer loader in turn; a loader that rejects the data leaves
     * image NULL and appends a message to the vips error buffer. */
    vips_jpegload_buffer((void *)data, size, &image, NULL);
    if (!image)
        vips_pngload_buffer((void *)data, size, &image, NULL);
    if (!image)
        vips_webpload_buffer((void *)data, size, &image, NULL);
    if (image) g_object_unref(image);
    vips_error_clear();   /* drop accumulated error messages between inputs */
    return 0;
}
#ifdef __cplusplus
}
#endif
```

Save this as fuzz_target.cc, build with your compiler + sanitizer flags, and you have a working starting point.