Image · C

How to fuzz libwebp

Google's WebP codec — a single critical bug here puts billions of devices at risk.

CVE-2023-4863 demonstrated that libwebp ships in Chrome, Safari, Firefox, Android, and countless Electron apps — a single heap overflow becomes a universal RCE primitive. The Huffman table parser and VP8L bitstream reader are both complex and performance-sensitive, creating fertile ground for boundary bugs.

Common bug classes

  • Heap buffer overflow in Huffman code length parsing (VP8L)
  • Out-of-bounds read in colour cache lookup
  • Integer overflow in canvas dimension arithmetic
  • Heap corruption in backward reference copy
  • Out-of-bounds write in colour transform decoding

Recommended setup

Fuzzers

  • AFL++
  • libFuzzer
  • Honggfuzz
  • Centipede

Sanitizers

  • ASan
  • UBSan
  • MSan

Harness scaffold

#include <stdint.h>
#include <stddef.h>
#include <webp/decode.h>

// libFuzzer resolves this entry point by its C symbol name. Because the
// scaffold is saved as fuzz_target.cc and compiled as C++, extern "C" is
// required so the name is not mangled (otherwise the link step fails).
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  WebPDecoderConfig config;
  // Fails only on a header/library ABI mismatch; nothing useful to fuzz then.
  if (!WebPInitDecoderConfig(&config)) return 0;
  config.options.use_threads = 0;       // single-threaded: deterministic repros
  config.output.colorspace = MODE_RGBA; // exercises the full colour conversion path
  // The status code is deliberately ignored: malformed input is expected,
  // and the sanitizers report any memory error directly.
  WebPDecode(data, size, &config);
  WebPFreeDecBuffer(&config.output);    // safe to call even when decoding failed
  return 0;
}

Save this as fuzz_target.cc, build with your compiler + sanitizer flags, and you have a working starting point.
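The bug-class list above names integer overflow in canvas dimension arithmetic, and a harness that decodes everything it is handed also burns cycles on inputs whose declared canvas would need gigabytes of output, which the fuzzer then reports as out-of-memory noise rather than a real bug. The following added example (written for this page, not libwebp's own code) shows a small pre-decode gate a harness could call before WebPDecode: it reads the VP8L image header (signature byte 0x2f followed by a 32-bit little-endian word holding 14 bits of width-1, 14 bits of height-1, one alpha bit and three version bits, either bare or inside a RIFF/WEBP container), then computes the RGBA buffer size with explicit overflow checks against a caller-supplied limit. The function names, the `vp8l_header` struct and the 300x200 sample header are this example's own constructions; the size check is written generically so it also covers the 24-bit canvas fields of the VP8X extended format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libwebp code: a cheap pre-decode gate for a harness.
 * It parses the VP8L header, derives the canvas size and checks the RGBA
 * buffer size against a bound before the real decoder is invoked. */

#define VP8L_SIGNATURE 0x2f
#define RIFF_HEADER_LEN 20  /* "RIFF" u32size "WEBP" "VP8L" u32chunksize */

typedef struct {
  uint32_t width;   /* 1..16384 (14-bit field + 1) */
  uint32_t height;  /* 1..16384 */
  bool has_alpha;
  uint8_t version;  /* must be 0 */
} vp8l_header;

/* Parse the 5-byte VP8L image header. After the 0x2f signature comes a
 * little-endian 32-bit word: 14 bits width-1, 14 bits height-1, 1 bit alpha,
 * 3 bits version. A bare bitstream or a RIFF/WEBP container with a leading
 * VP8L chunk are both accepted. Returns false for anything malformed. */
bool parse_vp8l_header(const uint8_t *data, size_t size, vp8l_header *out) {
  size_t off = 0;
  if (size >= RIFF_HEADER_LEN && memcmp(data, "RIFF", 4) == 0 &&
      memcmp(data + 8, "WEBP", 4) == 0 && memcmp(data + 12, "VP8L", 4) == 0) {
    off = RIFF_HEADER_LEN;
  }
  if (size < off + 5 || data[off] != VP8L_SIGNATURE) return false;
  uint32_t bits = (uint32_t)data[off + 1] | ((uint32_t)data[off + 2] << 8) |
                  ((uint32_t)data[off + 3] << 16) | ((uint32_t)data[off + 4] << 24);
  out->width = (bits & 0x3FFFu) + 1;
  out->height = ((bits >> 14) & 0x3FFFu) + 1;
  out->has_alpha = (bits >> 28) & 1u;
  out->version = (uint8_t)((bits >> 29) & 7u);
  return out->version == 0;
}

/* Overflow-safe width*height*bytes_per_pixel. Returns false when any
 * intermediate product would wrap or the result exceeds `limit` (which,
 * being a size_t, also guarantees the result fits in size_t). */
bool checked_buffer_size(uint64_t width, uint64_t height, uint64_t bpp,
                         size_t limit, size_t *out) {
  if (width == 0 || height == 0 || bpp == 0) return false;
  if (width > UINT64_MAX / height) return false;   /* width*height would wrap */
  uint64_t px = width * height;
  if (px > UINT64_MAX / bpp) return false;         /* px*bpp would wrap */
  uint64_t bytes = px * bpp;
  if (bytes > limit) return false;
  *out = (size_t)bytes;
  return true;
}

/* Harness gate: decode only when the RGBA output stays within `limit` bytes.
 * Inputs that are not a parseable VP8L header (lossy VP8, VP8X, or simply
 * garbage) are passed through so the decoder itself gets to reject them. */
bool should_decode(const uint8_t *data, size_t size, size_t limit) {
  vp8l_header h;
  size_t bytes;
  if (!parse_vp8l_header(data, size, &h)) return true;
  return checked_buffer_size(h.width, h.height, 4, limit, &bytes);
}

/* Constructed sample: bare VP8L header for a 300x200 image with alpha.
 * width-1 = 299 = 0x12B, height-1 = 199 = 0xC7, alpha = 1, version = 0
 * -> packed word 0x1031C12B, stored little-endian after the signature. */
static const uint8_t kSampleVp8l[5] = {0x2f, 0x2b, 0xc1, 0x31, 0x10};

const uint8_t *sample_vp8l(size_t *len) {
  *len = sizeof kSampleVp8l;
  return kSampleVp8l;
}
```

In a harness, `should_decode(data, size, limit)` goes just before the WebPDecode call with a limit matching the fuzzer's memory budget (for example the value passed to libFuzzer's -rss_limit_mb); inputs it rejects return 0 without decoding. Keep the limit generous: the point is to drop canvases that can never be allocated, not to hide real bugs that only trigger at large but feasible sizes.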

Notable CVEs found by fuzzing

  • CVE-2023-4863

Start fuzzing libwebp on Fuzze.rs →

Push the harness above + a Dockerfile. First month 50% off.