4 releases (2 breaking)
0.5.1 | Oct 31, 2023 |
---|---|
0.5.0 | Oct 22, 2023 |
0.4.0 | Oct 17, 2023 |
0.3.2 | Oct 8, 2023 |
#386 in Images
4,524 downloads per month
145KB
3K
SLoC
webpsan
A Rust WebP format "sanitizer".
The sanitizer currently simply checks the validity of a WebP file input, so that passing malformed files to an unsafe parser can be avoided.
Usage
The main entry points to the sanitizer are sanitize
, which take a Read
+ Skip
input. The Skip
trait
represents a subset of the Seek
trait; an input stream which can be skipped forward, but not necessarily seeked to
arbitrary positions.
let example_input = b"RIFF\x14\0\0\0WEBPVP8L\x08\0\0\0\x2f\0\0\0\0\x88\x88\x08";
webpsan::sanitize(std::io::Cursor::new(example_input)).unwrap();
The parse
module also contains a less stable and undocumented API which can be used to parse individual WebP chunk
types.
API Documentation
Private Documentation
Contributing Bug Reports
GitHub is the project's bug tracker. Please search for similar existing issues before submitting a new one.
Testing
libwebp
-based verification of webpsan tests can be enabled using the webpsan-test/libwebp
feature. libwebp
is
linked statically, so does not need to be installed for the tests.
The test_data
integration test runs on sample data files in the private
test-data
submodule. If you have access to this repo, you may check out the submodule manually:
$ git submodule update --init --checkout
Fuzz Testing
Fuzz testing via both cargo afl
and cargo fuzz
is supported. See the Rust Fuzz Book for more details. To run AFL-based fuzzing:
$ cargo install cargo-afl
$ cd fuzz-afl
$ ./fuzz $num_cpus
To run libFuzzer-based fuzzing:
$ cargo +nightly install cargo-fuzz
$ cargo +nightly fuzz run sanitize -- -dict=fuzz/webp.dict -seed_inputs=fuzz/input/smallest-possible.webp
OSS-Fuzz
Continuous fuzz testing is also provided by OSS-Fuzz.
Build Status
Code Coverage
Bugs Found
License
Licensed under MIT.
Dependencies
~2–3MB
~57K SLoC