•   2 min read

MozJPEG Fuzzing

This blog post details the steps I took to set up AFL fuzzer to target MozJPEG. I did this using the base image that was set up in the post on fuzzing XPDF. This post is written to document how to fuzz something like an image parser.

Install prerequisites

These are required in addition to anything inherited from the previous blog post.

sudo apt-get install nasm autoreconf libtool

Prepare MozJPEG

cd ~/Downloads
wget "https://github.com/mozilla/mozjpeg/releases/download/v3.1/mozjpeg-3.1-release-source.tar.gz"
tar -xf mozjpeg-3.1-release-source.tar.gz
cd mozjpeg
# Running `autoreconf` is required to avoid some errors.
autoreconf -f -i
# Instrument MozJPEG using AFL
CC=~/bin/afl/afl-gcc ./configure --disable-shared
make clean all AFL_HARDEN=1

Prepare ramdisk

This code is used to set up a ramdisk, which should hopefully speed up reads and writes.

cat << EOF > ~/bin/set-up-ramdisk.sh
if grep -qs '/tmp/afl-ramdisk' /proc/mounts; then
    sudo umount /tmp/afl-ramdisk
    rm -rf /tmp/afl-ramdisk
sudo mkdir /tmp/afl-ramdisk && sudo chmod 777 /tmp/afl-ramdisk
sudo mount -t tmpfs -o size=1G tmpfs /tmp/afl-ramdisk
cp -R ~/Downloads/mozjpeg /tmp/afl-ramdisk
cp -R ~/bin/afl /tmp/afl-ramdisk
cp -R ~/bin/afl/testcases/images/jpeg/ /tmp/afl-ramdisk/samples
chmod +x ~/bin/set-up-ramdisk.sh
sudo -E env "PATH=$PATH" set-up-ramdisk.sh

Prepare AFL

This is required in order to run AFL.

sudo su
echo core >/proc/sys/kernel/core_pattern

Start fuzzing

Kick off the fuzzer.

cd /tmp/afl-ramdisk
export PATH="$PATH:/tmp/afl-ramdisk/afl"
sudo chown $(whoami):$(whoami) -R afl/ samples/ mozjpeg/
mkdir cjpeg_out
afl-launch -m="2G" -i samples -o afl_out -n 4 mozjpeg/cjpeg -quality 70 \
    -outfile cjpeg_out/afl-image.jpg @@

For some options, check out this post. Of note, some options that are available are:

  • The -quality option accepts fractional numbers (necessary if you want to make a fair benchmark) and two numbers separated by commas to set quality of brightness and color separately, e.g. -quality 60,70.
  • -sample 1x1 enables full-resolution color (e.g. red lines won’t be smudged as badly), but it makes files larger.
  • -quant-table 2 (mentioned earlier) makes images softer and reduces posterization in low qualities.
  • -notrellis makes images sharper, but increases file size.
  • -outfile defines path where result is (over)written to. And the last argument is the source image. It can be a PNG, a very high-quality JPEG or Targa.

The status of the fuzzer can be checked with afl-whatsup:

watch afl-whatsup -s pdf-out

Performance is decent, hovering around 1500 execs/second: