Merge pull request #537 from syoyo/v3

V3
2026-06-08 03:03:50 +00:00 · 2026-03-24 04:50:29 +09:00
parent 9248070755 1a04c114c6
commit b163ff225a
10 changed files with 6164 additions and 55 deletions
--- a/tests/tester.cc
+++ b/tests/tester.cc
@@ -1249,3 +1249,37 @@ TEST_CASE("empty-images-not-written", "[issue-495]") {
  // WriteImageData should be invoked for both images
  CHECK(counter == 2);
 }
+
+#ifdef TINYGLTF_USE_CUSTOM_JSON
+/* Regression test: in float32_mode, integer-only tokens with more than 9
+ * digits must still be parsed as integers (is_int == 1), not floats.
+ * Previously, max_sig=9 was applied to the integer part too, causing excess
+ * digits to bump exp10, which broke the exp10==0 guard in the integer
+ * fast-path and mis-classified the value as a float. */
+TEST_CASE("cj-float32-long-integer", "[customjson]") {
+    // Values chosen to cover exactly-at, just-over, and near int64 boundaries.
+    struct {
+        const char *text;
+        int64_t     expected;
+    } cases[] = {
+        { "1234567890",           1234567890LL        }, /* 10 digits */
+        { "12345678901",          12345678901LL       }, /* 11 digits */
+        { "1000000000000",        1000000000000LL     }, /* 13 digits */
+        { "9223372036854775807",  INT64_MAX           }, /* max int64 (19 digits) */
+        { "-1234567890",         -1234567890LL        }, /* negative 10 digits */
+        { "-9223372036854775808", INT64_MIN           }, /* min int64 */
+    };
+
+    for (auto &tc : cases) {
+        int      is_int = 0;
+        int64_t  ival   = 0;
+        double   dval   = 0.0;
+        const char *end = tc.text + strlen(tc.text);
+        const char *ret = cj_parse_number(tc.text, end, &is_int, &ival, &dval, /*float32_mode=*/1);
+        CAPTURE(tc.text);
+        REQUIRE(ret != nullptr);
+        CHECK(is_int == 1);
+        CHECK(ival == tc.expected);
+    }
+}
+#endif /* TINYGLTF_USE_CUSTOM_JSON */
--- a/tests/v3/fuzzer/Makefile
+++ b/tests/v3/fuzzer/Makefile
@@ -0,0 +1,67 @@
+# tests/v3/fuzzer/Makefile — Build libFuzzer harness for tinygltf v3
+#
+# Requires: clang++ with libFuzzer support
+#
+# Targets:
+#   make             — build fuzzer with ASan + UBSan
+#   make run         — run fuzzer with default settings
+#   make seed        — generate seed corpus from test models
+#   make clean       — remove binaries and corpus
+
+CXX       = clang++
+CXXFLAGS  = -g -O1 -std=c++17 -fno-rtti -fno-exceptions
+SANITIZE  = -fsanitize=fuzzer,address,undefined
+INCLUDES  = -I../../..
+
+FUZZER    = fuzz_gltf_v3
+CORPUS    = corpus
+ARTIFACTS = artifacts
+
+# Fuzzer runtime options
+MAX_LEN   ?= 65536
+JOBS      ?= $(shell nproc 2>/dev/null || echo 4)
+MAX_TIME  ?= 0
+
+.PHONY: all run seed clean
+
+all: $(FUZZER)
+
+$(FUZZER): fuzz_gltf_v3.cc ../../../tiny_gltf_v3.h ../../../tinygltf_json.h
+	$(CXX) $(CXXFLAGS) $(SANITIZE) $(INCLUDES) -o $@ $<
+
+run: $(FUZZER) | $(CORPUS) $(ARTIFACTS)
+	./$(FUZZER) $(CORPUS) \
+		-artifact_prefix=$(ARTIFACTS)/ \
+		-max_len=$(MAX_LEN) \
+		-jobs=$(JOBS) \
+		-workers=$(JOBS) \
+		$(if $(filter-out 0,$(MAX_TIME)),-max_total_time=$(MAX_TIME))
+
+# Generate seed corpus from existing test models
+seed: | $(CORPUS)
+	@echo "Seeding corpus from test models..."
+	@for f in ../../../models/Cube/Cube.gltf \
+	          ../../../models/Cube/Cube.glb; do \
+		if [ -f "$$f" ]; then \
+			cp "$$f" $(CORPUS)/; \
+			echo "  Added: $$f"; \
+		fi; \
+	done
+	@# Add a minimal valid glTF JSON
+	@echo '{"asset":{"version":"2.0"},"scene":0,"scenes":[{"nodes":[0]}],"nodes":[{"name":"n"}]}' > $(CORPUS)/minimal.gltf
+	@# Add a minimal valid GLB (header + empty JSON chunk)
+	@printf 'glTF\x02\x00\x00\x00\x1c\x00\x00\x00\x04\x00\x00\x00JSON{}  ' > $(CORPUS)/minimal.glb
+	@# Add edge cases
+	@echo '{}' > $(CORPUS)/empty_object.gltf
+	@echo '{"asset":{"version":"2.0"}}' > $(CORPUS)/asset_only.gltf
+	@echo "Corpus: $$(ls $(CORPUS) | wc -l) files"
+
+$(CORPUS):
+	mkdir -p $(CORPUS)
+
+$(ARTIFACTS):
+	mkdir -p $(ARTIFACTS)
+
+clean:
+	rm -f $(FUZZER)
+	rm -rf $(CORPUS) $(ARTIFACTS)
--- a/tests/v3/fuzzer/fuzz_gltf_v3.cc
+++ b/tests/v3/fuzzer/fuzz_gltf_v3.cc
@@ -0,0 +1,110 @@
+/*
+ * fuzz_gltf_v3.cc — libFuzzer harness for tinygltf v3 parser.
+ *
+ * Fuzz targets:
+ *   - Auto-detect (GLB or JSON) parse from arbitrary bytes
+ *   - Exercises JSON parser, GLB header parsing, arena allocator,
+ *     error stack, and all glTF entity parsing paths.
+ *
+ * Build (clang with libFuzzer):
+ *   clang++ -g -O1 -fsanitize=fuzzer,address,undefined \
+ *       -std=c++17 -fno-rtti -fno-exceptions \
+ *       -I../../.. -o fuzz_gltf_v3 fuzz_gltf_v3.cc
+ *
+ * Run:
+ *   ./fuzz_gltf_v3 corpus/ -max_len=65536
+ *
+ * Seed corpus: place valid .gltf and .glb files in corpus/
+ */
+
+#define TINYGLTF3_IMPLEMENTATION
+#include "tiny_gltf_v3.h"
+
+#include <cstdint>
+#include <cstddef>
+
+/* Memory budget to prevent OOM during fuzzing */
+static const uint64_t FUZZ_MEMORY_BUDGET = 64ULL * 1024 * 1024; /* 64 MB */
+
+static void fuzz_parse_auto(const uint8_t *data, size_t size) {
+    tg3_model model;
+    tg3_error_stack errors;
+    tg3_error_stack_init(&errors);
+
+    tg3_parse_options opts;
+    tg3_parse_options_init(&opts);
+    opts.memory.memory_budget = FUZZ_MEMORY_BUDGET;
+
+    tg3_parse_auto(&model, &errors, data, (uint64_t)size,
+                   "", 0, &opts);
+
+    tg3_model_free(&model);
+    tg3_error_stack_free(&errors);
+}
+
+static void fuzz_parse_json(const uint8_t *data, size_t size) {
+    tg3_model model;
+    tg3_error_stack errors;
+    tg3_error_stack_init(&errors);
+
+    tg3_parse_options opts;
+    tg3_parse_options_init(&opts);
+    opts.memory.memory_budget = FUZZ_MEMORY_BUDGET;
+
+    tg3_parse(&model, &errors, data, (uint64_t)size,
+              "", 0, &opts);
+
+    tg3_model_free(&model);
+    tg3_error_stack_free(&errors);
+}
+
+static void fuzz_parse_glb(const uint8_t *data, size_t size) {
+    tg3_model model;
+    tg3_error_stack errors;
+    tg3_error_stack_init(&errors);
+
+    tg3_parse_options opts;
+    tg3_parse_options_init(&opts);
+    opts.memory.memory_budget = FUZZ_MEMORY_BUDGET;
+
+    tg3_parse_glb(&model, &errors, data, (uint64_t)size,
+                  "", 0, &opts);
+
+    tg3_model_free(&model);
+    tg3_error_stack_free(&errors);
+}
+
+static void fuzz_parse_float32(const uint8_t *data, size_t size) {
+    tg3_model model;
+    tg3_error_stack errors;
+    tg3_error_stack_init(&errors);
+
+    tg3_parse_options opts;
+    tg3_parse_options_init(&opts);
+    opts.memory.memory_budget = FUZZ_MEMORY_BUDGET;
+    opts.parse_float32 = 1;
+
+    tg3_parse_auto(&model, &errors, data, (uint64_t)size,
+                   "", 0, &opts);
+
+    tg3_model_free(&model);
+    tg3_error_stack_free(&errors);
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size == 0) return 0;
+
+    /* Use first byte to select parse path, rest is the payload */
+    uint8_t selector = data[0] % 4;
+    const uint8_t *payload = data + 1;
+    size_t payload_size = size - 1;
+
+    switch (selector) {
+    case 0: fuzz_parse_auto(payload, payload_size);    break;
+    case 1: fuzz_parse_json(payload, payload_size);    break;
+    case 2: fuzz_parse_glb(payload, payload_size);     break;
+    case 3: fuzz_parse_float32(payload, payload_size); break;
+    }
+
+    return 0;
+}