[fix][tests] Fix Expand, Extract, Select fuzz tests (#1243)

* Fixed expand, extract and select fuzz tests: filtered invalid inputs to prevent invalid memory access

Author: nmizonov

tools/tests/fuzzing/low-level-api/expand_fuzz_test.cpp

@@ -10,6 +10,8 @@
 
 #include "qpl/qpl.h"
 
+#include "filtering_fuzz_common.hpp"
+
 #ifndef QPL_EXECUTION_PATH
 #define QPL_EXECUTION_PATH qpl_path_software
 #endif
@@ -34,23 +36,31 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
     Size--;
 
     if (Size > sizeof(expand_properties)) {
-        expand_properties properties_ptr = *reinterpret_cast<const expand_properties*>(Data);
+        expand_properties properties = *reinterpret_cast<const expand_properties*>(Data);
 
         // Make sure the output bit width is in the valid range of enum qpl_out_format
-        properties_ptr.output_bit_width = static_cast<qpl_out_format>(properties_ptr.output_bit_width % 4);
-        properties_ptr.input_bit_width  = properties_ptr.input_bit_width % 32;
+        properties.output_bit_width =
+                static_cast<qpl_out_format>(static_cast<uint8_t>(properties.output_bit_width) % 4);
+        properties.input_bit_width = properties.input_bit_width % 32;
 
         Data += sizeof(expand_properties);
         Size -= sizeof(expand_properties);
 
-        auto mask_byte_length = properties_ptr.mask_byte_length % (32 * 1024);
-        if (Size > mask_byte_length) {
+        auto mask_byte_length = properties.mask_byte_length % (32 * 1024);
+
+        const int64_t source_size   = static_cast<int64_t>(Size) - static_cast<int64_t>(mask_byte_length);
+        const bool    is_rle_parser = qpl_p_parquet_rle == parser;
+        const auto    source_ptr    = Data + mask_byte_length;
+        const bool    is_good_data  = validate_filtering_input(properties.input_bit_width, source_ptr, is_rle_parser,
+                                                               properties.output_bit_width, properties.number_of_elements,
+                                                               source_size, properties.destination_size);
+        if (is_good_data) {
             std::vector<uint8_t> mask(Data, Data + mask_byte_length);
 
             std::vector<uint8_t> source(Data + mask_byte_length, Data + Size);
-            properties_ptr.destination_size =
-                    std::min(static_cast<uint32_t>(mask_byte_length * 32), properties_ptr.destination_size);
-            std::vector<uint8_t> destination(properties_ptr.destination_size);
+            properties.destination_size =
+                    std::min(static_cast<uint32_t>(mask_byte_length * 32), properties.destination_size);
+            std::vector<uint8_t> destination(properties.destination_size);
 
             qpl_status status;
             uint32_t   job_size = 0;
@@ -72,10 +82,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
             job_ptr->next_out_ptr       = destination.data();
             job_ptr->available_out      = destination.size();
             job_ptr->op                 = qpl_op_expand;
-            job_ptr->num_input_elements = properties_ptr.number_of_elements;
-            job_ptr->src1_bit_width     = properties_ptr.input_bit_width;
-            job_ptr->src2_bit_width     = properties_ptr.input_bit_width_2;
-            job_ptr->out_bit_width      = properties_ptr.output_bit_width;
+            job_ptr->num_input_elements = properties.number_of_elements;
+            job_ptr->src1_bit_width     = properties.input_bit_width;
+            job_ptr->src2_bit_width     = properties.input_bit_width_2;
+            job_ptr->out_bit_width      = properties.output_bit_width;
             job_ptr->parser             = parser;
 
             status = qpl_execute_job(job_ptr);

tools/tests/fuzzing/low-level-api/extract_fuzz_test.cpp

@@ -9,6 +9,8 @@
 
 #include "qpl/qpl.h"
 
+#include "filtering_fuzz_common.hpp"
+
 #ifndef QPL_EXECUTION_PATH
 #define QPL_EXECUTION_PATH qpl_path_software
 #endif
@@ -33,36 +35,50 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
     Size--;
 
     if (Size > sizeof(extract_properties)) {
-        auto*                properties_ptr = reinterpret_cast<const extract_properties*>(Data);
-        std::vector<uint8_t> source(Data + sizeof(extract_properties), Data + Size);
-        std::vector<uint8_t> destination(properties_ptr->destination_size);
-
-        qpl_status status;
-        uint32_t   job_size = 0;
-
-        // Job initialization
-        status = qpl_get_job_size(execution_path, &job_size);
-        if (status != QPL_STS_OK) { return 0; }
-
-        auto     job_buffer = std::make_unique<uint8_t[]>(job_size);
-        qpl_job* job_ptr    = reinterpret_cast<qpl_job*>(job_buffer.get());
-
-        status = qpl_init_job(execution_path, job_ptr);
-        if (status != QPL_STS_OK) { return 0; }
-
-        job_ptr->next_in_ptr        = source.data();
-        job_ptr->available_in       = source.size();
-        job_ptr->next_out_ptr       = destination.data();
-        job_ptr->available_out      = destination.size();
-        job_ptr->op                 = qpl_op_extract;
-        job_ptr->num_input_elements = properties_ptr->number_of_elements;
-        job_ptr->src1_bit_width     = properties_ptr->input_bit_width;
-        job_ptr->param_low          = properties_ptr->low_index_boundary;
-        job_ptr->param_high         = properties_ptr->high_index_boundary;
-        job_ptr->out_bit_width      = properties_ptr->output_bit_width;
-        job_ptr->parser             = parser;
-
-        status = qpl_execute_job(job_ptr);
+        extract_properties properties = *reinterpret_cast<const extract_properties*>(Data);
+
+        // Make sure the output bit width is in the valid range of enum qpl_out_format
+        properties.output_bit_width =
+                static_cast<qpl_out_format>(static_cast<uint8_t>(properties.output_bit_width) % 4);
+
+        const int64_t source_size   = static_cast<int64_t>(Size) - sizeof(extract_properties);
+        const bool    is_rle_parser = qpl_p_parquet_rle == parser;
+        const auto    source_ptr    = Data + sizeof(extract_properties);
+        bool          is_good_data  = validate_filtering_input(properties.input_bit_width, source_ptr, is_rle_parser,
+                                                               properties.output_bit_width, properties.number_of_elements,
+                                                               source_size, properties.destination_size);
+        if (properties.high_index_boundary > properties.number_of_elements) { is_good_data = false; }
+        if (is_good_data) {
+            std::vector<uint8_t> source(Data + sizeof(extract_properties), Data + Size);
+            std::vector<uint8_t> destination(properties.destination_size);
+
+            qpl_status status;
+            uint32_t   job_size = 0;
+
+            // Job initialization
+            status = qpl_get_job_size(execution_path, &job_size);
+            if (status != QPL_STS_OK) { return 0; }
+
+            auto     job_buffer = std::make_unique<uint8_t[]>(job_size);
+            qpl_job* job_ptr    = reinterpret_cast<qpl_job*>(job_buffer.get());
+
+            status = qpl_init_job(execution_path, job_ptr);
+            if (status != QPL_STS_OK) { return 0; }
+
+            job_ptr->next_in_ptr        = source.data();
+            job_ptr->available_in       = source.size();
+            job_ptr->next_out_ptr       = destination.data();
+            job_ptr->available_out      = destination.size();
+            job_ptr->op                 = qpl_op_extract;
+            job_ptr->num_input_elements = properties.number_of_elements;
+            job_ptr->src1_bit_width     = properties.input_bit_width;
+            job_ptr->param_low          = properties.low_index_boundary;
+            job_ptr->param_high         = properties.high_index_boundary;
+            job_ptr->out_bit_width      = properties.output_bit_width;
+            job_ptr->parser             = parser;
+
+            status = qpl_execute_job(job_ptr);
+        }
     }
 
     return 0;

tools/tests/fuzzing/low-level-api/filtering_fuzz_common.hpp

@@ -0,0 +1,43 @@
+/*******************************************************************************
+ * Copyright (C) 2025 Intel Corporation
+ *
+ * SPDX-License-Identifier: MIT
+ ******************************************************************************/
+
+#pragma once
+
+#include "qpl/c_api/defs.h"
+
+constexpr uint32_t qpl_out_format_to_uint(qpl_out_format output) {
+    switch (output) {
+        case qpl_ow_nom: return 1U;
+        case qpl_ow_8: return 8U;
+        case qpl_ow_16: return 16U;
+        case qpl_ow_32: return 32U;
+        default: return 1U;
+    }
+}
+
+inline bool validate_filtering_input(uint32_t input_bit_width_1, const uint8_t* p_input_bit_width_2,
+                                     bool is_bit_width_2, qpl_out_format out_format_enum, size_t number_of_elements,
+                                     int64_t src_available_bytes, size_t dst_available_bytes) {
+    if (src_available_bytes <= 0) { return false; }
+
+    // Check if input and output bit widths are valid
+    uint32_t input_bit_width = input_bit_width_1;
+    if (is_bit_width_2) { input_bit_width = static_cast<uint32_t>(*p_input_bit_width_2); }
+    const uint32_t output_bit_width = qpl_out_format_to_uint(out_format_enum);
+    if (input_bit_width > output_bit_width) { return false; }
+
+    // Check if input and output sizes are valid
+    const size_t src_required_bytes = (number_of_elements * input_bit_width + 7) / 8;
+    const size_t dst_required_bytes = (number_of_elements * output_bit_width + 7) / 8;
+    if (src_required_bytes > src_available_bytes || dst_required_bytes > dst_available_bytes) { return false; }
+
+    // Check if number of elements can be written with the given output bit width
+    if (output_bit_width != 1U) {
+        const uint32_t max_output_value = (1ULL << output_bit_width) - 1;
+        if (max_output_value < number_of_elements) { return false; }
+    }
+    return true;
+}

tools/tests/fuzzing/low-level-api/select_fuzz_test.cpp

@@ -9,6 +9,8 @@
 
 #include "qpl/qpl.h"
 
+#include "filtering_fuzz_common.hpp"
+
 #ifndef QPL_EXECUTION_PATH
 #define QPL_EXECUTION_PATH qpl_path_software
 #endif
@@ -33,14 +35,26 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
     Size--;
 
     if (Size > sizeof(select_properties)) {
-        auto* properties_ptr   = reinterpret_cast<const select_properties*>(Data);
-        auto  mask_byte_length = properties_ptr->mask_byte_length % 4096;
-        if (Size > sizeof(select_properties) + mask_byte_length) {
+        select_properties properties       = *reinterpret_cast<const select_properties*>(Data);
+        auto              mask_byte_length = properties.mask_byte_length % 4096;
+
+        // Make sure the output bit width is in the valid range of enum qpl_out_format
+        properties.output_bit_width =
+                static_cast<qpl_out_format>(static_cast<uint8_t>(properties.output_bit_width) % 4);
+
+        const int64_t source_size = static_cast<int64_t>(Size) - static_cast<int64_t>(sizeof(select_properties)) -
+                                    static_cast<int64_t>(mask_byte_length);
+        const bool is_rle_parser = qpl_p_parquet_rle == parser;
+        const auto source_ptr    = Data + sizeof(select_properties) + mask_byte_length;
+        const bool is_good_data  = validate_filtering_input(properties.input_bit_width, source_ptr, is_rle_parser,
+                                                            properties.output_bit_width, properties.number_of_elements,
+                                                            source_size, properties.destination_size);
+        if (is_good_data) {
             std::vector<uint8_t> mask(Data + sizeof(select_properties),
                                       Data + sizeof(select_properties) + mask_byte_length);
 
             std::vector<uint8_t> source(Data + sizeof(select_properties) + mask_byte_length, Data + Size);
-            std::vector<uint8_t> destination(properties_ptr->destination_size);
+            std::vector<uint8_t> destination(properties.destination_size);
 
             qpl_status status;
             uint32_t   job_size = 0;
@@ -62,10 +76,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
             job_ptr->next_out_ptr       = destination.data();
             job_ptr->available_out      = destination.size();
             job_ptr->op                 = qpl_op_select;
-            job_ptr->num_input_elements = properties_ptr->number_of_elements;
-            job_ptr->src1_bit_width     = properties_ptr->input_bit_width;
-            job_ptr->src2_bit_width     = properties_ptr->input_bit_width_2;
-            job_ptr->out_bit_width      = properties_ptr->output_bit_width;
+            job_ptr->num_input_elements = properties.number_of_elements;
+            job_ptr->src1_bit_width     = properties.input_bit_width;
+            job_ptr->src2_bit_width     = properties.input_bit_width_2;
+            job_ptr->out_bit_width      = properties.output_bit_width;
             job_ptr->parser             = parser;
 
             status = qpl_execute_job(job_ptr);