Add fuzzers to exercise specific pipeline classes

.gitignore

@@ -25,5 +25,4 @@ manual/html.xsl
 manual/print.xsl
 qpdf/build/
 zlib-flate/build/
-fuzz/qpdf_fuzzer_seed_corpus/
 distribution/

fuzz/ascii85_fuzzer.cc

@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_ASCII85Decoder.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+  public:
+    FuzzHelper(unsigned char const* data, size_t size);
+    void run();
+
+  private:
+    void doChecks();
+
+    unsigned char const* data;
+    size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+    data(data),
+    size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+    Pl_Discard discard;
+    Pl_ASCII85Decoder p("decode", &discard);
+    p.write(const_cast<unsigned char*>(data), size);
+    p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+    try
+    {
+        doChecks();
+    }
+    catch (std::runtime_error const& e)
+    {
+        std::cerr << "runtime_error: " << e.what() << std::endl;
+    }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+    FuzzHelper f(data, size);
+    f.run();
+    return 0;
+}

fuzz/ascii85_fuzzer_seed_corpus/a0113b6bc9b18c0d120bdf79f10a4928dc6fc908

@@ -0,0 +1,43 @@
+70!<9iWTSm7K<E>iWTSm7fWNCiWTSm8,rWHiWTSm8H8`MiWTSm8cSiRiWTSm
+9)nrWiWTSm9E5&\iWTSm9`P/aiWTSm:&k8fiWTSm:B1AkiWTSm:]LJpiWTSm
+;#gSuiWTSm;?-]%iWTSm;ZHf*iWTSm;uco/iWTSm<<*#4iWTSm<WE,9iWTSm
+<r`5>iWTSm=9&>CiWTSm=TAGHiWTSm=o\P&M<.ZglicMP!!!"'J]"ig!<A%A
+q#CBoL!k&HkhZ:>!9c9E!!)4J#6=g,>KOe_2$i.E#lc1Zi<9Je!!!$!,nT#=
+#\X2<!!)9As8W-!,o#;A#\XJD!!)91s8W-!,oGSE#\XbL!!)9!s8W-!,okkI
+#\Y%T!!)8fs8W-!,p;.M#\Y=\!!)8Vs8W-!,p_FQ#\YUd!!)8Fs8W-!,q.^U
+#\Yml!!)86s8W-!,qS!Y#\Z0t!!)8&s8W-!,r"9]#\ZI'!!)7ks8W-!,rFQa
+#\Za/!!)7[s8W-!,rjie#\[$7!!)7Ks8W-!,s:,i#\[<?!!)7;s8W-!,s^Dm
+#\[TG!!)7+s8W-!,t-\q#\[lO!!)6ps8W-!,tQtu#\\/W!!)6`s8W-!,u!8$
+#\\G_!!)9Qrr<#u,uEP(#\\_g!!)9Arr<#u,uih,#\]"o!!)91rr<#u-!9+0
+#\];"!!)9!rr<#u-!]C4#\]S*!!)8frr<#u-",[8#\]k2!!)8Vrr<#u-"Ps<
+#\^.:!!)8Frr<#u-"u6@#\^FB!!)86rr<#u-#DND#\^^J!!)8&rr<#u-#hfH
+#\_!R!!)7krr<#u-$8)L#\_9Z!!)7[rr<#u-$\AP#\_Qb!!)7Krr<#u-%+YT
+#\_ij!!)7;rr<#u-%OqX#\`,r!!)7+rr<#u-%t4\#\`E%!!)6prr<#u-&CL`
+#\`]-!!)6`rr<#u-&gdd#\`u5!!)9QrVuot-'7'h#\X2=!!)9ArVuot-'[?l
+#\XJE!!)91rVuot-(*Wp#\XbM!!)9!rVuot-(Not#\Y%U!!)8frVuot-(s3#
+#\Y=]!!)8VrVuot-)BK'#\YUe!!)8FrVuot-)fc+#\Ymm!!)86rVuot-*6&/
+#\Z0u!!)8&rVuot-*Z>3#\ZI(!!)7krVuot-+)V7#\Za0!!)7[rVuot-+Mn;
+#\[$8!!)7KrVuot-+r1?#\[<@!!)7;rVuot-,AIC#\[TH!!)7+rVuot-,eaG
+#\[lP!!)6prVuot--5$K#\\/X!!)6`rVuot--Y<O#\\G`!!)9Qr;Zfs-.(TS
+#\\_h!!)9Ar;Zfs-.LlW#\]"p!!)91r;Zfs-.q/[#\];#!!)9!r;Zfs-/@G_
+#\]S+!!)8fr;Zfs-/d_c#\]k3!!)8Vr;Zfs-04"g#\^.;!!)8Fr;Zfs-0X:k
+#\^FC!!)86r;Zfs-1'Ro#\^^K!!)8&r;Zfs-1Kjs#\_!S!!)7kr;Zfs-1p."
+#\_9[!!)7[r;Zfs-2?F&#\_Qc!!)7Kr;Zfs-2c^*#\_ik!!)7;r;Zfs,llp.
+#\`,s!!)7+r;Zfs,m<32#\`E&!!)6pr;Zfs,m`K6#\`].!!)6`r;Zfs,n/c:
+#\`u6!!)9Qqu?]r,nT&>#\X2>!!)9Aqu?]r,o#>B#\XJF!!)91qu?]r,oGVF
+#\XbN!!)9!qu?]r,oknJ#\Y%V!!)8fqu?]r,p;1N#\Y=^!!)8Vqu?]r,p_IR
+#\YUf!!)8Fqu?]r,q.aV#\Ymn!!)86qu?]r,qS$Z#\Z1!!!)8&qu?]r,r"<^
+#\ZI)!!)7kqu?]r,rFTb#\Za1!!)7[qu?]r,rjlf#\[$9!!)7Kqu?]r,s:/j
+#\[<A!!)7;qu?]r,s^Gn#\[TI!!)7+qu?]r,t-_r#\[lQ!!)6pqu?]r,tR#!
+#\\/Y!!)6`qu?]r,u!;%#\\Ga!!)9QqZ$Tq,uES)#\\_i!!)9AqZ$Tq,uik-
+#\]"q!!)91qZ$Tq-!9.1#\];$!!)9!qZ$Tq-!]F5#\]S,!!)8fqZ$Tq-",^9
+#\]k4!!)8VqZ$Tq-"Q!=#\^.<!!)8FqZ$Tq-"u9A#\^FD!!)86qZ$Tq-#DQE
+#\^^L!!)8&qZ$Tq-#hiI#\_!T!!)7kqZ$Tq-$8,M#\_9\!!)7[qZ$Tq-$\DQ
+#\_Qd!!)7KqZ$Qqzz!!!!Rm9YY.KB2Mu<)RB0Rfs(2&=Wh/;-%B"jobtRPPb
+C[oT5/rOH>QcOH>QcOH>Q(M<0BV#_5(Ziro\gF:@ITK>7VbLuJRDs3dTsiWT
+UG&;APTlc'+Liro\hahs3?M<0BV#b_gf"UKgtF:u(`!!!"Q^iTn'"=+Q:"UP
+.Tahs4%OH>QcOH>QcOH>Q(M<0BV(lLfgMbOV<:]u[VM+f0#a$_0]zM,Y`'M$
+,*fQi6sbahs4"F=$ufM<0BV#`0NHMd6aJF<h!IFU3mu"H-:`MZts>1!q`($,
+La&Mb=>67L4oV%#\-p0uu*'$.'3I^kop\iW4rW,`0m+F<h!Gls7MgF=%!]+Q
+Wb4<Jfgk^i]p@70oY2jTPoq_i8g>NP$V=!!!"m+QWb4<Jfgk^i^*[,io18K>
+7M_,io18?,Mb`F=$ufKYWH+F:?1n~>trailing garbage

fuzz/build.mk

@@ -1,7 +1,16 @@
 # This directory contains support for Google's oss-fuzz project. See
 # https://github.com/google/oss-fuzz/tree/master/projects/qpdf
 
-FUZZERS = qpdf_fuzzer
+FUZZERS = \
+    qpdf_fuzzer \
+    ascii85_fuzzer \
+    dct_fuzzer \
+    flate_fuzzer \
+    hex_fuzzer \
+    lzw_fuzzer \
+    pngpredictor_fuzzer \
+    runlength_fuzzer \
+    tiffpredictor_fuzzer
 
 DEFAULT_FUZZ_RUNNER := standalone_fuzz_target_runner
 OBJ_DEFAULT_FUZZ := fuzz/$(OUTPUT_DIR)/$(DEFAULT_FUZZ_RUNNER).$(OBJ)
@@ -9,7 +18,8 @@ OBJ_DEFAULT_FUZZ := fuzz/$(OUTPUT_DIR)/$(DEFAULT_FUZZ_RUNNER).$(OBJ)
 BINS_fuzz = $(foreach B,$(FUZZERS),fuzz/$(OUTPUT_DIR)/$(call binname,$(B)))
 TARGETS_fuzz = $(OBJ_DEFAULT_FUZZ) $(BINS_fuzz) fuzz_corpus
 
-INCLUDES_fuzz = include
+# Fuzzers test private classes too, so we need libqpdf in the include path
+INCLUDES_fuzz = include libqpdf
 
 # LIB_FUZZING_ENGINE is overridden by oss-fuzz
 LIB_FUZZING_ENGINE ?= $(OBJ_DEFAULT_FUZZ)
@@ -129,6 +139,8 @@ install_fuzz: $(STATIC_BINS_fuzz)
 	  fi; \
 	  if test -d fuzz/$(OUTPUT_DIR)/$${B}_seed_corpus; then \
 	    (cd fuzz/$(OUTPUT_DIR)/$${B}_seed_corpus; zip -q -r $(OUT)/$${B}_seed_corpus.zip .); \
+	  elif test -d fuzz/$${B}_seed_corpus; then \
+	    (cd fuzz/$${B}_seed_corpus; zip -q -r $(OUT)/$${B}_seed_corpus.zip .); \
 	  fi; \
 	done
 

fuzz/dct_fuzzer.cc

@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_DCT.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+  public:
+    FuzzHelper(unsigned char const* data, size_t size);
+    void run();
+
+  private:
+    void doChecks();
+
+    unsigned char const* data;
+    size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+    data(data),
+    size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+    Pl_Discard discard;
+    Pl_DCT p("decode", &discard);
+    p.write(const_cast<unsigned char*>(data), size);
+    p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+    try
+    {
+        doChecks();
+    }
+    catch (std::runtime_error const& e)
+    {
+        std::cerr << "runtime_error: " << e.what() << std::endl;
+    }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+    FuzzHelper f(data, size);
+    f.run();
+    return 0;
+}

fuzz/flate_fuzzer.cc

@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_Flate.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+  public:
+    FuzzHelper(unsigned char const* data, size_t size);
+    void run();
+
+  private:
+    void doChecks();
+
+    unsigned char const* data;
+    size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+    data(data),
+    size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+    Pl_Discard discard;
+    Pl_Flate p("decode", &discard, Pl_Flate::a_deflate);
+    p.write(const_cast<unsigned char*>(data), size);
+    p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+    try
+    {
+        doChecks();
+    }
+    catch (std::runtime_error const& e)
+    {
+        std::cerr << "runtime_error: " << e.what() << std::endl;
+    }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+    FuzzHelper f(data, size);
+    f.run();
+    return 0;
+}

fuzz/hex_fuzzer.cc

@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_ASCIIHexDecoder.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+  public:
+    FuzzHelper(unsigned char const* data, size_t size);
+    void run();
+
+  private:
+    void doChecks();
+
+    unsigned char const* data;
+    size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+    data(data),
+    size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+    Pl_Discard discard;
+    Pl_ASCIIHexDecoder p("decode", &discard);
+    p.write(const_cast<unsigned char*>(data), size);
+    p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+    try
+    {
+        doChecks();
+    }
+    catch (std::runtime_error const& e)
+    {
+        std::cerr << "runtime_error: " << e.what() << std::endl;
+    }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+    FuzzHelper f(data, size);
+    f.run();
+    return 0;
+}

fuzz/hex_fuzzer_seed_corpus/1c43fc2a41e55a9e1cecce2013254b632f5afac4

@@ -0,0 +1,70 @@
+45000028e20508074600002ce205080747000030e205080748000034e20
+5080749000038e20508074a00003ce20508074b000040e20508074c0000
+44e20508074d000048e20508074e00004ce20508074f000050e20508075
+0000054e205080751000058e20508075200005ce205080753000060e205
+080754000064e205080755000068e20508075600006ce20508075700007
+0e205080758000074e205080759000078e20508075a00005589e55383ec
+04e8000000005b81c3b44c01008b93f8ffffff85d27405e8de000000e83
+5060000e840070100585bc9c3ff3508e10508ff250ce1050800000000ff
+2510e105086800000000e9e0ffffffff2514e105086808000000e9d0fff
+fffff2518e105086810000000e9c0ffffffff251ce105086818000000e9
+b0ffffffff2520e105086820000000e9a0ffffffff2524e105086828000
+000e990ffffffff2528e105086830000000e980ffffffff252ce1050868
+38000000e970ffffffff2530e105086840000000e960ffffffff2534e10
+5086848000000e950ffffffff2538e105086850000000e940ffffffff25
+3ce105086858000000e930ffffffff2540e105086860000000e920fffff
+fff2544e105086868000000e910ffffffff2548e105086870000000e900
+ffffffff254ce105086878000000e9f0feffffff2550e10508688000000
+0e9e0feffffff2554e105086888000000e9d0feffffff2558e105086890
+000000e9c0feffffff255ce105086898000000e9b0feffffff2560e1050
+868a0000000e9a0feffffff2564e1050868a8000000e990feffffff2568
+e1050868b0000000e980feffffff256ce1050868b8000000e970fefffff
+f2570e1050868c0000000e960feffffff2574e1050868c8000000e950fe
+ffffff2578e1050868d0000000e940feffffff257ce1050868d8000000e
+930feffffff2580e1050868e0000000e920feffffff2584e1050868e800
+0000e910feffffff2588e1050868f0000000e900feffffff258ce105086
+8f8000000e9f0fdffffff2590e105086800010000e9e0fdffffff2594e1
+05086808010000e9d0fdffffff2598e105086810010000e9c0fdffffff2
+59ce105086818010000e9b0fdffffff25a0e105086820010000e9a0fdff
+ffff25a4e105086828010000e990fdffffff25a8e105086830010000e98
+0fdffffff25ace105086838010000e970fdffffff25b0e1050868400100
+00e960fdffffff25b4e105086848010000e950fdffffff25b8e10508685
+0010000e940fdffffff25bce105086858010000e930fdffffff25c0e105
+086860010000e920fdffffff25c4e105086868010000e910fdffffff25c
+8e105086870010000e900fdffffff25cce105086878010000e9f0fcffff
+FF25D0E105086880010000E9E0FCFFFFFF25D4E105086888010000E9D0F
+CFFFFFF25D8E105086890010000E9C0FCFFFFFF25DCE105086898010000
+E9B0FCFFFFFF25E0E1050868A0010000E9A0FCFFFFFF25E4E1050868A80
+10000E990FCFFFFFF25E8E1050868B0010000E980FCFFFFFF25ECE10508
+68B8010000E970FCFFFFFF25F0E1050868C0010000E960FCFFFFFF25F4E
+1050868C8010000E950FCFFFFFF25F8E1050868D0010000E940FCFFFFFF
+25FCE1050868D8010000E930FCFFFFFF2500E2050868E0010000E920FCF
+FFFFF2504E2050868E8010000E910FCFFFFFF2508E2050868F0010000E9
+00FCFFFFFF250CE2050868F8010000E9F0FBFFFFFF2510E205086800020
+000E9E0FBFFFFFF2514E205086808020000E9D0FBFFFFFF2518E2050868
+10020000E9C0FBFFFFFF251CE205086818020000E9B0FBFFFFFF2520E20
+5086820020000E9A0FBFFFFFF2524E205086828020000E990FBFFFFFF25
+28E2050 8683	0020000E980FBFFFFFF252CE205086838020000E970FBFFF
+FFF2530E205086840020000E960FBFFFFFF2534E205086848020000E950
+FBFFFFFF2538E205086850020000E940FBFFFFFF253CE20508685802000
+0E930FBFFFFFF2540E205086860020000E920FBFFFFFF2544E205086868
+020000E910FBFFFFFF2548E205086870020000E900FBFFFFFF254CE2050
+86878020000E9F0FAFFFFFF2550E205086880020000E9E0FAFFFFFF2554
+e205086888020000e9d0faffffff2558e205086890020000e9c0fafffff
+f255ce205086898020000e9b0faffffff2560e2050868a0020000e9a0fa
+ffffff2564e2050868a8020000e990faffffff2568e2050868b0020000e
+980faffffff256ce2050868b8020000e970faffffff2570e2050868c002
+0000e960faffffff2574e2050868c8020000e950faffffff2578e205086
+8d0020000e940faffff00000000000000000000000031ed5e89e183e4f0
+50545268009b050868109b0508515668f0e60408e893fbfffff49090909
+0909090909090909090905589e583ec08803dc8e3050800740ceb1c83c0
+04a388e20508ffd2a188e205088b1085d275ebc605c8e3050801c9c3905
+589e583ec08a110e0050885c07412b80000000085c07409c7042410e005
+08ffd0c9c3909090909090909090909090905589e583ec188b45088b4d0
+c8b50048b00894c2408c744240c0000000089542404890424e897fe0000
+c9c3908d7426005589e583ec08891c248b5d0c897424048b75088b4b048
+b56048b06330331d131d209c1751a8b4b088b46088b5b0c8b560c31c831
+da09d00f94c089c283e2018b1c2489d08b74240489ec5dc38d742600a12
+0e505085589e585c075088b4508a320e505085dc38d76008dbc27000000
+00a120e505085589e585c0750da124e5050883c001a324e505085dc3908
+d7426005584c089e5740cc705>trailing farbage

fuzz/lzw_fuzzer.cc

@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_LZWDecoder.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+  public:
+    FuzzHelper(unsigned char const* data, size_t size);
+    void run();
+
+  private:
+    void doChecks();
+
+    unsigned char const* data;
+    size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+    data(data),
+    size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+    Pl_Discard discard;
+    Pl_LZWDecoder p("decode", &discard, false);
+    p.write(const_cast<unsigned char*>(data), size);
+    p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+    try
+    {
+        doChecks();
+    }
+    catch (std::runtime_error const& e)
+    {
+        std::cerr << "runtime_error: " << e.what() << std::endl;
+    }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+    FuzzHelper f(data, size);
+    f.run();
+    return 0;
+}

fuzz/pngpredictor_fuzzer.cc

@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_PNGFilter.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+  public:
+    FuzzHelper(unsigned char const* data, size_t size);
+    void run();
+
+  private:
+    void doChecks();
+
+    unsigned char const* data;
+    size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+    data(data),
+    size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+    Pl_Discard discard;
+    Pl_PNGFilter p("decode", &discard, Pl_PNGFilter::a_decode, 32, 1, 8);
+    p.write(const_cast<unsigned char*>(data), size);
+    p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+    try
+    {
+        doChecks();
+    }
+    catch (std::runtime_error const& e)
+    {
+        std::cerr << "runtime_error: " << e.what() << std::endl;
+    }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+    FuzzHelper f(data, size);
+    f.run();
+    return 0;
+}

fuzz/qtest/fuzz.test

@@ -9,30 +9,59 @@ require TestDriver;
 
 my $td = new TestDriver('fuzz');
 
-my @files = glob("../build/qpdf_fuzzer_seed_corpus/*");
-my $n_test_files = 29;
-my $n_orig_files = 2559;
-my $n_files = $n_test_files + $n_orig_files;
+my $qpdf_n_test_files = 29;
+my $qpdf_n_orig_files = 2559;
+my $qpdf_n_files = $qpdf_n_test_files + $qpdf_n_orig_files;
 
-if (scalar(@files) != $n_files)
+my @fuzzers = (
+    ['qpdf' => $qpdf_n_files],
+    ['ascii85' => 1],
+    ['dct' => 1],
+    ['flate' => 1],
+    ['hex' => 1],
+    ['lzw' => 1],
+    ['pngpredictor' => 1],
+    ['runlength' => 6],
+    ['tiffpredictor' => 1],
+    );
+
+my $n_tests = 0;
+# One test for each directory for file count, two tests for each file
+# in each directory
+foreach my $d (@fuzzers)
 {
-    die "wrong number of files seen in fuzz.test";
+    $n_tests += 1 + (2 * $d->[1]);
 }
 
-foreach my $f (@files)
+foreach my $d (@fuzzers)
 {
-    my $sum = basename($f);
-    $td->runtest("checksum $sum",
-                 {$td->STRING => get_sha1_checksum($f)},
-                 {$td->STRING => $sum});
-    $td->runtest("fuzz check $sum",
-                 {$td->COMMAND => "qpdf_fuzzer $f"},
-                 {$td->REGEXP => ".*$f successful\n",
-                      $td->EXIT_STATUS => 0},
+    my $k = $d->[0];
+    my $dir = "../${k}_fuzzer_seed_corpus";
+    if (! -d $dir)
+    {
+        $dir = "../build/${k}_fuzzer_seed_corpus";
+    }
+    my @files = glob("$dir/*");
+    $td->runtest("file count for $dir",
+                 {$td->STRING => scalar(@files) . "\n"},
+                 {$td->STRING => $d->[1] . "\n"},
                  $td->NORMALIZE_NEWLINES);
+
+    foreach my $f (@files)
+    {
+        my $sum = basename($f);
+        $td->runtest("$k checksum   $sum",
+                     {$td->STRING => get_sha1_checksum($f)},
+                     {$td->STRING => $sum});
+        $td->runtest("$k fuzz check $sum",
+                     {$td->COMMAND => "${k}_fuzzer $f"},
+                     {$td->REGEXP => ".*$f successful\n",
+                          $td->EXIT_STATUS => 0},
+                     $td->NORMALIZE_NEWLINES);
+    }
 }
 
-$td->report(2 * $n_files);
+$td->report($n_tests);
 
 sub get_sha1_checksum
 {

fuzz/runlength_fuzzer.cc

@@ -0,0 +1,52 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_RunLength.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+  public:
+    FuzzHelper(unsigned char const* data, size_t size);
+    void run();
+
+  private:
+    void doChecks();
+
+    unsigned char const* data;
+    size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+    data(data),
+    size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+    Pl_Discard discard;
+    Pl_RunLength p("decode", &discard, Pl_RunLength::a_decode);
+    p.write(const_cast<unsigned char*>(data), size);
+    p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+    try
+    {
+        doChecks();
+    }
+    catch (std::runtime_error const& e)
+    {
+        std::cerr << "runtime_error: " << e.what() << std::endl;
+    }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+    FuzzHelper f(data, size);
+    f.run();
+    return 0;
+}

fuzz/runlength_fuzzer_seed_corpus/0928451e068252ef8f3d1878a5c1f81b86dc9eb8

@@ -0,0 +1 @@
+鑧黴rstv€

fuzz/runlength_fuzzer_seed_corpus/4354588bbf0979da3b05eb7cadd13b74141ad49c

@@ -0,0 +1 @@
+亀abababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababab€

fuzz/runlength_fuzzer_seed_corpus/4ffb8ea47113554fbac0d5ba533838e3dd7aa23a

@@ -0,0 +1 @@
+~abababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababa鸼€

fuzz/runlength_fuzzer_seed_corpus/b307a53d7d354fe2dbd4b13dca43ddacfaea91e1

@@ -0,0 +1 @@
+鑧黴rstv陎€

fuzz/runlength_fuzzer_seed_corpus/c78ebd3c85a39a596d9f5cfd2b8d240bc1b9c125

@@ -0,0 +1 @@
+<EFBFBD>

fuzz/tiffpredictor_fuzzer.cc

@@ -0,0 +1,53 @@
+#include <qpdf/Pl_Discard.hh>
+#include <qpdf/Pl_TIFFPredictor.hh>
+#include <iostream>
+#include <stdexcept>
+
+class FuzzHelper
+{
+  public:
+    FuzzHelper(unsigned char const* data, size_t size);
+    void run();
+
+  private:
+    void doChecks();
+
+    unsigned char const* data;
+    size_t size;
+};
+
+FuzzHelper::FuzzHelper(unsigned char const* data, size_t size) :
+    data(data),
+    size(size)
+{
+}
+
+void
+FuzzHelper::doChecks()
+{
+    Pl_Discard discard;
+    Pl_TIFFPredictor p("decoder", &discard,
+                       Pl_TIFFPredictor::a_decode, 16, 1, 8);
+    p.write(const_cast<unsigned char*>(data), size);
+    p.finish();
+}
+
+void
+FuzzHelper::run()
+{
+    try
+    {
+        doChecks();
+    }
+    catch (std::runtime_error const& e)
+    {
+        std::cerr << "runtime_error: " << e.what() << std::endl;
+    }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(unsigned char const* data, size_t size)
+{
+    FuzzHelper f(data, size);
+    f.run();
+    return 0;
+}