Add a bunch of NSS ASN.1 fuzzers

testing/libfuzzer/fuzzers/nss/asn1_bitstring_fuzzer.cc

Index: testing/libfuzzer/fuzzers/nss/asn1_bitstring_fuzzer.cc
diff --git a/testing/libfuzzer/fuzzers/nss/asn1_bitstring_fuzzer.cc b/testing/libfuzzer/fuzzers/nss/asn1_bitstring_fuzzer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..49b4f98cde17274f3ab9901c86df5c30a150d8fb
--- /dev/null
+++ b/testing/libfuzzer/fuzzers/nss/asn1_bitstring_fuzzer.cc
@@ -0,0 +1,44 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <nss.h>
+#include <nspr.h>
+#include <secasn1.h>
+#include <secder.h>
+#include <secport.h>
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  const SEC_ASN1Template* the_template = SEC_ASN1_GET(SEC_BitStringTemplate);
+  SECItem quick_dest = {siBuffer, nullptr, 0};
+  SECItem legacy_dest = {siBuffer, nullptr, 0};
+
+  // Attempt the QuickDER path.

[kcc2, 2016/02/10 02:25:22]

does this have to be a single target, or it can be split into two? 
(quick and legacy). 
My fear is that if one of the parts is very slow we will not be able to properly
test the other part. 

Also, what will happen if we make quick_arena/legacy_arena globals and never
free them?
Will there be a permanent leak? 

[Ryan Sleevi, 2016/02/10 02:45:36]

Yes, we totally can.

Templated logic is totally fine, right? If so, considering that the permutations
of all of these tests are "template, type to receive template, initialization
code for type to receive template", the bulk of the tests could be de-duplicated
into a common templated base.
We can use the arena markers for a test

That is:

void LLVMFuzzerTestOneInput(...) {
  void* mark = PORT_ArenaMark(arena);
  // do stuff that allocates in the arena
  PORT_ArenaRelease(arena, mark);
}

That will just mark the arena as shrunk, but will still memset.

To eliminate the memsets, we would need to undefine DEBUG (c.f.
http://mxr.mozilla.org/nspr/source/lib/ds/plarena.h#184 )

+  PLArenaPool* quick_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+  if (!quick_arena)
+    return 0;
+
+  SECItem quick_src = {siBuffer, const_cast<unsigned char*>(
+                                     static_cast<const unsigned char*>(data)),
+                       static_cast<unsigned int>(size)};
+  SEC_QuickDERDecodeItem(quick_arena, &quick_dest, the_template, &quick_src);
+  PORT_FreeArena(quick_arena, PR_FALSE);
+
+  // Attempt the Legacy path.
+  PLArenaPool* legacy_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+  if (!legacy_arena)
+    return 0;
+
+  SECItem legacy_src = {siBuffer, const_cast<unsigned char*>(
+                                      static_cast<const unsigned char*>(data)),
+                        static_cast<unsigned int>(size)};
+
+  SEC_ASN1DecodeItem(legacy_arena, &legacy_dest, the_template, &legacy_src);
+  PORT_FreeArena(legacy_arena, PR_FALSE);
+
+  return 0;
+}