media: Add fuzzer test for bit_reader

media/base/bit_reader_fuzzertest.cc

Index: media/base/bit_reader_fuzzertest.cc
diff --git a/media/base/bit_reader_fuzzertest.cc b/media/base/bit_reader_fuzzertest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..6599b7eeb148b91794393df097e77c9e2793c3f1
--- /dev/null
+++ b/media/base/bit_reader_fuzzertest.cc
@@ -0,0 +1,41 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+
+#include "base/numerics/safe_conversions.h"
+#include "media/base/bit_reader.h"
+
+// Given |value|, return a number between 1 and 32.
+static int DetermineNumBits(uint8_t value) {
+  return (value % 32) + 1;
+}
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  media::BitReader reader(data, base::checked_cast<int>(size));
+
+  // Read and skip through the data. Since we want the test to be repeatable
+  // for a given input, use the values in |data| to determine how many bits
+  // to read/skip until the end of the stream (which should fail).
+  for (size_t i = 0; i < size && reader.bits_available(); ++i) {

[DaleCurtis, 2016/03/03 00:16:35]

Why restrict to size here? Seems you want to keep reading and just use i/8 for
your read or skip check? DetermineNumBits() could also take bits remaining and
clamp so that you don't need l.35. to l.39

[jrummell, 2016/03/03 23:21:37]

I was using the bytes in |data| to determine the operation to do. I didn't want
to read off the end of |data|. However, I've switched it to use a random number
generator, so this is no longer an issue.

Note that now the data bytes are not really used (other than to generate the
random number seed).

+    uint8_t value = data[i];
+    if (value < 128) {
+      // Read up to 32 bits. This may fail if there is not enough bits

[DaleCurtis, 2016/03/03 00:16:35]

Why 32 instead of say 64?

[jrummell, 2016/03/03 23:21:38]

Updated to use a bigger range.

+      // remaining, but it doesn't matter (testing for failures is also good).
+      uint32_t data;
+      reader.ReadBits(DetermineNumBits(value), &data);
+    } else {
+      // Skip up to 32 bits. As above, this may fail.
+      reader.SkipBits(DetermineNumBits(value));
+    }
+  }
+
+  // It is possible that we didn't get all the way through the bits, so
+  // skip over whatever is left.
+  if (reader.bits_available() > 0)
+    reader.SkipBits(reader.bits_available());
+
+  return 0;
+}