fuzzers for VerifyNameMatch and VerifyNameInSubtree

net/cert/internal/verify_name_match_fuzzer.cc

Index: net/cert/internal/verify_name_match_fuzzer.cc
diff --git a/net/cert/internal/verify_name_match_fuzzer.cc b/net/cert/internal/verify_name_match_fuzzer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..7774f4bf0496c34cd4450366ab0493f9e610dff3
--- /dev/null
+++ b/net/cert/internal/verify_name_match_fuzzer.cc
@@ -0,0 +1,35 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/internal/verify_name_match.h"
+
+#include <limits>
+
+#include "net/der/input.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // Use the first byte of data as a ratio to divide the rest of data into

[eroman, 2016/04/28 18:27:10]

The problem with using a 1 byte ratio like this is we won't be able to fuzz
every possible length.

Instead I suggest just using 2 bytes as first_part_size, and then the remaining
bytes for the second part.

We have //net specific helper routines for this. Some is not yet checked in, but
take a look at:
https://codereview.chromium.org/1917503002/diff/260001/net/base/fuzzed_data_p...

With that paradigm you can write this as:

// Allow the first length to be up to 65535 bytes long (uses 2 bytes of fuzzer
input for this)
size_t first_part_size = fuzzed_data.ConsumeValueInRange(0, 0xFFFF);

base::StringPiece first_part = fuzzed_data.ConsumeBytes(first_part_size);
base::StringPiece second_part = fuzzed_data.ConsumeRemainingBytes();

ConsumeRemainingBytes() doesn't exist yet, but I suggest you add it to that
class -- should just be a 1 liner and is generally useful. (I know Chris has a
change that needs similar functionality.)

+  // two parts. If there is less than one byte, just give up.
+  if (size < 1)
+    return 0;
+  size_t split_val = data[0];
+
+  const uint8_t* remaining_data = data + 1;
+  size_t remaining_size = size - 1;
+  size_t first_part_size = remaining_size * split_val / 0xff;
+  // Sanity check. If |size| is very large the multiplication could wrap
+  // around, but |first_part_size| should still never be larger than
+  // |remaining_size|.
+  CHECK_LE(first_part_size, remaining_size);
+
+  net::der::Input in1(remaining_data, first_part_size);
+  net::der::Input in2(remaining_data + first_part_size,
+                      remaining_size - first_part_size);
+  bool match = net::VerifyNameMatch(in1, in2);
+  bool reverse_order_match = net::VerifyNameMatch(in2, in1);
+  // Result should be the same regardless of argument order.
+  CHECK_EQ(match, reverse_order_match);
+  return 0;
+}