fuzzers for VerifyNameMatch and VerifyNameInSubtree

net/cert/internal/verify_name_match_verifynameinsubtree_fuzzer.cc

Index: net/cert/internal/verify_name_match_verifynameinsubtree_fuzzer.cc
diff --git a/net/cert/internal/verify_name_match_verifynameinsubtree_fuzzer.cc b/net/cert/internal/verify_name_match_verifynameinsubtree_fuzzer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..57a0fbf7b8f43cb906e44f6d66b727c7a68faede
--- /dev/null
+++ b/net/cert/internal/verify_name_match_verifynameinsubtree_fuzzer.cc
@@ -0,0 +1,36 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/internal/verify_name_match.h"
+
+#include <limits>
+
+#include "net/der/input.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // Use the first byte of data as a ratio to divide the rest of data into
+  // two parts. If there is less than one byte, just give up.
+  if (size < 1)
+    return 0;
+  size_t split_val = data[0];
+
+  const uint8_t* remaining_data = data + 1;
+  size_t remaining_size = size - 1;
+  size_t first_part_size = remaining_size * split_val / 0xff;
+  // Sanity check. If |size| is very large the multiplication could wrap
+  // around, but |first_part_size| should still never be larger than
+  // |remaining_size|.
+  CHECK_LE(first_part_size, remaining_size);
+
+  net::der::Input in1(remaining_data, first_part_size);
+  net::der::Input in2(remaining_data + first_part_size,
+                      remaining_size - first_part_size);
+  bool match = net::VerifyNameInSubtree(in1, in2);
+  bool reverse_order_match = net::VerifyNameInSubtree(in2, in1);
+  // If both InSubtree matches are true, then in1 == in2 (modulo normalization).
+  if (match && reverse_order_match)
+    CHECK(net::VerifyNameMatch(in1, in2));
+  return 0;
+}