Add fuzzer for FDE CSS syntax parser.

Add fuzzer for FDE CSS syntax parser.

This CL adds a fuzzer for the CSS Syntax parser in XFA.

BUG=chromium:587126
Committed: https://pdfium.googlesource.com/pdfium/+/756d37943415ca15d491b79ba78012225a06db76

[dsinclair, 2016-06-13 20:05:47]

dsinclair@chromium.org changed reviewers:
+ ochang@chromium.org, thestig@chromium.org

[dsinclair, 2016-06-13 20:05:47]

PTAL.

https://codereview.chromium.org/2068513002/diff/1/xfa/fxfa/parser/xfa_basic_i...
File xfa/fxfa/parser/xfa_basic_imp.cpp (right):

https://codereview.chromium.org/2068513002/diff/1/xfa/fxfa/parser/xfa_basic_i...
xfa/fxfa/parser/xfa_basic_imp.cpp:562: if (iMaxLength == 0)
This is needed because the corpus was seeding with an input of "" and the fuzzer
would immediately crash due to an assert in FXSYS_wcsncpy that the size isn't 0.

[Oliver Chang, 2016-06-13 20:11:19]

GYP build configs? (so that buildbots catch fuzzer breakages before we roll)

https://codereview.chromium.org/2068513002/diff/1/xfa/fxfa/parser/xfa_basic_i...
File xfa/fxfa/parser/xfa_basic_imp.cpp (right):

https://codereview.chromium.org/2068513002/diff/1/xfa/fxfa/parser/xfa_basic_i...
xfa/fxfa/parser/xfa_basic_imp.cpp:562: if (iMaxLength == 0)
On 2016/06/13 20:05:47, dsinclair wrote:
> This is needed because the corpus was seeding with an input of "" and the
fuzzer
> would immediately crash due to an assert in FXSYS_wcsncpy that the size isn't
0.

It's probably best to do

if (size == 0)
  return 0;

in LLVMFuzzerTestOneInput instead of changing this here.

[dsinclair, 2016-06-13 20:19:22]

Doh, added GYP build.

https://codereview.chromium.org/2068513002/diff/1/xfa/fxfa/parser/xfa_basic_i...
File xfa/fxfa/parser/xfa_basic_imp.cpp (right):

https://codereview.chromium.org/2068513002/diff/1/xfa/fxfa/parser/xfa_basic_i...
xfa/fxfa/parser/xfa_basic_imp.cpp:562: if (iMaxLength == 0)
On 2016/06/13 20:11:19, Oliver Chang wrote:
> On 2016/06/13 20:05:47, dsinclair wrote:
> > This is needed because the corpus was seeding with an input of "" and the
> fuzzer
> > would immediately crash due to an assert in FXSYS_wcsncpy that the size
isn't
> 0.
> 
> It's probably best to do
> 
> if (size == 0)
>   return 0;
> 
> in LLVMFuzzerTestOneInput instead of changing this here.

I think the check is valid here. We can't proceed if the size is zero, so we can
bail out early. It's just the first issue found by the fuzzer, heh.

[Oliver Chang, 2016-06-13 20:20:47]

lgtm

[dsinclair, 2016-06-13 20:24:45]

The CQ bit was checked by dsinclair@chromium.org

[commit-bot: I haz the power, 2016-06-13 20:24:55]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/2068513002/20001

[Lei Zhang, 2016-06-13 20:30:39]

lgtm

https://codereview.chromium.org/2068513002/diff/20001/xfa/fxfa/parser/xfa_bas...
File xfa/fxfa/parser/xfa_basic_imp.cpp (right):

https://codereview.chromium.org/2068513002/diff/20001/xfa/fxfa/parser/xfa_bas...
xfa/fxfa/parser/xfa_basic_imp.cpp:560: if (iMaxLength > m_wsBuffer.GetLength() -
m_iPosition)
std::min() ?

[dsinclair, 2016-06-13 20:32:57]

The CQ bit was unchecked by dsinclair@chromium.org

[dsinclair, 2016-06-13 20:35:27]

https://codereview.chromium.org/2068513002/diff/20001/xfa/fxfa/parser/xfa_bas...
File xfa/fxfa/parser/xfa_basic_imp.cpp (right):

https://codereview.chromium.org/2068513002/diff/20001/xfa/fxfa/parser/xfa_bas...
xfa/fxfa/parser/xfa_basic_imp.cpp:560: if (iMaxLength > m_wsBuffer.GetLength() -
m_iPosition)
On 2016/06/13 20:30:38, Lei Zhang wrote:
> std::min() ?

Done.

[dsinclair, 2016-06-13 20:35:30]

The CQ bit was checked by dsinclair@chromium.org

[dsinclair, 2016-06-13 20:35:31]

The patchset sent to the CQ was uploaded after l-g-t-m from
thestig@chromium.org, ochang@chromium.org
Link to the patchset: https://codereview.chromium.org/2068513002/#ps40001
(title: "Use std::min")

[commit-bot: I haz the power, 2016-06-13 20:35:34]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/2068513002/40001

[commit-bot: I haz the power, 2016-06-13 20:56:24]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-13 20:56:25]

Try jobs failed on following builders:
  linux_xfa on master.tryserver.client.pdfium (JOB_FAILED,
https://build.chromium.org/p/tryserver.client.pdfium/builders/linux_xfa/build...)

[dsinclair, 2016-06-14 14:21:42]

The CQ bit was checked by dsinclair@chromium.org

[dsinclair, 2016-06-14 14:21:42]

The patchset sent to the CQ was uploaded after l-g-t-m from
thestig@chromium.org, ochang@chromium.org
Link to the patchset: https://codereview.chromium.org/2068513002/#ps60001
(title: "Make freetype headers visible to fuzzers")

[commit-bot: I haz the power, 2016-06-14 14:21:50]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/2068513002/60001

[commit-bot: I haz the power, 2016-06-14 14:34:24]

Description was changed from

==========
Add fuzzer for FDE CSS syntax parser.

This CL adds a fuzzer for the CSS Syntax parser in XFA.

BUG=chromium:587126
==========

to

==========
Add fuzzer for FDE CSS syntax parser.

This CL adds a fuzzer for the CSS Syntax parser in XFA.

BUG=chromium:587126

Committed:
https://pdfium.googlesource.com/pdfium/+/756d37943415ca15d491b79ba78012225a06...
==========

[commit-bot: I haz the power, 2016-06-14 14:34:25]

Committed patchset #4 (id:60001) as
https://pdfium.googlesource.com/pdfium/+/756d37943415ca15d491b79ba78012225a06...