| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/MediaTypeNames.h" | |
| 6 #include "core/css/MediaValuesCached.h" | |
| 7 #include "core/frame/Settings.h" | |
| 8 #include "core/html/HTMLDocument.h" | |
| 9 #include "core/html/parser/HTMLDocumentParser.h" | |
| 5 #include "core/html/parser/TextResourceDecoder.h" | 10 #include "core/html/parser/TextResourceDecoder.h" |
| 6 | 11 #include "core/loader/TextResourceDecoderBuilder.h" |
| 12 #include "core/testing/DummyPageHolder.h" | |
| 7 #include "platform/testing/FuzzedDataProvider.h" | 13 #include "platform/testing/FuzzedDataProvider.h" |
| 8 #include "platform/testing/TestingPlatformSupport.h" | 14 #include "platform/testing/TestingPlatformSupport.h" |
| 15 #include "wtf/PtrUtil.h" | |
| 9 #include "wtf/text/WTFString.h" | 16 #include "wtf/text/WTFString.h" |
| 10 #include <algorithm> | 17 #include <algorithm> |
| 11 | 18 |
| 12 namespace blink { | 19 namespace blink { |
| 13 | 20 |
| 14 class TextResourceDecoderForFuzzing : public TextResourceDecoder { | 21 class TextResourceDecoderForFuzzing : public TextResourceDecoder { |
| 15 public: | 22 public: |
| 16 // Note: mimeTypes can be quite long and still valid for XML. See the | 23 // Note: mimeTypes can be quite long and still valid for XML. See the |
| 17 // comment in DOMImplementation.cpp which says: | 24 // comment in DOMImplementation.cpp which says: |
| 18 // Per RFCs 3023 and 2045, an XML MIME type is of the form: | 25 // Per RFCs 3023 and 2045, an XML MIME type is of the form: |
| 19 // ^[0-9a-zA-Z_\\-+~!$\\^{}|.%'`#&*]+/[0-9a-zA-Z_\\-+~!$\\^{}|.%'`#&*]+\+xml $ | 26 // ^[0-9a-zA-Z_\\-+~!$\\^{}|.%'`#&*]+/[0-9a-zA-Z_\\-+~!$\\^{}|.%'`#&*]+\+xml $ |
| 20 // | 27 // |
| 21 // Similarly, charsets can be long too (see the various encodings in | 28 // Similarly, charsets can be long too (see the various encodings in |
| 22 // wtf/text). For instance: "unicode-1-1-utf-8". To ensure good coverage, | 29 // wtf/text). For instance: "unicode-1-1-utf-8". To ensure good coverage, |
| 23 // set a generous max limit for these sizes (32 bytes should be good). | 30 // set a generous max limit for these sizes (32 bytes should be good). |
| 24 TextResourceDecoderForFuzzing(FuzzedDataProvider& fuzzedData) | 31 TextResourceDecoderForFuzzing(FuzzedDataProvider& fuzzedData) |
| 25 : TextResourceDecoder(String::fromUTF8(fuzzedData.ConsumeBytesInRange(0, 32)), String::fromUTF8(fuzzedData.ConsumeBytesInRange(0, 32)), FuzzedOption(fuz zedData)) | 32 : TextResourceDecoder(String::fromUTF8(fuzzedData.ConsumeBytesInRange(0, 32)), String::fromUTF8(fuzzedData.ConsumeBytesInRange(0, 32)), FuzzedOption(fuz zedData)) |
| 26 { | 33 { |
| 27 } | 34 } |
| 28 | 35 |
| 29 private: | 36 private: |
| 30 static TextResourceDecoder::EncodingDetectionOption FuzzedOption(FuzzedDataP rovider& fuzzedData) | 37 static TextResourceDecoder::EncodingDetectionOption FuzzedOption(FuzzedDataP rovider& fuzzedData) |
| 31 { | 38 { |
| 32 // Don't use AlwaysUseUTF8ForText which requires knowing the mimeType | 39 // Don't use AlwaysUseUTF8ForText which requires knowing the mimeType |
| 33 // ahead of time. | 40 // ahead of time. |
| 34 return fuzzedData.ConsumeBool() ? UseAllAutoDetection : UseContentAndBOM BasedDetection; | 41 return fuzzedData.ConsumeBool() ? UseAllAutoDetection : UseContentAndBOM BasedDetection; |
| 35 } | 42 } |
| 36 }; | 43 }; |
| 37 | 44 |
| 45 struct CachedDocumentParametersForFuzzing : public CachedDocumentParameters { | |
| 46 CachedDocumentParametersForFuzzing(FuzzedDataProvider& fuzzedData) | |
| 47 { | |
|
kouhei (in TOK)
2016/08/22 05:48:28
maybe simply
unique_ptr<CachedDocumentParameters>
| |
| 48 doHtmlPreloadScanning = fuzzedData.ConsumeBool(); | |
| 49 doDocumentWritePreloadScanning = fuzzedData.ConsumeBool(); | |
| 50 } | |
| 51 }; | |
| 52 | |
| 53 class MockResourcePreloader : public ResourcePreloader { | |
| 54 void preload(std::unique_ptr<PreloadRequest>, const NetworkHintsInterface&) override | |
| 55 { | |
| 56 } | |
| 57 }; | |
| 58 | |
| 38 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) | 59 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) |
| 39 { | 60 { |
| 40 FuzzedDataProvider fuzzedData(data, size); | 61 FuzzedDataProvider fuzzedData(data, size); |
| 62 | |
| 63 HTMLParserOptions options; | |
| 64 options.scriptEnabled = fuzzedData.ConsumeBool(); | |
| 65 options.pluginsEnabled = fuzzedData.ConsumeBool(); | |
| 66 | |
| 67 CachedDocumentParametersForFuzzing* documentParameters = new CachedDocumentP arametersForFuzzing(fuzzedData); | |
| 68 | |
| 69 KURL documentURL(ParsedURLString, "http://whatever.test/"); | |
| 70 | |
| 71 // Copied from HTMLPreloadScannerTest. May be worthwhile to fuzz. | |
| 72 MediaValuesCached::MediaValuesCachedData mediaData; | |
| 73 mediaData.viewportWidth = 500; | |
| 74 mediaData.viewportHeight = 600; | |
| 75 mediaData.deviceWidth = 700; | |
| 76 mediaData.deviceHeight = 800; | |
| 77 mediaData.devicePixelRatio = 2.0; | |
| 78 mediaData.colorBitsPerComponent = 24; | |
| 79 mediaData.monochromeBitsPerComponent = 0; | |
| 80 mediaData.primaryPointerType = PointerTypeFine; | |
| 81 mediaData.defaultFontSize = 16; | |
| 82 mediaData.threeDEnabled = true; | |
| 83 mediaData.mediaType = MediaTypeNames::screen; | |
| 84 mediaData.strictMode = true; | |
| 85 mediaData.displayMode = WebDisplayModeBrowser; | |
| 86 | |
| 87 MockResourcePreloader preloader; | |
| 88 | |
| 89 std::unique_ptr<HTMLPreloadScanner> scanner = HTMLPreloadScanner::create(opt ions, documentURL, wrapUnique(documentParameters), mediaData); | |
| 90 | |
| 41 TextResourceDecoderForFuzzing decoder(fuzzedData); | 91 TextResourceDecoderForFuzzing decoder(fuzzedData); |
| 42 CString bytes = fuzzedData.ConsumeRemainingBytes(); | 92 CString bytes = fuzzedData.ConsumeRemainingBytes(); |
| 43 decoder.decode(bytes.data(), bytes.length()); | 93 String decodedBytes = decoder.decode(bytes.data(), bytes.length()); |
| 44 decoder.flush(); | 94 scanner->appendToEnd(decodedBytes); |
| 95 scanner->scanAndPreload(&preloader, KURL(), nullptr); | |
| 45 return 0; | 96 return 0; |
| 46 } | 97 } |
| 47 | 98 |
| 48 } // namespace blink | 99 } // namespace blink |
| 49 | 100 |
| 50 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) | 101 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) |
| 51 { | 102 { |
| 52 return blink::LLVMFuzzerTestOneInput(data, size); | 103 return blink::LLVMFuzzerTestOneInput(data, size); |
| 53 } | 104 } |
| 54 | 105 |
| 55 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) | 106 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) |
| 56 { | 107 { |
| 57 // Intentional leak - no need to do cleanup as explained in | 108 // Intentional leak - no need to do cleanup as explained in |
| 58 // "Initialization/Cleanup" section of testing/libfuzzer/efficient_fuzzer.md | 109 // "Initialization/Cleanup" section of testing/libfuzzer/efficient_fuzzer.md |
| 59 DEFINE_STATIC_LOCAL(blink::ScopedUnittestsEnvironmentSetup, testSetup, (*arg c, *argv)); | 110 DEFINE_STATIC_LOCAL(blink::ScopedUnittestsEnvironmentSetup, testSetup, (*arg c, *argv)); |
| 60 ALLOW_UNUSED_LOCAL(testSetup); | 111 ALLOW_UNUSED_LOCAL(testSetup); |
| 61 | 112 |
| 62 return 0; | 113 return 0; |
| 63 } | 114 } |
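Review bot: The rewrite of the decode step in LLVMFuzzerTestOneInput (new lines 93–95) drops the old `decoder.flush()` call, so whatever the decoder still holds back after `decode()` — a trailing partial multi-byte sequence, for instance — is never emitted, never reaches the scanner, and the decoder's end-of-stream path that the old fuzzer did exercise is no longer covered. Since `decode()` is now used for its String result, the flush result should be fed to the scanner the same way, e.g. `scanner->appendToEnd(decoder.flush());` placed before the `scanAndPreload` call (assuming `flush()` returns the remaining text as `decode()` does; the old code discarded its return value). Separately, several of the added includes (`HTMLDocument.h`, `Settings.h`, `DummyPageHolder.h`, `TextResourceDecoderBuilder.h`) name nothing used in this file, while the types the new code actually uses (`HTMLPreloadScanner`, `HTMLParserOptions`, `CachedDocumentParameters`, `ResourcePreloader`) are only reached indirectly through `HTMLDocumentParser.h`; including `core/html/parser/HTMLPreloadScanner.h` directly and dropping the unused headers would make the dependency explicit. The new single-argument `CachedDocumentParametersForFuzzing(FuzzedDataProvider&)` constructor could also be marked `explicit`, matching the usual convention for non-conversion constructors.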