Add fuzzer for HTMLPreloadScanner

third_party/WebKit/Source/core/html/parser/HTMLPreloadScannerFuzzer.cpp

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "core/MediaTypeNames.h"
+#include "core/css/MediaValuesCached.h"
+#include "core/html/HTMLDocument.h"
+#include "core/html/parser/HTMLDocumentParser.h"
+#include "core/html/parser/TextResourceDecoderForFuzzing.h"
+#include "platform/testing/BlinkFuzzerTestSupport.h"
+#include "platform/testing/FuzzedDataProvider.h"
+
+namespace blink {
+
+std::unique_ptr<CachedDocumentParameters> cachedDocumentParametersForFuzzing(FuzzedDataProvider& fuzzedData)
+{
+    std::unique_ptr<CachedDocumentParameters> documentParameters = CachedDocumentParameters::create();
+    documentParameters->doHtmlPreloadScanning = fuzzedData.ConsumeBool();
+    documentParameters->doDocumentWritePreloadScanning = fuzzedData.ConsumeBool();
+    // TODO(csharrison): How should this be fuzzed?
+    documentParameters->defaultViewportMinWidth = Length();
+    documentParameters->viewportMetaZeroValuesQuirk = fuzzedData.ConsumeBool();
+    documentParameters->viewportMetaEnabled = fuzzedData.ConsumeBool();
+    return documentParameters;
+}
+
+class MockResourcePreloader : public ResourcePreloader {
+    void preload(std::unique_ptr<PreloadRequest>, const NetworkHintsInterface&) override
+    {
+    }
+};
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    FuzzedDataProvider fuzzedData(data, size);
+
+    HTMLParserOptions options;
+    options.scriptEnabled = fuzzedData.ConsumeBool();
+    options.pluginsEnabled = fuzzedData.ConsumeBool();
+
+    std::unique_ptr<CachedDocumentParameters> documentParameters = cachedDocumentParametersForFuzzing(fuzzedData);
+
+    KURL documentURL(ParsedURLString, "http://whatever.test/");
+
+    // Copied from HTMLPreloadScannerTest. May be worthwhile to fuzz.
+    MediaValuesCached::MediaValuesCachedData mediaData;
+    mediaData.viewportWidth = 500;
+    mediaData.viewportHeight = 600;
+    mediaData.deviceWidth = 700;
+    mediaData.deviceHeight = 800;
+    mediaData.devicePixelRatio = 2.0;
+    mediaData.colorBitsPerComponent = 24;
+    mediaData.monochromeBitsPerComponent = 0;
+    mediaData.primaryPointerType = PointerTypeFine;
+    mediaData.defaultFontSize = 16;
+    mediaData.threeDEnabled = true;
+    mediaData.mediaType = MediaTypeNames::screen;
+    mediaData.strictMode = true;
+    mediaData.displayMode = WebDisplayModeBrowser;
+
+    MockResourcePreloader preloader;
+
+    std::unique_ptr<HTMLPreloadScanner> scanner = HTMLPreloadScanner::create(options, documentURL, std::move(documentParameters), mediaData);
+
+    TextResourceDecoderForFuzzing decoder(fuzzedData);
+    CString bytes = fuzzedData.ConsumeRemainingBytes();

[mmoroz, 2016/08/30 19:01:53]

Can we estimate how many bytes will be read from the |data| until that line?

What I'm concerned about: we have a plenty of html-documents as a seed corpus,
that's great. But a couple of first bytes of these documents will be used to
initialize document's and parser's options. Thus, |ConsumeRemainingBytes()| will
always return a sort of invalid HTML for testcases from seed corpus. Is it be a
problem for |scanAndPreload()| call or not?

My concern is not a blocker at all, just a thing which may worth to observe. I
think we should land it and see how it goes, then we may upgrade the corpus
and/or add a dictionary as an improvement (if it will make sense, of course).

[Charlie Harrison, 2016/08/30 19:22:35]

Anywhere from 14-78 bytes will be consumed. It's possible that fuzzing the
TextResourceDecoder is overkill for this fuzzer, as I mentioned in a previous
comment. I'm happy to re-evaluate at a later point though.

Note that the ConsumeBool and ConsumeUint32InRange calls take data from the end
of the fuzzed data, not the beginning.

Your concern is very valid. How big a deal is it for seed corpuses to be
slightly invalid? I assumed this is not a big deal because tiny deltas like this
are easy for a fuzzer to fix up eventually.

+    String decodedBytes = decoder.decode(bytes.data(), bytes.length());
+    scanner->appendToEnd(decodedBytes);
+    scanner->scanAndPreload(&preloader, KURL(), nullptr);
+    return 0;
+}
+
+} // namespace blink
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    return blink::LLVMFuzzerTestOneInput(data, size);
+}
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
+{
+    blink::InitializeBlinkFuzzTest(argc, argv);
+    return 0;
+}