Add minidump fuzzer for breakpad.

breakpad/minidump_fuzzer.cc

Index: breakpad/minidump_fuzzer.cc
diff --git a/breakpad/minidump_fuzzer.cc b/breakpad/minidump_fuzzer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..2e02def4670d430fcfa61920d69e1ffcef3e9698
--- /dev/null
+++ b/breakpad/minidump_fuzzer.cc
@@ -0,0 +1,87 @@
+#include <stddef.h>

[Lei Zhang, 2016/08/30 21:00:33]

Missing copyright ehader.

[Will Harris, 2016/08/31 17:48:09]

Done.

+#include <stdint.h>
+#include <string.h>
+
+#include <streambuf>
+#include <istream>
+#include <memory>
+
+#include "base/memory/free_deleter.h"
+#include "google_breakpad/processor/basic_source_line_resolver.h"
+#include "google_breakpad/processor/minidump.h"
+#include "google_breakpad/processor/minidump_processor.h"
+#include "google_breakpad/processor/process_state.h"
+#include "processor/logging.h"
+#include "processor/simple_symbol_supplier.h"
+#include "processor/stackwalk_common.h"
+
+namespace {
+
+using google_breakpad::BasicSourceLineResolver;
+using google_breakpad::Minidump;
+using google_breakpad::MinidumpProcessor;
+using google_breakpad::ProcessState;
+using google_breakpad::SimpleSymbolSupplier;
+
+struct membuf : std::streambuf {
+  membuf(const uint8_t* base, size_t size) {
+    // This is probably a dodgy cast.

[Lei Zhang, 2016/08/30 21:00:33]

Beh. I wish the Minidump ctor just took a buffer instead of an istream.

[Will Harris, 2016/08/31 17:48:09]

Acknowledged.

+    char* p(const_cast<char*>(reinterpret_cast<const char*>(base)));
+    this->setg(p, p, p + size);
+  }
+};
+struct imemstream : virtual membuf, std::istream {
+  imemstream(const uint8_t* base, size_t size)
+      : membuf(base, size), std::istream(static_cast<std::streambuf*>(this)) {}
+};
+
+bool PrintMinidumpProcess(std::istream& input,

[Lei Zhang, 2016/08/30 21:00:33]

pass by non-const ref

[Will Harris, 2016/08/31 17:48:09]

Done.

+                          const std::vector<string>& symbol_paths,
+                          bool machine_readable,
+                          bool output_stack_contents) {
+  std::unique_ptr<SimpleSymbolSupplier> symbol_supplier;
+
+  if (!symbol_paths.empty()) {
+    // TODO(mmentovai): check existence of symbol_path if specified?
+    symbol_supplier.reset(new SimpleSymbolSupplier(symbol_paths));
+  }
+
+  BasicSourceLineResolver resolver;
+  MinidumpProcessor minidump_processor(symbol_supplier.get(), &resolver);
+
+  // Process the minidump.
+  Minidump dump(input);
+  if (!dump.Read()) {
+    BPLOG(ERROR) << "Minidump " << dump.path() << " could not be read";
+    return false;
+  }
+  ProcessState process_state;
+  if (minidump_processor.Process(&dump, &process_state) !=
+      google_breakpad::PROCESS_OK) {
+    BPLOG(ERROR) << "MinidumpProcessor::Process failed";
+    return false;
+  }
+
+  if (machine_readable) {

[Lei Zhang, 2016/08/30 21:00:33]

But it's always false.

[Will Harris, 2016/08/31 17:48:09]

Done.

+    PrintProcessStateMachineReadable(process_state);
+  } else {
+    PrintProcessState(process_state, output_stack_contents, &resolver);
+  }
+
+  return true;
+}
+
+}  // namespace
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // put your fuzzing code here and use data+size as input.
+  uint8_t* ptr = static_cast<uint8_t*>(malloc(size));
+  if (!ptr)
+    return 0;
+
+  std::unique_ptr<uint8_t, base::FreeDeleter> buffer(ptr);
+  memcpy(buffer.get(), data, size);
+  imemstream input(buffer.get(), size);
+  PrintMinidumpProcess(input, std::vector<string>(), false, false);
+  return 0;
+}