Add a fuzzer for GzipSourceStream

net/filter/fuzzed_source_stream.cc

Index: net/filter/fuzzed_source_stream.cc
diff --git a/net/filter/fuzzed_source_stream.cc b/net/filter/fuzzed_source_stream.cc
new file mode 100644
index 0000000000000000000000000000000000000000..08577b8657c797e880d49b86abef6496e85bd714
--- /dev/null
+++ b/net/filter/fuzzed_source_stream.cc
@@ -0,0 +1,74 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/filter/fuzzed_source_stream.h"
+
+#include <string>
+
+#include "base/test/fuzzed_data_provider.h"
+#include "base/threading/thread_task_runner_handle.h"
+#include "net/base/io_buffer.h"
+#include "net/base/net_errors.h"
+
+namespace net {
+
+namespace {
+
+// Common net error codes that can be returned by a SourceStream.
+const Error kReadErrors[] = {OK, ERR_FAILED, ERR_CONTENT_DECODING_FAILED};
+
+}  // namespace
+
+FuzzedSourceStream::FuzzedSourceStream(base::FuzzedDataProvider* data_provider)
+    : SourceStream(SourceStream::TYPE_NONE),
+      data_provider_(data_provider),
+      read_pending_(false) {}
+
+FuzzedSourceStream::~FuzzedSourceStream() {
+  DCHECK(!read_pending_);
+}
+
+int FuzzedSourceStream::Read(IOBuffer* buf,
+                             int buf_len,
+                             const CompletionCallback& callback) {
+  DCHECK(!read_pending_);

[mmenke, 2016/10/27 19:31:11]

Maybe DCHECK that Read isn't called after we're returned a result <= 0?

[xunjieli, 2016/10/28 15:21:47]

Done.

+
+  bool sync = data_provider_->ConsumeBool();
+  int result = data_provider_->ConsumeUint8();

[mmenke, 2016/10/27 19:31:11]

I suggest just doing:

int result = data_provider_->ConsumeUint32InRange(0, buf_len);
std::string data = data_provider_->ConsumeBytes(result);

if (data.size() > 0) {
  ...
} else {
  ...
}

It's a little simpler (Allows having one if/else instead of 3 if's), and it
allows us to fill the buffer (Unless it's longer than the max size of
DataProvider's input).

Should probably also add a CHECK that buf_len >= 0, though.

[xunjieli, 2016/10/28 15:21:47]

Done.

+
+  if (result > buf_len)
+    result = buf_len;
+
+  if (result > 0) {
+    std::string data = data_provider_->ConsumeBytes(result);
+    result = data.size();
+    std::copy(data.data(), data.data() + result, buf->data());

[mmenke, 2016/10/27 19:31:11]

I think we need <algorithm> for std::copy?

[mmenke, 2016/10/27 19:31:11]

optional:  Could be a little more rigorous by not copying data until
OnReadComplete in the async case.  FuzzedSocket doesn't do this, I believe, but
perhaps it should.

[xunjieli, 2016/10/28 15:21:47]

Done.

[xunjieli, 2016/10/28 15:21:47]

Done.

+  }
+  if (result == 0)
+    result = data_provider_->PickValueInArray(kReadErrors);
+
+  if (sync)
+    return result;
+
+  read_pending_ = true;
+  // |this| is owned by the caller so use base::Unretained is safe.
+  base::ThreadTaskRunnerHandle::Get()->PostTask(
+      FROM_HERE, base::Bind(&FuzzedSourceStream::OnReadComplete,
+                            base::Unretained(this), callback, result));
+  return ERR_IO_PENDING;
+}
+
+std::string FuzzedSourceStream::Description() const {
+  return "";
+}
+
+void FuzzedSourceStream::OnReadComplete(const CompletionCallback& callback,
+                                        int result) {
+  DCHECK(read_pending_);
+
+  read_pending_ = false;
+  callback.Run(result);
+}
+
+}  // namespace net