Add a URLRequest FTP fuzzer.

base/test/fuzzed_data_provider.cc

Index: base/test/fuzzed_data_provider.cc
diff --git a/base/test/fuzzed_data_provider.cc b/base/test/fuzzed_data_provider.cc
index 3045e693a75f9eee407538809731a00eee9d160f..14ffb12a648f08008d52a5d730f43bbd6ab4d9db 100644
--- a/base/test/fuzzed_data_provider.cc
+++ b/base/test/fuzzed_data_provider.cc
@@ -54,6 +54,28 @@ uint32_t FuzzedDataProvider::ConsumeUint32InRange(uint32_t min, uint32_t max) {
   return min + result % (range + 1);
 }
 
+std::string FuzzedDataProvider::ConsumeRandomLengthString(size_t max_length) {
+  // Reads bytes from start of |remaining_data_|. Maps "\\" to "\", and maps "\"

[Paweł Hajdan Jr., 2016/11/15 13:38:50]

Why do we care about backslashes?

Is this the right level of abstraction for this logic?

[mmenke, 2016/11/15 13:43:48]

I'm not following.  We need a random string that can contain any character, with
a length from 1 to max_length.  We also want it to be relatively stable against
mutation, allowing the fuzzer to insert characters into it (Which length
prefix/suffix + characters doesn't do).

The simplest way to do this is with a magic sequence of characters that mean end
of string, but then that necessitates using an escape sequence of some sort, to
allow any string to be encoded.

[mmenke, 2016/11/15 13:46:59]

Sorry, "From length 0 to max_length".

[mmenke, 2016/11/15 13:55:32]

And, just so we're on the same page, the fuzzers generate random input (Based on
previous inputs that were interesting, and possibly a dictionary to help with
the search), send them to the fuzzer code, which then can use this class to
break up the input into bite-sized chunks.  Consumers don't need to use these
escape characters directly themselves.

In my tests, this method resulted in faster exploration of the search space than
picking out a length from the fuzzed data, and then creating a string of exactly
that many characters.

+  // followed by anything else to the end of the string. As a result of this
+  // logic, a fuzzer can insert characters into the string, and the string will
+  // be lengthened to include those new characters, resulting in a more stable
+  // fuzzer than picking the length of a string independently from picking its
+  // contents.
+  std::string out;
+  for (size_t i = 0; i < max_length && !remaining_data_.empty(); ++i) {
+    char next = remaining_data_[0];
+    remaining_data_.remove_prefix(1);
+    if (next == '\\' && !remaining_data_.empty()) {
+      next = remaining_data_[0];
+      remaining_data_.remove_prefix(1);
+      if (next != '\\')
+        return out;
+    }
+    out += next;
+  }
+  return out;
+}
+
 int FuzzedDataProvider::ConsumeInt32InRange(int min, int max) {
   CHECK_LE(min, max);