Unified Diff: net/spdy/fuzzing/hpack_fuzz_util.cc

Issue 284643002: Hpack fuzzing tweaks to address CHECK failures on ClusterFuzz (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 7 months ago
Index: net/spdy/fuzzing/hpack_fuzz_util.cc
diff --git a/net/spdy/fuzzing/hpack_fuzz_util.cc b/net/spdy/fuzzing/hpack_fuzz_util.cc
index 5e62ca92c25c3a984acef761749587d5a6f30690..58f2ec1430d06e2acc19477e5307abe94335093c 100644
--- a/net/spdy/fuzzing/hpack_fuzz_util.cc
+++ b/net/spdy/fuzzing/hpack_fuzz_util.cc
@@ -113,16 +113,19 @@ size_t HpackFuzzUtil::SampleExponential(size_t mean, size_t sanity_bound) {
// static
bool HpackFuzzUtil::NextHeaderBlock(Input* input,
StringPiece* out) {
+ // ClusterFuzz may truncate input files if the fuzzer ran out of allocated
+ // disk space. Be tolerant of these.
CHECK_LE(input->offset, input->input.size());
- if (input->remaining() == 0) {
+ if (input->remaining() < sizeof(uint32)) {
return false;
}
- CHECK_LE(sizeof(uint32), input->remaining());
size_t length = ntohl(*reinterpret_cast<const uint32*>(input->ptr()));
input->offset += sizeof(uint32);
- CHECK_LE(length, input->remaining());
+ if (input->remaining() < length) {
+ return false;
+ }
*out = StringPiece(input->ptr(), length);
input->offset += length;
return true;
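Review bot: The length prefix is still read through `*reinterpret_cast<const uint32*>(input->ptr())`, and because each block advances `offset` by an arbitrary fuzzer-chosen `length`, the pointer is not guaranteed to be 4-byte aligned; the new size guard makes the read in-bounds, but it remains an unaligned access that is undefined behaviour in C++ and will fault on strict-alignment targets. Copying the bytes out first keeps the same value and the same bounds check: `uint32 raw_length; memcpy(&raw_length, input->ptr(), sizeof(raw_length)); size_t length = ntohl(raw_length);`. It is also worth a one-line comment that `offset` has already been advanced past the prefix when the second `return false` fires, so a caller must treat false as end-of-input rather than retry. NextHeaderBlock's closing brace lies outside the hunk.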
@@ -157,10 +160,16 @@ bool HpackFuzzUtil::RunHeaderBlockThroughFuzzerStages(FuzzerContext* context,
CHECK(context->second_stage->EncodeHeaderSet(
context->first_stage->decoded_block(), &second_stage_out));
- // Third stage: Expect a decoding of the re-encoded block to succeed.
- CHECK(context->third_stage->HandleControlFrameHeadersData(
- 1, second_stage_out.data(), second_stage_out.length()));
- CHECK(context->third_stage->HandleControlFrameHeadersComplete(1));
+ // Third stage: Expect a decoding of the re-encoded block to succeed, but
+ // don't require it. It's possible for the stage-two encoder to produce an
+ // output which violates decoder size tolerances.
+ if (!context->third_stage->HandleControlFrameHeadersData(
+ 1, second_stage_out.data(), second_stage_out.length())) {
+ return false;
+ }
+ if (!context->third_stage->HandleControlFrameHeadersComplete(1)) {
Ryan Hamilton 2014/05/12 21:05:49 Up to you, but you could write this as: return co
+ return false;
+ }
return true;
}
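Review bot: The meaning of a false return from RunHeaderBlockThroughFuzzerStages is now split across two places: the second stage at the top of the hunk is still CHECK-fatal, while the third stage returns false, and only the inline comment explains the distinction. The declaration comment (in the header, not in this change) should state it, e.g. `// Returns false if the third-stage decoder rejects the re-encoded block; first- and second-stage failures remain CHECK-fatal.` It is also unclear from the hunk whether `context->third_stage` is left in a usable state after HandleControlFrameHeadersData returns false partway through a block; if the same FuzzerContext is reused for the next block, a comment saying whether the decoder resets itself, or a reset before reuse, would avoid a follow-up CHECK failure that is hard to attribute. The function's body begins before the hunk.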