| Anand K. Mistry | 7404c058 | 2018-11-21 16:17:51 | [diff] [blame] | 1 | // Copyright 2018 The Chromium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | #include "base/macros.h" |
| 6 | #include "base/pickle.h" |
| 7 | #include "base/test/fuzzed_data_provider.h" |
| 8 | |
| 9 | namespace { |
| 10 | constexpr int kIterations = 16; |
| 11 | constexpr int kReadControlBytes = 32; |
| 12 | constexpr int kReadDataTypes = 17; |
| 13 | constexpr int kMaxReadLength = 1024; |
| 14 | constexpr int kMaxSkipBytes = 1024; |
| 15 | } // namespace |
| 16 | |
| 17 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
| 18 | if (size < kReadControlBytes) { |
| 19 | return 0; |
| 20 | } |
| 21 | // Use the first kReadControlBytes bytes of the fuzzer input to control how |
| 22 | // the pickled data is read. |
| 23 | base::FuzzedDataProvider data_provider(data, kReadControlBytes); |
| 24 | data += kReadControlBytes; |
| 25 | size -= kReadControlBytes; |
| 26 | |
| 27 | base::Pickle pickle(reinterpret_cast<const char*>(data), size); |
| 28 | base::PickleIterator iter(pickle); |
| 29 | for (int i = 0; i < kIterations; i++) { |
| 30 | uint8_t read_type = data_provider.ConsumeUint8(); |
| 31 | switch (read_type % kReadDataTypes) { |
| 32 | case 0: { |
| 33 | bool result = 0; |
| 34 | ignore_result(iter.ReadBool(&result)); |
| 35 | break; |
| 36 | } |
| 37 | case 1: { |
| 38 | int result = 0; |
| 39 | ignore_result(iter.ReadInt(&result)); |
| 40 | break; |
| 41 | } |
| 42 | case 2: { |
| 43 | long result = 0; |
| 44 | ignore_result(iter.ReadLong(&result)); |
| 45 | break; |
| 46 | } |
| 47 | case 3: { |
| 48 | uint16_t result = 0; |
| 49 | ignore_result(iter.ReadUInt16(&result)); |
| 50 | break; |
| 51 | } |
| 52 | case 4: { |
| 53 | uint32_t result = 0; |
| 54 | ignore_result(iter.ReadUInt32(&result)); |
| 55 | break; |
| 56 | } |
| 57 | case 5: { |
| 58 | int64_t result = 0; |
| 59 | ignore_result(iter.ReadInt64(&result)); |
| 60 | break; |
| 61 | } |
| 62 | case 6: { |
| 63 | uint64_t result = 0; |
| 64 | ignore_result(iter.ReadUInt64(&result)); |
| 65 | break; |
| 66 | } |
| 67 | case 7: { |
| 68 | float result = 0; |
| 69 | ignore_result(iter.ReadFloat(&result)); |
| 70 | break; |
| 71 | } |
| 72 | case 8: { |
| 73 | double result = 0; |
| 74 | ignore_result(iter.ReadDouble(&result)); |
| 75 | break; |
| 76 | } |
| 77 | case 9: { |
| 78 | std::string result; |
| 79 | ignore_result(iter.ReadString(&result)); |
| 80 | break; |
| 81 | } |
| 82 | case 10: { |
| 83 | base::StringPiece result; |
| 84 | ignore_result(iter.ReadStringPiece(&result)); |
| 85 | break; |
| 86 | } |
| 87 | case 11: { |
| 88 | base::string16 result; |
| 89 | ignore_result(iter.ReadString16(&result)); |
| 90 | break; |
| 91 | } |
| 92 | case 12: { |
| 93 | base::StringPiece16 result; |
| 94 | ignore_result(iter.ReadStringPiece16(&result)); |
| 95 | break; |
| 96 | } |
| 97 | case 13: { |
| 98 | const char* data_result = nullptr; |
| 99 | int length_result = 0; |
| 100 | ignore_result(iter.ReadData(&data_result, &length_result)); |
| 101 | break; |
| 102 | } |
| 103 | case 14: { |
| 104 | const char* data_result = nullptr; |
| 105 | int read_length = data_provider.ConsumeInt32InRange(0, kMaxReadLength); |
| 106 | ignore_result(iter.ReadBytes(&data_result, read_length)); |
| 107 | break; |
| 108 | } |
| 109 | case 15: { |
| 110 | int result = 0; |
| 111 | ignore_result(iter.ReadLength(&result)); |
| 112 | break; |
| 113 | } |
| 114 | case 16: { |
| 115 | ignore_result(iter.SkipBytes( |
| 116 | data_provider.ConsumeInt32InRange(0, kMaxSkipBytes))); |
| 117 | break; |
| 118 | } |
| 119 | } |
| 120 | } |
| 121 | |
| 122 | return 0; |
| 123 | } |
