authorkrasin <krasin@google.com>2015-10-23 15:15:56 -0700
committerCommit bot <commit-bot@chromium.org>2015-10-23 22:18:18 +0000
commit68cab89b093929b1c92c11c84eb5fbc5b02ceedf (patch)
tree67fc93fbfdde44ad8807a1c2c3231166780395fa /testing
parent4cad4883ef113b139bef613a8cf399bf76b350f9 (diff)
Another batch of fuzzers.
BUG=539572 Review URL: https://codereview.chromium.org/1417033005 Cr-Commit-Position: refs/heads/master@{#355903}
Diffstat (limited to 'testing')
-rw-r--r--testing/libfuzzer/BUILD.gn51
-rw-r--r--testing/libfuzzer/es_parser_adts_fuzzer.cc22
-rw-r--r--testing/libfuzzer/es_parser_h264_fuzzer.cc21
-rw-r--r--testing/libfuzzer/es_parser_mpeg1audio_fuzzer.cc37
-rw-r--r--testing/libfuzzer/string_tokenizer_fuzzer.cc27
-rw-r--r--testing/libfuzzer/unescape_url_component_fuzzer.cc22
6 files changed, 180 insertions, 0 deletions
diff --git a/testing/libfuzzer/BUILD.gn b/testing/libfuzzer/BUILD.gn
index 5fc0ff1..52c7092 100644
--- a/testing/libfuzzer/BUILD.gn
+++ b/testing/libfuzzer/BUILD.gn
@@ -62,6 +62,36 @@ test("dns_record_fuzzer") {
]
}
+test("es_parser_adts_fuzzer") {
+ sources = [
+ "es_parser_adts_fuzzer.cc",
+ ]
+ deps = [
+ ":libfuzzer_main",
+ "//media",
+ ]
+}
+
+test("es_parser_h264_fuzzer") {
+ sources = [
+ "es_parser_h264_fuzzer.cc",
+ ]
+ deps = [
+ ":libfuzzer_main",
+ "//media",
+ ]
+}
+
+test("es_parser_mpeg1audio_fuzzer") {
+ sources = [
+ "es_parser_mpeg1audio_fuzzer.cc",
+ ]
+ deps = [
+ ":libfuzzer_main",
+ "//media",
+ ]
+}
+
test("ftp_ctrl_response_fuzzer") {
sources = [
"ftp_ctrl_response_fuzzer.cc",
@@ -116,6 +146,16 @@ test("snappy_fuzzer") {
]
}
+test("string_tokenizer_fuzzer") {
+ sources = [
+ "string_tokenizer_fuzzer.cc",
+ ]
+ deps = [
+ ":libfuzzer_main",
+ "//base",
+ ]
+}
+
test("string_to_int_fuzzer") {
sources = [
"string_to_int_fuzzer.cc",
@@ -126,6 +166,17 @@ test("string_to_int_fuzzer") {
]
}
+test("unescape_url_component_fuzzer") {
+ sources = [
+ "unescape_url_component_fuzzer.cc",
+ ]
+ deps = [
+ ":libfuzzer_main",
+ "//base",
+ "//net",
+ ]
+}
+
test("url_parse_fuzzer") {
sources = [
"url_parse_fuzzer.cc",
diff --git a/testing/libfuzzer/es_parser_adts_fuzzer.cc b/testing/libfuzzer/es_parser_adts_fuzzer.cc
new file mode 100644
index 0000000..005bdc8
--- /dev/null
+++ b/testing/libfuzzer/es_parser_adts_fuzzer.cc
@@ -0,0 +1,22 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/bind.h"
+#include "media/formats/mp2t/es_parser_adts.h"
+
+static void NewAudioConfig(const media::AudioDecoderConfig& config) {}
+static void EmitBuffer(scoped_refptr<media::StreamParserBuffer> buffer) {}
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
+ media::mp2t::EsParserAdts es_parser(base::Bind(&NewAudioConfig),
+ base::Bind(&EmitBuffer), true);
+ if (!es_parser.Parse(data, size, media::kNoTimestamp(),
+ media::kNoDecodeTimestamp())) {
+ return 0;
+ }
+ es_parser.Flush();
+ return 0;
+}
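Review bot: The whole input reaches the parser in a single `Parse()` call in `LLVMFuzzerTestOneInput`, so any state the parser carries between calls (a frame or start code split across two buffers) is never exercised; the same holds for es_parser_h264_fuzzer.cc and es_parser_mpeg1audio_fuzzer.cc. For a parser that consumes untrusted media in pieces, that reassembly path is a likely place for length and offset mistakes, so it is worth either splitting the input at a fuzzer-chosen offset or at least recording the limitation, e.g. `// Feeds the input in one Parse() call; cross-call buffering is not covered.` Separately, the bare `true` passed as the third constructor argument fixes one configuration; a short comment naming the parameter would make clear which mode is being fuzzed.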
diff --git a/testing/libfuzzer/es_parser_h264_fuzzer.cc b/testing/libfuzzer/es_parser_h264_fuzzer.cc
new file mode 100644
index 0000000..57058b9
--- /dev/null
+++ b/testing/libfuzzer/es_parser_h264_fuzzer.cc
@@ -0,0 +1,21 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/bind.h"
+#include "media/formats/mp2t/es_parser_h264.h"
+
+static void NewVideoConfig(const media::VideoDecoderConfig& config) {}
+static void EmitBuffer(scoped_refptr<media::StreamParserBuffer> buffer) {}
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
+ media::mp2t::EsParserH264 es_parser(base::Bind(&NewVideoConfig),
+ base::Bind(&EmitBuffer));
+ if (!es_parser.Parse(data, size, media::kNoTimestamp(),
+ media::kNoDecodeTimestamp())) {
+ return 0;
+ }
+ return 0;
+}
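Review bot: Unlike the ADTS and MPEG-1 audio fuzzers in this commit, this one never calls `es_parser.Flush()`, so whatever the parser does with data still pending at end of stream is not reached. Adding `es_parser.Flush();` before the final `return 0;` would bring it in line with the other two. As written, the `if (!es_parser.Parse(...)) { return 0; }` branch is also redundant, because both paths return 0 immediately.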
diff --git a/testing/libfuzzer/es_parser_mpeg1audio_fuzzer.cc b/testing/libfuzzer/es_parser_mpeg1audio_fuzzer.cc
new file mode 100644
index 0000000..15209a3
--- /dev/null
+++ b/testing/libfuzzer/es_parser_mpeg1audio_fuzzer.cc
@@ -0,0 +1,37 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/bind.h"
+#include "media/formats/mp2t/es_parser_mpeg1audio.h"
+
+class NullMediaLog : public media::MediaLog {
+ public:
+ NullMediaLog() {}
+
+ void DoAddEventLogString(const std::string& event) {}
+ void AddEvent(scoped_ptr<media::MediaLogEvent> event) override {}
+
+ protected:
+ virtual ~NullMediaLog() {}
+
+ private:
+ DISALLOW_COPY_AND_ASSIGN(NullMediaLog);
+};
+
+static void NewAudioConfig(const media::AudioDecoderConfig& config) {}
+static void EmitBuffer(scoped_refptr<media::StreamParserBuffer> buffer) {}
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
+ scoped_refptr<NullMediaLog> media_log(new NullMediaLog());
+ media::mp2t::EsParserMpeg1Audio es_parser(base::Bind(&NewAudioConfig),
+ base::Bind(&EmitBuffer), media_log);
+ if (!es_parser.Parse(data, size, media::kNoTimestamp(),
+ media::kNoDecodeTimestamp())) {
+ return 0;
+ }
+ es_parser.Flush();
+ return 0;
+}
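Review bot: In `NullMediaLog`, `DoAddEventLogString` is declared without `override`, so if it does not match a virtual in `media::MediaLog` (not visible in this hunk) it silently becomes an unrelated, never-called method. Marking it `void DoAddEventLogString(const std::string& event) override {}` lets the compiler confirm that, or it can be dropped if there is nothing to override. The destructor would likewise read better as `~NullMediaLog() override {}`. The file uses `media::MediaLog` and `std::string` but relies on transitive includes for both; including the MediaLog header and `<string>` directly would keep the fuzzer building if the parser header changes.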
diff --git a/testing/libfuzzer/string_tokenizer_fuzzer.cc b/testing/libfuzzer/string_tokenizer_fuzzer.cc
new file mode 100644
index 0000000..8174b23
--- /dev/null
+++ b/testing/libfuzzer/string_tokenizer_fuzzer.cc
@@ -0,0 +1,27 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <string>
+
+#include "base/strings/string_tokenizer.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
+ if (size < 1) {
+ return 0;
+ }
+ unsigned long pattern_size = data[0];
+ if (pattern_size > size - 1) {
+ return 0;
+ }
+ std::string pattern(reinterpret_cast<const char*>(data + 1), pattern_size);
+ std::string input(reinterpret_cast<const char*>(data + 1 + pattern_size),
+ size - pattern_size - 1);
+ base::StringTokenizer t(input, pattern);
+ while (t.GetNext()) {
+ (void)t.token();
+ }
+ return 0;
+}
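Review bot: The way `LLVMFuzzerTestOneInput` carves the input into delimiters and text is only implicit in the arithmetic, which makes seed corpora and crash reproducers hard to read. I would add a comment above the `size < 1` check such as `// Input layout: [1 byte N][N delimiter bytes][remaining bytes: string to tokenize].` The bounds checks themselves look right: `pattern_size > size - 1` is evaluated only after `size >= 1`, so neither `std::string` constructor can read past `data + size`. Only the default tokenizer configuration is exercised, so any optional modes the tokenizer offers remain uncovered.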
diff --git a/testing/libfuzzer/unescape_url_component_fuzzer.cc b/testing/libfuzzer/unescape_url_component_fuzzer.cc
new file mode 100644
index 0000000..c599c0b
--- /dev/null
+++ b/testing/libfuzzer/unescape_url_component_fuzzer.cc
@@ -0,0 +1,22 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <string>
+
+#include "net/base/escape.h"
+
+
+static const int kMaxUnescapeRule = 31;
+
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
+ std::string path(reinterpret_cast<const char*>(data), size);
+ for (int i = 0; i <= kMaxUnescapeRule; i++) {
+ (void)net::UnescapeURLComponent(path,
+ static_cast<net::UnescapeRule::Type>(i));
+ }
+ return 0;
+}
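Review bot: `kMaxUnescapeRule = 31` is a magic number that presumably stands for every `net::UnescapeRule` flag bit set, and nothing ties it to the enum. If a flag is added later, the loop in `LLVMFuzzerTestOneInput` will quietly stop covering the full rule space. At minimum, document the assumption with something like `// 31 == all UnescapeRule flag bits OR'ed together; update when a flag is added.` Better still would be to build the constant from the named enumerators so that it cannot drift.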