authorkrasin <krasin@google.com>2015-10-21 18:46:22 -0700
committerCommit bot <commit-bot@chromium.org>2015-10-22 01:47:14 +0000
commitf45d529d19dad67376809c81119f4f38c98f97ae (patch)
treed4d70f8ff981e22de0289987a675e6a5b4b6192e /testing
parent5b8b85e33293743b41412b8797816d46744fa884 (diff)
Add four more fuzzers.
One of them (mp4_box_reader_fuzzer) requires proprietary_codecs=true. BUG=chromium:539572 Review URL: https://codereview.chromium.org/1408243006 Cr-Commit-Position: refs/heads/master@{#355475}
Diffstat (limited to 'testing')
-rw-r--r--testing/libfuzzer/BUILD.gn44
-rw-r--r--testing/libfuzzer/brotli_fuzzer.cc5
-rw-r--r--testing/libfuzzer/courgette_fuzzer.cc22
-rw-r--r--testing/libfuzzer/dns_record_fuzzer.cc7
-rw-r--r--testing/libfuzzer/ftp_ctrl_response_fuzzer.cc7
-rw-r--r--testing/libfuzzer/ftp_directory_listing_fuzzer.cc5
-rw-r--r--testing/libfuzzer/language_detection_fuzzer.cc36
-rw-r--r--testing/libfuzzer/mp4_box_reader_fuzzer.cc41
-rw-r--r--testing/libfuzzer/snappy_fuzzer.cc7
-rw-r--r--testing/libfuzzer/string_to_int_fuzzer.cc5
-rw-r--r--testing/libfuzzer/vp9_parser_fuzzer.cc19
11 files changed, 183 insertions, 15 deletions
diff --git a/testing/libfuzzer/BUILD.gn b/testing/libfuzzer/BUILD.gn
index c8c5e02..5fc0ff1 100644
--- a/testing/libfuzzer/BUILD.gn
+++ b/testing/libfuzzer/BUILD.gn
@@ -7,6 +7,7 @@
#
# To enable libfuzzer, 'use_libfuzzer' GN option should be set to true.
+import("//build/config/features.gni")
import("//testing/test.gni")
static_library("libfuzzer_main") {
@@ -39,6 +40,17 @@ test("brotli_fuzzer") {
]
}
+test("courgette_fuzzer") {
+ sources = [
+ "courgette_fuzzer.cc",
+ ]
+ deps = [
+ ":libfuzzer_main",
+ "//base",
+ "//courgette:courgette_lib",
+ ]
+}
+
test("dns_record_fuzzer") {
sources = [
"dns_record_fuzzer.cc",
@@ -72,6 +84,28 @@ test("ftp_directory_listing_fuzzer") {
]
}
+test("language_detection_fuzzer") {
+ sources = [
+ "language_detection_fuzzer.cc",
+ ]
+ deps = [
+ ":libfuzzer_main",
+ "//components/translate/core/language_detection:language_detection",
+ ]
+}
+
+if (proprietary_codecs) {
+ test("mp4_box_reader_fuzzer") {
+ sources = [
+ "mp4_box_reader_fuzzer.cc",
+ ]
+ deps = [
+ ":libfuzzer_main",
+ "//media",
+ ]
+ }
+}
+
test("snappy_fuzzer") {
sources = [
"snappy_fuzzer.cc",
@@ -101,3 +135,13 @@ test("url_parse_fuzzer") {
"//url:url",
]
}
+
+test("vp9_parser_fuzzer") {
+ sources = [
+ "vp9_parser_fuzzer.cc",
+ ]
+ deps = [
+ ":libfuzzer_main",
+ "//media",
+ ]
+}
diff --git a/testing/libfuzzer/brotli_fuzzer.cc b/testing/libfuzzer/brotli_fuzzer.cc
index 74ee07a..c02e982 100644
--- a/testing/libfuzzer/brotli_fuzzer.cc
+++ b/testing/libfuzzer/brotli_fuzzer.cc
@@ -8,9 +8,10 @@
#include "third_party/brotli/dec/decode.h"
// Entry point for LibFuzzer.
-extern "C" void LLVMFuzzerTestOneInput(const unsigned char* data,
- unsigned long size) {
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
std::vector<uint8_t> uncompressed_buf(128 << 10);
size_t uncompressed_size = uncompressed_buf.size();
BrotliDecompressBuffer(size, data, &uncompressed_size, &uncompressed_buf[0]);
+ return 0;
}
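Review bot: The rewritten signature on the `+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,` line keeps the second parameter as `unsigned long`, while libFuzzer declares the entry point as `int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)`; on LP64 targets the two are the same width, but the prototypes still differ, and because `extern "C"` linkage carries no type information a mismatch on another target would go unnoticed until runtime, so spell it `size_t` (and `const uint8_t*`). The same spelling is used by every fuzzer in this change (courgette, dns_record, ftp_ctrl_response, ftp_directory_listing, language_detection, mp4_box_reader, snappy, string_to_int, vp9_parser), so one fix applies to all of them. The `// Entry point for LibFuzzer.` comment could also say what the newly added return means: `// Entry point for LibFuzzer. The return value is reserved; always return 0.` Ignoring the result of `BrotliDecompressBuffer` is fine for a harness, but a trailing `// Result intentionally ignored; only crashes/sanitizer reports matter.` makes that deliberate.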
diff --git a/testing/libfuzzer/courgette_fuzzer.cc b/testing/libfuzzer/courgette_fuzzer.cc
new file mode 100644
index 0000000..d55454c
--- /dev/null
+++ b/testing/libfuzzer/courgette_fuzzer.cc
@@ -0,0 +1,22 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/memory/scoped_ptr.h"
+#include "courgette/assembly_program.h"
+#include "courgette/courgette.h"
+#include "courgette/encoded_program.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
+ courgette::AssemblyProgram* prog;
+ courgette::Status status =
+ courgette::ParseDetectedExecutable(data, size, &prog);
+ if (status != courgette::C_OK) {
+ return 0;
+ }
+ scoped_ptr<courgette::EncodedProgram> enc_prog(prog->Encode());
+ courgette::DeleteAssemblyProgram(prog);
+ return 0;
+}
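Review bot: `courgette::AssemblyProgram* prog;` in the new entry point is left uninitialized and, once the `C_OK` check passes, is dereferenced on the `prog->Encode()` line with no null test; if `ParseDetectedExecutable` can report success without producing a program (I cannot tell from here), that is a null dereference in the harness rather than in the code under test. Initialize and guard it: `courgette::AssemblyProgram* prog = nullptr;` and `if (status != courgette::C_OK || !prog) return 0;`. The `enc_prog` value is never used beyond forcing the encode to run, which is intended for a fuzzer, so a comment such as `// Encode() is exercised for its side effects only; the result is discarded.` would make that explicit for the next reader.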
diff --git a/testing/libfuzzer/dns_record_fuzzer.cc b/testing/libfuzzer/dns_record_fuzzer.cc
index e199c43..207b17c 100644
--- a/testing/libfuzzer/dns_record_fuzzer.cc
+++ b/testing/libfuzzer/dns_record_fuzzer.cc
@@ -7,14 +7,15 @@
#include "net/dns/dns_response.h"
// Entry point for LibFuzzer.
-extern "C" void LLVMFuzzerTestOneInput(const unsigned char* data,
- unsigned long size) {
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
std::string out;
net::DnsRecordParser parser(data, size, 0);
if (!parser.IsValid()) {
- return;
+ return 0;
}
net::DnsResourceRecord record;
while (parser.ReadRecord(&record)) {
}
+ return 0;
}
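Review bot: `std::string out;` in the body is never used on the new side, so the harness carries a dead local; drop that line. The empty `while (parser.ReadRecord(&record)) {}` loop is the whole exercise, which is fine for a fuzzer, but an empty loop body reads like an accident, so a comment such as `// Drain every record; the point is that parsing terminates without faults.` documents the intent.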
diff --git a/testing/libfuzzer/ftp_ctrl_response_fuzzer.cc b/testing/libfuzzer/ftp_ctrl_response_fuzzer.cc
index 817b20f..686921b 100644
--- a/testing/libfuzzer/ftp_ctrl_response_fuzzer.cc
+++ b/testing/libfuzzer/ftp_ctrl_response_fuzzer.cc
@@ -6,14 +6,15 @@
#include "net/log/net_log.h"
// Entry point for LibFuzzer.
-extern "C" void LLVMFuzzerTestOneInput(const unsigned char* data,
- unsigned long size) {
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
const net::BoundNetLog log;
net::FtpCtrlResponseBuffer buffer(log);
if (!buffer.ConsumeData(reinterpret_cast<const char*>(data), size)) {
- return;
+ return 0;
}
while (buffer.ResponseAvailable()) {
(void)buffer.PopResponse();
}
+ return 0;
}
diff --git a/testing/libfuzzer/ftp_directory_listing_fuzzer.cc b/testing/libfuzzer/ftp_directory_listing_fuzzer.cc
index 2698086..2b767e9 100644
--- a/testing/libfuzzer/ftp_directory_listing_fuzzer.cc
+++ b/testing/libfuzzer/ftp_directory_listing_fuzzer.cc
@@ -9,9 +9,10 @@
#include "net/ftp/ftp_directory_listing_parser.h"
// Entry point for LibFuzzer.
-extern "C" void LLVMFuzzerTestOneInput(const unsigned char* data,
- unsigned long size) {
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
std::string buffer(reinterpret_cast<const char*>(data), size);
std::vector<net::FtpDirectoryListingEntry> entries;
net::ParseFtpDirectoryListing(buffer, base::Time::Now(), &entries);
+ return 0;
}
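Review bot: `net::ParseFtpDirectoryListing(buffer, base::Time::Now(), &entries);` feeds wall-clock time into the parser, so if the reference time is used to resolve listing dates (as the parameter suggests, though I cannot confirm it from here) the same input can take a different path depending on when it is run, and a crash found by the fuzzer may not reproduce later. Pass a fixed reference time instead, for example `base::Time::UnixEpoch()` or a constant built from `base::Time::FromTimeT`, with a comment such as `// Fixed reference time so that every run of an input is reproducible.`.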
diff --git a/testing/libfuzzer/language_detection_fuzzer.cc b/testing/libfuzzer/language_detection_fuzzer.cc
new file mode 100644
index 0000000..a257ca4
--- /dev/null
+++ b/testing/libfuzzer/language_detection_fuzzer.cc
@@ -0,0 +1,36 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stdint.h>
+#include <string>
+
+#include "base/strings/string16.h"
+#include "base/strings/utf_string_conversions.h"
+#include "components/translate/core/language_detection/language_detection_util.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
+ if (size == 0) {
+ return 0;
+ }
+ uint8_t ch = data[0];
+ int lang_len = ch & 0xF;
+ int html_lang_len = (ch >> 4) & 0xF;
+ int text_len = size - lang_len - html_lang_len;
+ if ((text_len < 0) || (text_len % 2 != 0)) {
+ return 0;
+ }
+ std::string lang(reinterpret_cast<const char*>(data), lang_len);
+ std::string html_lang(reinterpret_cast<const char*>(data + lang_len),
+ html_lang_len);
+ base::string16 text(
+ reinterpret_cast<const base::char16*>(data + lang_len + html_lang_len),
+ text_len / 2);
+ std::string cld_lang;
+ bool is_cld_reliable;
+ translate::DeterminePageLanguage(lang, html_lang, text, &cld_lang,
+ &is_cld_reliable);
+ return 0;
+}
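Review bot: `base::string16 text(reinterpret_cast<const base::char16*>(data + lang_len + html_lang_len), text_len / 2);` reads 2-byte `char16` values through a pointer that is only byte-aligned; whenever `lang_len + html_lang_len` is odd the pointer is misaligned for the type, which is undefined behaviour and may be flagged by a sanitizer's alignment check against the harness rather than the detector. Build the string by copying instead: `base::string16 text(text_len / 2, 0);` then `memcpy(&text[0], data + lang_len + html_lang_len, text_len);` (plus `#include <string.h>`). Separately, `int text_len = size - lang_len - html_lang_len;` performs the subtraction in `unsigned long` and relies on the narrowing to `int` to yield a negative value when the two lengths exceed `size`; an explicit `if (size < static_cast<size_t>(lang_len + html_lang_len)) return 0;` before the subtraction makes the guard portable and obvious. Note that `lang` also starts at `data`, so the header byte doubles as the first byte of the language tag; if that is intended, a one-line comment saying so would save the next reader a puzzle.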
diff --git a/testing/libfuzzer/mp4_box_reader_fuzzer.cc b/testing/libfuzzer/mp4_box_reader_fuzzer.cc
new file mode 100644
index 0000000..d81c652
--- /dev/null
+++ b/testing/libfuzzer/mp4_box_reader_fuzzer.cc
@@ -0,0 +1,41 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "media/formats/mp4/box_reader.h"
+#include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+
+class NullMediaLog : public media::MediaLog {
+ public:
+ NullMediaLog() {}
+
+ void DoAddEventLogString(const std::string& event) {}
+
+ void AddEvent(scoped_ptr<media::MediaLogEvent> event) override {}
+
+ protected:
+ virtual ~NullMediaLog() {}
+
+ private:
+ DISALLOW_COPY_AND_ASSIGN(NullMediaLog);
+};
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
+ bool err;
+ scoped_refptr<NullMediaLog> media_log(new NullMediaLog());
+ scoped_ptr<media::mp4::BoxReader> reader(
+ media::mp4::BoxReader::ReadTopLevelBox(data, size, media_log, &err));
+ if (err) {
+ return 0;
+ }
+ if (reader == NULL) {
+ return 0;
+ }
+ if (!reader->ScanChildren()) {
+ return 0;
+ }
+ return 0;
+}
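Review bot: `bool err;` in the new entry point is uninitialized and is read on the `if (err)` line; unless `ReadTopLevelBox` is guaranteed to assign it on every return path (I cannot confirm that from here), the harness itself reads an indeterminate value, so initialize it: `bool err = false;`. The three `if` blocks that follow all `return 0;`, so the `reader == NULL` and `ScanChildren()` checks can be collapsed to `if (!err && reader) reader->ScanChildren();`, with `nullptr` rather than `NULL`. In `NullMediaLog`, `DoAddEventLogString` carries no `override` while `AddEvent` does: if it is meant to override a virtual in `media::MediaLog`, mark it `override` so the compiler checks the signature; if it is not, it is dead code and can go. `virtual ~NullMediaLog() {}` can likewise be written `~NullMediaLog() override {}` to match the rest of the class.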
diff --git a/testing/libfuzzer/snappy_fuzzer.cc b/testing/libfuzzer/snappy_fuzzer.cc
index 9c7354f..744b5c3 100644
--- a/testing/libfuzzer/snappy_fuzzer.cc
+++ b/testing/libfuzzer/snappy_fuzzer.cc
@@ -8,17 +8,18 @@
#include "third_party/snappy/src/snappy.h"
// Entry point for LibFuzzer.
-extern "C" void LLVMFuzzerTestOneInput(const unsigned char* data,
- unsigned long size) {
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
snappy::ByteArraySource src(reinterpret_cast<const char*>(data), size);
uint32_t len;
// Note: src is invalid after GetUncompressedLength call.
if (!snappy::GetUncompressedLength(&src, &len) || (len > 1E6)) {
// We have to bail out, to avoid self-crafted decompression bombs.
- return;
+ return 0;
}
std::string uncompressed_str;
snappy::Uncompress(reinterpret_cast<const char*>(data), size,
&uncompressed_str);
+ return 0;
}
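Review bot: `len > 1E6` compares the `uint32_t` length against a double literal, so the bomb guard is evaluated in floating point; `len > 1000000u`, or better a named constant such as `const uint32_t kMaxUncompressedSize = 1000000;`, keeps it integral and gives the limit a name. The guard itself is the right shape for a harness: it bounds the allocation `snappy::Uncompress` will make from attacker-shaped input, and the comment on the `return 0;` line already says so.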
diff --git a/testing/libfuzzer/string_to_int_fuzzer.cc b/testing/libfuzzer/string_to_int_fuzzer.cc
index 2c7ce18..5eb80bf 100644
--- a/testing/libfuzzer/string_to_int_fuzzer.cc
+++ b/testing/libfuzzer/string_to_int_fuzzer.cc
@@ -10,8 +10,8 @@
#include "base/strings/string_number_conversions.h"
// Entry point for LibFuzzer.
-extern "C" void LLVMFuzzerTestOneInput(const unsigned char* data,
- unsigned long size) {
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
std::string input(reinterpret_cast<const char*>(data), size);
int out_int;
base::StringToInt(input, &out_int);
@@ -34,4 +34,5 @@ extern "C" void LLVMFuzzerTestOneInput(const unsigned char* data,
base::HexStringToBytes(input, &out_bytes);
base::HexEncode(data, size);
+ return 0;
}
diff --git a/testing/libfuzzer/vp9_parser_fuzzer.cc b/testing/libfuzzer/vp9_parser_fuzzer.cc
new file mode 100644
index 0000000..c879453
--- /dev/null
+++ b/testing/libfuzzer/vp9_parser_fuzzer.cc
@@ -0,0 +1,19 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "media/filters/vp9_parser.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data,
+ unsigned long size) {
+ media::Vp9Parser parser;
+ parser.SetStream(data, size);
+ while (true) {
+ media::Vp9FrameHeader fhdr;
+ if (media::Vp9Parser::kOk != parser.ParseNextFrame(&fhdr)) {
+ break;
+ }
+ }
+ return 0;
+}
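Review bot: The `while (true)` loop in the new entry point has no bound other than `ParseNextFrame` returning something other than `kOk`; if the parser can report `kOk` without consuming input (I cannot tell from here), the harness spins and libFuzzer reports a timeout against the input instead of a parser bug, so it is worth confirming that every `kOk` advances the stream. A comment on the loop such as `// Walk every frame in the stream; parsing is the behaviour under test, headers are discarded.` documents why `fhdr` is never inspected. If `ParseNextFrame` fully initializes the header on each call, hoisting `media::Vp9FrameHeader fhdr;` above a `while (parser.ParseNextFrame(&fhdr) == media::Vp9Parser::kOk) {}` reads more directly than the `while (true)` plus `break`.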