Add a trivial fuzzer for inspector_protocol's CBOR parser.

Bug: None Change-Id: I92514a0a3be55c1ed746a49de0f484fd924cbe05 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1602741Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Alexei Filippov <alph@chromium.org> Reviewed-by: Jonathan Metzman <metzman@chromium.org> Reviewed-by: Johannes Henkel <johannes@chromium.org> Commit-Queue: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#658803}

Add a trivial fuzzer for inspector_protocol's CBOR parser.
Bug: None Change-Id: I92514a0a3be55c1ed746a49de0f484fd924cbe05 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1602741Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Alexei Filippov <alph@chromium.org> Reviewed-by: Jonathan Metzman <metzman@chromium.org> Reviewed-by: Johannes Henkel <johannes@chromium.org> Commit-Queue: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#658803}
0a523b3f · Chris Palmer · Commit Bot · e977efde · 0a523b3f · 0a523b3f
Commit 0a523b3f authored May 10, 2019 by Chris Palmer Committed by Commit Bot May 10, 2019
3 changed files
--- a/content/browser/devtools/inspector_fuzzer.cc
+++ b/content/browser/devtools/inspector_fuzzer.cc
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <memory>
+#include <vector>
+
+#include "third_party/inspector_protocol/encoding/encoding.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  using namespace inspector_protocol_encoding;
+
+  span<uint8_t> fuzz{data, size};
+
+  // We need to handle whatever the parser parses. So, we handle the parsed
+  // stuff with another CBOR encoder, just because it's conveniently available.
+  std::vector<uint8_t> encoded;
+  Status status;
+  std::unique_ptr<StreamingParserHandler> encoder =
+      cbor::NewCBOREncoder(&encoded, &status);
+
+  cbor::ParseCBOR(fuzz, encoder.get());
+
+  return 0;
+}
--- a/content/test/fuzzer/BUILD.gn
+++ b/content/test/fuzzer/BUILD.gn
@@ -139,6 +139,17 @@ fuzzer_test("devtools_protocol_encoding_json_fuzzer") {
  seed_corpus = "//third_party/grpc/src/test/core/json/corpus/"
 }

+fuzzer_test("inspector_fuzzer") {
+  sources = [
+    "../../browser/devtools/inspector_fuzzer.cc",
+  ]
+  deps = [
+    "//third_party/inspector_protocol:encoding",
+  ]
+  seed_corpus = "//components/cbor/reader_fuzzer_corpus/"
+  libfuzzer_options = [ "max_len=65535" ]
+}
+
 fuzzer_test("http_structured_header_fuzzer") {
  sources = [
    "http_structured_header_fuzzer.cc",

--- a/third_party/inspector_protocol/README.chromium
+++ b/third_party/inspector_protocol/README.chromium
@@ -5,7 +5,7 @@ Version: 0
 Revision: 2039736177ee11d96a096cdab9c58cc1d78faa43
 License: BSD
 License File: LICENSE
-Security Critical: no
+Security Critical: yes

 Description:
 WebKit/core/inspector uses these scripts to generate handlers from protocol