Support split chunk input for WebSocketFrameParser fuzzer

net::WebSocketFrameParser keeps state between calls as a WebSocket frame header can span multiple reads from the underlying socket. Up until now, the fuzzer only simulated one read. By passing the input in multiple chunks, the coverage of the fuzzer is increased. Also increase max_len to 256. As the per-iteration setup cost is quite high for this fuzzer, a larger input length makes the coverage from each iteration higher without significantly harming speed. R=yhirano BUG= Review-Url: https://codereview.chromium.org/2309723002 Cr-Commit-Position: refs/heads/master@{#417224}

Support split chunk input for WebSocketFrameParser fuzzer
net::WebSocketFrameParser keeps state between calls as a WebSocket frame header can span multiple reads from the underlying socket. Up until now, the fuzzer only simulated one read. By passing the input in multiple chunks, the coverage of the fuzzer is increased. Also increase max_len to 256. As the per-iteration setup cost is quite high for this fuzzer, a larger input length makes the coverage from each iteration higher without significantly harming speed. R=yhirano BUG= Review-Url: https://codereview.chromium.org/2309723002 Cr-Commit-Position: refs/heads/master@{#417224}
105ae61b · ricea · Commit bot · 1062876a · 105ae61b · 105ae61b
Commit 105ae61b authored Sep 08, 2016 by ricea Committed by Commit bot Sep 08, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

net/BUILD.gn net/BUILD.gn +1 -0

net/websockets/websocket_frame_parser_fuzzer.cc net/websockets/websocket_frame_parser_fuzzer.cc +7 -2

No files found.
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -1959,6 +1959,7 @@ fuzzer_test("net_websocket_frame_parser_fuzzer") {
    "//net",
  ]
  dict = "data/fuzzer_dictionaries/net_websocket_frame_parser_fuzzer.dict"
+  libfuzzer_options = [ "max_len=256" ]
 }
 fuzzer_test("net_http_chunked_decoder_fuzzer") {

--- a/net/websockets/websocket_frame_parser_fuzzer.cc
+++ b/net/websockets/websocket_frame_parser_fuzzer.cc
@@ -7,13 +7,18 @@
 #include <vector>
+#include "base/test/fuzzed_data_provider.h"
 #include "net/websockets/websocket_frame_parser.h"
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  base::FuzzedDataProvider fuzzed_data_provider(data, size);
  net::WebSocketFrameParser parser;
  std::vector<std::unique_ptr<net::WebSocketFrameChunk>> frame_chunks;
-  parser.Decode(reinterpret_cast<const char*>(data), size, &frame_chunks);
+  while (fuzzed_data_provider.remaining_bytes() > 0) {
+    size_t chunk_size = fuzzed_data_provider.ConsumeUint32InRange(1, 32);
+    base::StringPiece chunk = fuzzed_data_provider.ConsumeBytes(chunk_size);
+    parser.Decode(chunk.data(), chunk.size(), &frame_chunks);
+  }
  return 0;
 }