[Nearby] Add fuzzing target for Advertisement

This adds a new fuzzing target for Advertisement parsing. Note that the
parsing is already running in a sandboxed utility process, but it's
still good to verify with a fuzzer that raw data handling does not have
any unexpected issues.

Bug: 1091349
Change-Id: I3b1af84e5144fb2e88531ee6dc342dfc6ddc661b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2203381Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: Alex Gough <ajgo@chromium.org>
Commit-Queue: Richard Knoll <knollr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#775726}

chrome/services/sharing/nearby_decoder/BUILD.gn

@@ -2,6 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+import("//testing/libfuzzer/fuzzer_test.gni")
+
 source_set("nearby_decoder") {
   sources = [
     "advertisement.cc",
@@ -34,3 +36,12 @@ source_set("unit_tests") {
     "//testing/gtest",
   ]
 }
+
+fuzzer_test("nearby_decoder_fuzzer") {
+  sources = [ "nearby_decoder_fuzzer.cc" ]
+  deps = [
+    ":nearby_decoder",
+    "//base",
+    "//mojo/core/embedder",
+  ]
+}

chrome/services/sharing/nearby_decoder/DEPS

+specific_include_rules = {
+  "nearby_decoder_fuzzer.cc": [
+    "+mojo/core/embedder/embedder.h",
+  ]
+}

chrome/services/sharing/nearby_decoder/nearby_decoder_fuzzer.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/services/sharing/nearby_decoder/nearby_decoder.h"
+
+#include <stddef.h>
+#include <stdint.h>
+#include <memory>
+#include <vector>
+
+#include "base/logging.h"
+#include "base/no_destructor.h"
+#include "base/run_loop.h"
+#include "base/task/single_thread_task_executor.h"
+#include "chrome/services/sharing/public/mojom/nearby_decoder.mojom.h"
+#include "chrome/services/sharing/public/mojom/nearby_decoder_types.mojom.h"
+#include "mojo/core/embedder/embedder.h"
+#include "mojo/public/cpp/bindings/remote.h"
+
+struct Environment {
+  Environment() {
+    mojo::core::Init();
+    // Disable noisy logging as per "libFuzzer in Chrome" documentation:
+    // testing/libfuzzer/getting_started.md#Disable-noisy-error-message-logging.
+    logging::SetMinLogLevel(logging::LOG_FATAL);
+
+    // Create instance once to be reused between fuzzing rounds.
+    decoder = std::make_unique<sharing::NearbySharingDecoder>(
+        remote.BindNewPipeAndPassReceiver());
+  }
+
+  base::SingleThreadTaskExecutor task_executor;
+  mojo::Remote<sharing::mojom::NearbySharingDecoder> remote;
+  std::unique_ptr<sharing::NearbySharingDecoder> decoder;
+};
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  static base::NoDestructor<Environment> environment;
+
+  std::vector<uint8_t> buffer(data, data + size);
+  base::RunLoop run_loop;
+  environment->decoder->DecodeAdvertisement(
+      buffer, base::BindOnce(
+                  [](base::RunLoop* run_loop,
+                     sharing::mojom::AdvertisementPtr advertisement) {
+                    run_loop->Quit();
+                  },
+                  &run_loop));
+  run_loop.Run();
+
+  return 0;
+}