[Nearby] Add DecodeFrame fuzzer

This adds a fuzz target for the DecodeFrame method of the NearbyDecoder. Bug: 1091349 Change-Id: Iac7eabc35d57c2786e5cffbe2b292910d859c244 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2374868Reviewed-by: Alex Chau <alexchau@chromium.org> Commit-Queue: Richard Knoll <knollr@chromium.org> Cr-Commit-Position: refs/heads/master@{#801446}

[Nearby] Add DecodeFrame fuzzer
This adds a fuzz target for the DecodeFrame method of the NearbyDecoder. Bug: 1091349 Change-Id: Iac7eabc35d57c2786e5cffbe2b292910d859c244 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2374868Reviewed-by: Alex Chau <alexchau@chromium.org> Commit-Queue: Richard Knoll <knollr@chromium.org> Cr-Commit-Position: refs/heads/master@{#801446}
1fe5ba7f · Richard Knoll · Commit Bot · 3ec3c173 · 1fe5ba7f · 1fe5ba7f
Commit 1fe5ba7f authored Aug 25, 2020 by Richard Knoll Committed by Commit Bot Aug 25, 2020
4 changed files
--- a/chrome/services/sharing/nearby/decoder/BUILD.gn
+++ b/chrome/services/sharing/nearby/decoder/BUILD.gn
@@ -37,8 +37,17 @@ source_set("unit_tests") {
  ]
 }

-fuzzer_test("nearby_decoder_fuzzer") {
-  sources = [ "nearby_decoder_fuzzer.cc" ]
+fuzzer_test("nearby_decoder_decode_advertisement_fuzzer") {
+  sources = [ "nearby_decoder_decode_advertisement_fuzzer.cc" ]
+  deps = [
+    ":decoder",
+    "//base",
+    "//mojo/core/embedder",
+  ]
+}
+
+fuzzer_test("nearby_decoder_decode_frame_fuzzer") {
+  sources = [ "nearby_decoder_decode_frame_fuzzer.cc" ]
  deps = [
    ":decoder",
    "//base",

--- a/chrome/services/sharing/nearby/decoder/DEPS
+++ b/chrome/services/sharing/nearby/decoder/DEPS
 specific_include_rules = {
-  "nearby_decoder_fuzzer.cc": [
+  ".*_fuzzer\.cc": [
    "+mojo/core/embedder/embedder.h",
  ]
 }
--- a/chrome/services/sharing/nearby/decoder/nearby_decoder_fuzzer.cc
+++ b/chrome/services/sharing/nearby/decoder/nearby_decoder_fuzzer.cc
--- a/chrome/services/sharing/nearby/decoder/nearby_decoder_decode_frame_fuzzer.cc
+++ b/chrome/services/sharing/nearby/decoder/nearby_decoder_decode_frame_fuzzer.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/services/sharing/nearby/decoder/nearby_decoder.h"
+
+#include <stddef.h>
+#include <stdint.h>
+#include <memory>
+#include <vector>
+
+#include "base/logging.h"
+#include "base/no_destructor.h"
+#include "base/run_loop.h"
+#include "base/task/single_thread_task_executor.h"
+#include "chrome/services/sharing/public/mojom/nearby_decoder.mojom.h"
+#include "chrome/services/sharing/public/mojom/nearby_decoder_types.mojom.h"
+#include "mojo/core/embedder/embedder.h"
+#include "mojo/public/cpp/bindings/remote.h"
+
+struct Environment {
+  Environment() {
+    mojo::core::Init();
+    // Disable noisy logging as per "libFuzzer in Chrome" documentation:
+    // testing/libfuzzer/getting_started.md#Disable-noisy-error-message-logging.
+    logging::SetMinLogLevel(logging::LOG_FATAL);
+
+    // Create instance once to be reused between fuzzing rounds.
+    decoder = std::make_unique<sharing::NearbySharingDecoder>(
+        remote.BindNewPipeAndPassReceiver());
+  }
+
+  base::SingleThreadTaskExecutor task_executor;
+  mojo::Remote<sharing::mojom::NearbySharingDecoder> remote;
+  std::unique_ptr<sharing::NearbySharingDecoder> decoder;
+};
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  static base::NoDestructor<Environment> environment;
+
+  std::vector<uint8_t> buffer(data, data + size);
+  base::RunLoop run_loop;
+  environment->decoder->DecodeFrame(
+      buffer,
+      base::BindOnce([](base::RunLoop* run_loop,
+                        sharing::mojom::FramePtr frame) { run_loop->Quit(); },
+                     &run_loop));
+  run_loop.Run();
+
+  return 0;
+}