Add fuzzer for feedback::RedactionTool

Untrusted input? Complex C++ parsing code? Put a fuzzer on it!

Bug: chromium:1121816
Change-Id: Iddb65e2568d88bbd32157bae49ceacaa1755c04d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2443396
Commit-Queue: Ian Barkley-Yeung <iby@chromium.org>
Reviewed-by: Miriam Zimmerman <mutexlox@chromium.org>
Auto-Submit: Ian Barkley-Yeung <iby@chromium.org>
Cr-Commit-Position: refs/heads/master@{#813042}

components/feedback/BUILD.gn

@@ -2,6 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+import("//testing/libfuzzer/fuzzer_test.gni")
+
 static_library("feedback") {
   sources = [
     "feedback_common.cc",
@@ -76,3 +78,9 @@ source_set("unit_tests") {
     "//testing/gtest",
   ]
 }
+
+fuzzer_test("redaction_tool_fuzzer") {
+  sources = [ "redaction_tool_fuzzer.cc" ]
+  deps = [ ":feedback" ]
+  dict = "redaction_tool_fuzzer.dict"
+}

components/feedback/redaction_tool_fuzzer.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include "components/feedback/redaction_tool.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  FuzzedDataProvider provider(data, size);
+
+  int first_party_extension_id_count = provider.ConsumeIntegralInRange(-1, 50);
+  // This is the storage for the strings inside first_party_extension_ids. This
+  // is to make sure the char *'s we pass to the RedactionTool constructor are
+  // deleted correctly -- they must be deleted after redactor is destructed, but
+  // not leaked.
+  std::vector<std::string> first_party_extension_id_store;
+  // The first_party_extension_ids we pass to the RedactionTool constructor.
+  // This owns the array but not the pointed-to strings. Note that if
+  // first_party_extension_id_count is -1, this is not set so we pass nullptr to
+  // the constructor; that's deliberate.
+  std::unique_ptr<const char*[]> first_party_extension_ids;
+  if (first_party_extension_id_count >= 0) {
+    first_party_extension_id_store.reserve(first_party_extension_id_count);
+    first_party_extension_ids =
+        std::make_unique<const char*[]>(first_party_extension_id_count + 1);
+    for (int i = 0; i < first_party_extension_id_count; ++i) {
+      constexpr int kArbitraryMaxNameLength = 4096;
+      first_party_extension_id_store.emplace_back(
+          provider.ConsumeRandomLengthString(kArbitraryMaxNameLength));
+      first_party_extension_ids[i] = first_party_extension_id_store[i].c_str();
+    }
+    first_party_extension_ids[first_party_extension_id_count] = nullptr;
+  }
+
+  feedback::RedactionTool redactor(first_party_extension_ids.get());
+  redactor.Redact(provider.ConsumeRemainingBytesAsString());
+  return 0;
+}

components/feedback/redaction_tool_fuzzer.dict

+# Copyright 2020 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Literals from kCustomPatternsWithContext strings
+CellID="Cell ID:"
+LocAC="Location area code:"
+SSID1="ssid"
+SSIDHex="SSID - hexdump"
+SSID1="SSID"
+Serial1="serial number"
+Serial2="Serial Number"
+GAIA="gaia_id"
+GAIAId="id:"
+GAIAEmail=", email"
+UUID="UUID="
+UUIDEnd="xxx"
+VolumeLabel="LABEL="
+VolumeLabel2="/media/removable/"
+
+# Literals from kCustomPatternsWithoutContext, and other things that look like
+# URLS and Emails
+URL1="http://"
+URL2="https://"
+URL3="ftp://"
+URL4="chrome://"
+URL5="chrome-extension://"
+URL6="android://"
+URL7="rtsp://"
+URLHost="foo.com"
+URLPort=":80"
+URLQuery="?"
+URLFragment="#"
+
+# Email Symbols
+EMailAt="@"
+EMailDot="."
+EMailExample="a@b.c"
+
+# MAC Symbols
+MACColon=":"
+MACExample="10:fd:b5:ec:b1:3e"