indexeddb: Add fuzzer for leveldb coding

This change add a fuzzer for the following methods:
* EncodeIndexedDBKey()
* EncodeIndexedDBKeyPath()
* DecodeIndexedDBKey()
* DecodeIndexedDBKeyPath()

Bug: 654810
Change-Id: Iadc850bdc750f0f1b80b7d70b90deed298ece808
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1857605
Commit-Queue: Ovidio de Jesús Ruiz-Henríquez <odejesush@chromium.org>
Reviewed-by: Oliver Chang <ochang@chromium.org>
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#707228}

content/browser/BUILD.gn

@@ -29,6 +29,7 @@ jumbo_source_set("browser") {
     "//content/public/browser:browser_sources",
     "//content/test/fuzzer:appcache_fuzzer",
     "//content/test/fuzzer:browser_accessibility_fuzzer",
+    "//content/test/fuzzer:indexed_db_fuzzer_support",
   ]
 
   configs += [

content/browser/indexed_db/fuzzer_corpus/encoded_indexed_db_key/encoded_binary_key

+Hello world!
\ No newline at end of file

content/browser/indexed_db/fuzzer_corpus/indexed_db_key/array_type

+
ޭ4VxHello world!
\ No newline at end of file

content/browser/indexed_db/fuzzer_corpus/indexed_db_key/number_type

+acn

content/browser/indexed_db/fuzzer_corpus/indexed_db_key_path/ascii_utf8_vector

+
Hello world!PEsta es una oración con algunos símbolos especiales para probar el codificador.
\ No newline at end of file

content/browser/indexed_db/indexed_db_leveldb_coding_decodeidbkey_fuzzer.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "base/strings/utf_string_conversions.h"
+#include "content/browser/indexed_db/indexed_db_leveldb_coding.h"
+#include "third_party/blink/public/common/indexeddb/indexeddb_key.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  base::StringPiece key_str_piece(reinterpret_cast<const char*>(data), size);
+  auto indexed_db_key = std::make_unique<blink::IndexedDBKey>();
+  ignore_result(content::DecodeIDBKey(&key_str_piece, &indexed_db_key));
+
+  // Ensure that encoding |indexed_db_key| produces the same result.
+  std::string result;
+  content::EncodeIDBKey(*indexed_db_key, &result);
+  assert(base::StringPiece(result) == key_str_piece);
+  return 0;
+}

content/browser/indexed_db/indexed_db_leveldb_coding_decodeidbkeypath_fuzzer.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "base/strings/utf_string_conversions.h"
+#include "content/browser/indexed_db/indexed_db_leveldb_coding.h"
+#include "third_party/blink/public/common/indexeddb/indexeddb_key_path.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  base::StringPiece key_path_str_piece(reinterpret_cast<const char*>(data),
+                                       size);
+  blink::IndexedDBKeyPath indexed_db_key_path;
+  ignore_result(
+      content::DecodeIDBKeyPath(&key_path_str_piece, &indexed_db_key_path));
+
+  // Ensure that encoding |indexed_db_key_path| produces the same result.
+  std::string result;
+  content::EncodeIDBKeyPath(indexed_db_key_path, &result);
+  assert(base::StringPiece(result) == key_path_str_piece);
+  return 0;
+}

content/browser/indexed_db/indexed_db_leveldb_coding_encodeidbkey_fuzzer.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include "base/strings/string_piece.h"
+#include "base/strings/utf_string_conversions.h"
+#include "content/browser/indexed_db/indexed_db_leveldb_coding.h"
+#include "third_party/blink/public/common/indexeddb/indexeddb_key.h"
+
+using blink::IndexedDBKey;
+using blink::mojom::IDBKeyType;
+
+// IDBKeyType has 7 possible values, so the lower 3 bits of |data| are used to
+// determine the IDBKeyType to return.
+IDBKeyType GetIDBKeyType(uint8_t data) {
+  auto enum_mask = data & 0x7;
+  switch (enum_mask) {
+    case 0:
+      return IDBKeyType::Invalid;
+    case 1:
+      return IDBKeyType::Array;
+    case 2:
+      return IDBKeyType::Binary;
+    case 3:
+      return IDBKeyType::String;
+    case 4:
+      return IDBKeyType::Date;
+    case 5:
+      return IDBKeyType::Number;
+    case 6:
+      return IDBKeyType::None;
+    case 7:
+      return IDBKeyType::Min;
+    default:
+      return IDBKeyType::Invalid;
+  }
+}
+
+// Parse |fuzzed_data| to create an IndexedDBKey. This method takes uses the
+// first byte to determine the type of key to create. The remaining bytes in
+// |fuzzed_data| will be consumed differently depending on the type of key.
+IndexedDBKey CreateKey(FuzzedDataProvider* fuzzed_data) {
+  // If there is no more data to use, return a |None| type key.
+  if (fuzzed_data->remaining_bytes() < 1)
+    return IndexedDBKey(IDBKeyType::None);
+
+  auto key_type = GetIDBKeyType(fuzzed_data->ConsumeIntegral<uint8_t>());
+
+  switch (key_type) {
+    case IDBKeyType::Array: {
+      // Recursively create and add keys to |key_array| until there are no more
+      // bytes to consume. Then, create the final key to return with this array.
+      IndexedDBKey::KeyArray key_array;
+      while (fuzzed_data->remaining_bytes() > 0) {
+        key_array.push_back(CreateKey(fuzzed_data));
+      }
+      return IndexedDBKey(key_array);
+    }
+    // For keys of type |Binary| and |String|, consume sizeof(size_t) bytes to
+    // determine the maximum length of the string to create.
+    case IDBKeyType::Binary: {
+      if (fuzzed_data->remaining_bytes() < 1)
+        return IndexedDBKey("");
+      auto str_size = fuzzed_data->ConsumeIntegral<size_t>();
+      return IndexedDBKey(fuzzed_data->ConsumeBytesAsString(str_size));
+    }
+    case IDBKeyType::String: {
+      if (fuzzed_data->remaining_bytes() < 1)
+        return IndexedDBKey(base::UTF8ToUTF16(std::string()));
+      auto str_size = fuzzed_data->ConsumeIntegral<size_t>();
+      base::string16 data_str =
+          base::UTF8ToUTF16(fuzzed_data->ConsumeBytesAsString(str_size));
+      return IndexedDBKey(data_str);
+    }
+    case IDBKeyType::Date:
+    case IDBKeyType::Number: {
+      return IndexedDBKey(fuzzed_data->ConsumeFloatingPoint<double>(),
+                          key_type);
+    }
+    case IDBKeyType::Invalid:
+    case IDBKeyType::None:
+    case IDBKeyType::Min:
+    default:
+      return IndexedDBKey(key_type);
+  }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  FuzzedDataProvider fuzzed_data(data, size);
+  auto key = CreateKey(&fuzzed_data);
+  std::string result;
+  content::EncodeIDBKey(key, &result);
+
+  // Ensure that |result| can be decoded back into the original key.
+  auto decoded_key = std::make_unique<IndexedDBKey>();
+  auto result_str_piece = base::StringPiece(result);
+  ignore_result(content::DecodeIDBKey(&result_str_piece, &decoded_key));
+  assert(decoded_key.Equals(key));
+  return 0;
+}

content/browser/indexed_db/indexed_db_leveldb_coding_encodeidbkeypath_fuzzer.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include "base/strings/utf_string_conversions.h"
+#include "content/browser/indexed_db/indexed_db_leveldb_coding.h"
+#include "third_party/blink/public/common/indexeddb/indexeddb_key_path.h"
+
+using blink::IndexedDBKeyPath;
+
+IndexedDBKeyPath GetKeyPath(FuzzedDataProvider* fuzzed_data) {
+  // If there is no more data to use, return an empty key path.
+  if (fuzzed_data->remaining_bytes() < 1)
+    return IndexedDBKeyPath();
+
+  // Consume sizeof(size_t) bytes to determine the size of the vector of strings
+  // to use for the IndexedDBKeyPath.
+  auto vector_size = fuzzed_data->ConsumeIntegral<size_t>();
+
+  if (vector_size == 0) {
+    return IndexedDBKeyPath();
+  } else if (vector_size == 1) {
+    // Consume all of |fuzzed_data| to create an IndexedDBKeyPath.
+    auto str16 =
+        base::UTF8ToUTF16(fuzzed_data->ConsumeRemainingBytesAsString());
+    return IndexedDBKeyPath(str16);
+  }
+
+  // Create and add string16s to |paths| until |vector_size| is reached or the
+  // end of |data| is reached.
+  std::vector<base::string16> paths;
+  for (size_t i = 0; i < vector_size && fuzzed_data->remaining_bytes() > 0;
+       ++i) {
+    // Consume sizeof(size_t) bytes to determine the size of the string to
+    // create.
+    size_t str_size = fuzzed_data->ConsumeIntegral<size_t>();
+
+    auto str16 = base::UTF8ToUTF16(fuzzed_data->ConsumeBytesAsString(str_size));
+    paths.push_back(str16);
+  }
+  return IndexedDBKeyPath(paths);
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  FuzzedDataProvider fuzzed_data(data, size);
+  IndexedDBKeyPath key_path = GetKeyPath(&fuzzed_data);
+  std::string result;
+  content::EncodeIDBKeyPath(key_path, &result);
+
+  // Ensure that |result| can be decoded back into the original key path.
+  IndexedDBKeyPath decoded_key_path;
+  auto result_str_piece = base::StringPiece(result);
+  ignore_result(
+      content::DecodeIDBKeyPath(&result_str_piece, &decoded_key_path));
+  assert(decoded_key_path == key_path);
+  return 0;
+}

content/test/fuzzer/BUILD.gn

@@ -273,3 +273,54 @@ fuzzer_test("browser_accessibility_fuzzer") {
     "//storage/browser:test_support",
   ]
 }
+
+source_set("indexed_db_fuzzer_support") {
+  public_deps = [
+    "//base",
+    "//content/browser",
+    "//content/public/browser:browser_sources",
+    "//third_party/blink/public/common:headers",
+  ]
+  testonly = true
+}
+
+fuzzer_test("indexed_db_leveldb_coding_encodeidbkey_fuzzer") {
+  sources = [
+    "../../browser/indexed_db/indexed_db_leveldb_coding_encodeidbkey_fuzzer.cc",
+  ]
+  deps = [
+    ":indexed_db_fuzzer_support",
+  ]
+  seed_corpus = "../../browser/indexed_db/fuzzer_corpus/indexed_db_key"
+}
+
+fuzzer_test("indexed_db_leveldb_coding_encodeidbkeypath_fuzzer") {
+  sources = [
+    "../../browser/indexed_db/indexed_db_leveldb_coding_encodeidbkeypath_fuzzer.cc",
+  ]
+  deps = [
+    ":indexed_db_fuzzer_support",
+  ]
+  seed_corpus = "../../browser/indexed_db/fuzzer_corpus/indexed_db_key_path"
+}
+
+fuzzer_test("indexed_db_leveldb_coding_decodeidbkey_fuzzer") {
+  sources = [
+    "../../browser/indexed_db/indexed_db_leveldb_coding_decodeidbkey_fuzzer.cc",
+  ]
+  deps = [
+    ":indexed_db_fuzzer_support",
+  ]
+  seed_corpus = "../../browser/indexed_db/fuzzer_corpus/encoded_indexed_db_key"
+}
+
+fuzzer_test("indexed_db_leveldb_coding_decodeidbkeypath_fuzzer") {
+  sources = [
+    "../../browser/indexed_db/indexed_db_leveldb_coding_decodeidbkeypath_fuzzer.cc",
+  ]
+  deps = [
+    ":indexed_db_fuzzer_support",
+  ]
+  seed_corpus =
+      "../../browser/indexed_db/fuzzer_corpus/encoded_indexed_db_key_path"
+}