[libFuzzer][LPM] Write experimental proto fuzzer for skia filters.

TBR=vitalybuka@chromium.org

Bug: 539572
Change-Id: I1e7dbad47b8f5b4debfd4ab071ce946d07c0d93f
Reviewed-on: https://chromium-review.googlesource.com/885085Reviewed-by: Jonathan Metzman <metzman@chromium.org>
Reviewed-by: Martin Barbella <mbarbella@chromium.org>
Commit-Queue: Jonathan Metzman <metzman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533308}

testing/libfuzzer/fuzzers/BUILD.gn

@@ -524,3 +524,22 @@ fuzzer_test("v8_fully_instrumented_fuzzer") {
   dict = "dicts/generated/javascript.dict"
   libfuzzer_options = [ "only_ascii=1" ]
 }
+
+if (!is_win) {
+  fuzzer_test("skia_image_filter_proto_fuzzer") {
+    sources = [
+      "../proto/skia_image_filter_proto_converter.cc",
+      "../proto/skia_image_filter_proto_converter.h",
+      "skia_image_filter_proto_fuzzer.cc",
+    ]
+
+    deps = [
+      "//base",
+      "//base/test:test_support",
+      "//skia",
+      "//testing/libfuzzer/proto:skia_image_filter_converter",
+      "//testing/libfuzzer/proto:skia_image_filter_proto",
+      "//third_party/libprotobuf-mutator",
+    ]
+  }
+}

testing/libfuzzer/fuzzers/skia_image_filter_proto_fuzzer.cc

+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Takes an Input protobuf message from libprotobuf-mutator, converts it to an
+// actual skia image filter and then applies it to a canvas for the purpose of
+// fuzzing skia. This should uncover bugs that could be used by a compromised
+// renderer to exploit the browser process.
+
+#include <stdlib.h>
+
+#include <iostream>
+#include <string>
+
+#include "testing/libfuzzer/proto/skia_image_filter_proto_converter.h"
+
+#include "base/process/memory.h"
+#include "base/test/test_discardable_memory_allocator.h"
+#include "third_party/libprotobuf-mutator/src/src/libfuzzer/libfuzzer_macro.h"
+#include "third_party/skia/include/core/SkBitmap.h"
+#include "third_party/skia/include/core/SkCanvas.h"
+#include "third_party/skia/include/core/SkImageFilter.h"
+
+protobuf_mutator::protobuf::LogSilencer log_silencer;
+
+using skia_image_filter_proto_converter::Input;
+using skia_image_filter_proto_converter::Converter;
+
+static const int kBitmapSize = 24;
+
+struct Environment {
+  base::TestDiscardableMemoryAllocator* discardable_memory_allocator;
+  Environment() {
+    base::EnableTerminationOnOutOfMemory();
+    discardable_memory_allocator = new base::TestDiscardableMemoryAllocator();
+    base::DiscardableMemoryAllocator::SetInstance(discardable_memory_allocator);
+  }
+};
+
+DEFINE_PROTO_FUZZER(const Input& input) {
+  static Environment environment = Environment();
+  ALLOW_UNUSED_LOCAL(environment);
+
+  static Converter converter = Converter();
+  std::string ipc_filter_message = converter.Convert(input);
+
+  // Allow the flattened skia filter to be retrieved easily.
+  if (getenv("LPM_DUMP_NATIVE_INPUT")) {
+    // Don't write a newline since it will make the output invalid (so that it
+    // cannot be fed to filter_fuzz_stub) Flush instead.
+    std::cout << ipc_filter_message << std::flush;
+  }
+
+  sk_sp<SkImageFilter> flattenable = SkImageFilter::Deserialize(
+      ipc_filter_message.c_str(), ipc_filter_message.size());
+
+  if (!flattenable)
+    return;
+
+  SkBitmap bitmap;
+  bitmap.allocN32Pixels(kBitmapSize, kBitmapSize);
+  SkCanvas canvas(bitmap);
+  canvas.clear(0x00000000);
+  SkPaint paint;
+  paint.setImageFilter(flattenable);
+  canvas.save();
+  canvas.clipRect(SkRect::MakeXYWH(0, 0, SkIntToScalar(kBitmapSize),
+                                   SkIntToScalar(kBitmapSize)));
+  canvas.drawBitmap(bitmap, 0, 0, &paint);
+  canvas.restore();
+}

testing/libfuzzer/proto/BUILD.gn

@@ -35,3 +35,33 @@ source_set("json_proto_converter") {
     ":json_proto",
   ]
 }
+
+if (!is_win) {
+  static_library("skia_image_filter_converter") {
+    sources = [
+      "skia_image_filter_proto_converter.cc",
+      "skia_image_filter_proto_converter.h",
+    ]
+    deps = [
+      ":skia_image_filter_proto",
+      "//base",
+      "//skia",
+      "//third_party/libprotobuf-mutator",
+    ]
+    defines = [ "AVOID_MISBEHAVIOR=1" ]
+
+    testonly = true
+
+    #  Can't disable instrumentation because of container-overflow false
+    # positives.
+
+    # Assertion failures in skia are uninteresting. Don't use debug builds on
+    # CF.
+  }
+
+  proto_library("skia_image_filter_proto") {
+    sources = [
+      "skia_image_filter.proto",
+    ]
+  }
+}

third_party/libprotobuf-mutator/BUILD.gn

@@ -26,7 +26,10 @@ source_set("libprotobuf-mutator") {
       "src/src/text_format.cc",
       "src/src/utf8_fix.cc",
     ]
-    deps = [
+
+    # Allow users of LPM to use protobuf reflection and other features from
+    # protobuf_full.
+    public_deps = [
       "//third_party/protobuf:protobuf_full",
     ]