Add new fuzzer for CRLSet::Parse: net_crl_set_fuzzer

The coverage was non-zero for CRLSet::Parse, but it appears the
fuzzers never managed to get the bottom of the function. As such,
ReadCRL had no coverage.

This CL improves the coverage by creating a new fuzzer specifically
for CRLSet::Parse with a seed corpus. I just grabbed files from
net/data/ssl/certificates/ that contained "crl" in their name -- this
was enough to get the fuzzer to venture into ReadCRL.

Change-Id: I67618a448b23c36313ea7c8df09536529522075c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1643908Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Dan McArdle <dmcardle@chromium.org>
Cr-Commit-Position: refs/heads/master@{#666008}

net/BUILD.gn

@@ -6351,6 +6351,19 @@ fuzzer_test("net_gzip_source_stream_fuzzer") {
   ]
 }
 
+fuzzer_test("net_crl_set_fuzzer") {
+  sources = [
+    "cert/crl_set_fuzzer.cc",
+  ]
+  deps = [
+    ":net_fuzzer_test_support",
+    ":test_support",
+    "//base",
+    "//net",
+  ]
+  seed_corpus = "data/fuzzer_data/net_crl_set_fuzzer/"
+}
+
 if (!disable_ftp_support) {
   fuzzer_test("net_ftp_ctrl_response_fuzzer") {
     sources = [

net/cert/crl_set_fuzzer.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "base/test/fuzzed_data_provider.h"
+#include "net/cert/crl_set.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  base::FuzzedDataProvider data_provider(data, size);
+  const std::string str = data_provider.ConsumeRandomLengthString(size);
+  scoped_refptr<net::CRLSet> out_crl_set;
+  net::CRLSet::Parse(str, &out_crl_set);
+  return 0;
+}