Fix CHECK in net_mime_type_fuzzer.

When diving up the input into 4 chunks, it was skipping over the final
character of each chunk. This happened even if a chunk included all
remaining characters, resulting in a StringPiece that started
beyond the end of the string. This resulted in a 0-length StringPiece,
and things worked fine for years, until a CHECK was added catching this
this brokenness.

This CL switches the fuzzer over to using FuzzedDataProvider, which
doesn't have this issue.

Fixed: 1123036
Change-Id: If17e26d065a157f8d401a7e4afc06c769c8670f8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2382063Reviewed-by: Eric Roman <eroman@chromium.org>
Commit-Queue: Matt Menke <mmenke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#802788}

net/base/mime_sniffer_fuzzer.cc

@@ -5,62 +5,44 @@
 #include "net/base/mime_sniffer.h"
 
 #include <stddef.h>
-#include <stdint.h>
 
-#include <algorithm>
 #include <string>
 
-#include "base/strings/string_piece.h"
-#include "url/gurl.h"
-
-namespace {
-
-// Finds the line break in |input|, removes every thing up to and including the
-// line break from |input|, and returns everything up to the line break as a
-// string.
-std::string GetNextArgument(base::StringPiece* input) {
-  base::StringPiece::size_type argument_end = input->find('\n');
-  if (argument_end == base::StringPiece::npos)
-    argument_end = input->size();
-  base::StringPiece argument = input->substr(0, argument_end);
-  *input = input->substr(argument_end + 1);
-  return argument.as_string();
-}
+#include <fuzzer/FuzzedDataProvider.h>
 
-}  // namespace
+#include "url/gurl.h"
 
 // Fuzzer for the two main mime sniffing functions:
 // SniffMimeType and SniffMimeTypeFromLocalData.
-//
-// Breaks |data| up into 3 substrings: URL, MIME type hint, and content, and
-// passes them to the MIME sniffing functions (SniffMimeTypeFromLocalData
-// does not take all 3 arguments). The first two substrings are each on their
-// own line, and content is everything after them. Since neither URLs nor
-// content-encoding headers can have line breaks, this doesn't reduce coverage.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // net::SniffMimeType DCHECKs if passed an input buffer that's too large,
-  // since it's meant to be used only on the first chunk of a file that's bing
+  // since it's meant to be used only on the first chunk of a file that's being
   // fed into a stream. Set a max size of the input to avoid running into that
   // DCHECK.  Use 64k because that's twice the size of a typical read attempt.
   constexpr size_t kMaxSniffLength = 64 * 1024;
   static_assert(kMaxSniffLength >= net::kMaxBytesToSniff,
                 "kMaxSniffLength is too small.");
 
-  base::StringPiece input(reinterpret_cast<const char*>(data), size);
+  FuzzedDataProvider data_provider(data, size);
+
   // Divide up the input.  It's important not to pass |url_string| to the GURL
   // constructor until after the length check, to prevent the fuzzer from
   // exploring GURL space with invalid inputs.
-  std::string url_string = GetNextArgument(&input);
-  std::string mime_type_hint = GetNextArgument(&input);
+  //
+  // Max lengths of URL and type hint are arbitrary.
+  std::string url_string = data_provider.ConsumeRandomLengthString(4 * 1024);
+  std::string mime_type_hint = data_provider.ConsumeRandomLengthString(1024);
   net::ForceSniffFileUrlsForHtml force_sniff_file_urls_for_html =
-      GetNextArgument(&input).size() == 0
-          ? net::ForceSniffFileUrlsForHtml::kDisabled
-          : net::ForceSniffFileUrlsForHtml::kEnabled;
+      data_provider.ConsumeBool() ? net::ForceSniffFileUrlsForHtml::kDisabled
+                                  : net::ForceSniffFileUrlsForHtml::kEnabled;
 
-  // Do nothing if input is too long.
-  if (input.length() > kMaxSniffLength)
+  // Do nothing if remaining input is too long. An early exit prevents the
+  // fuzzer from exploring needlessly long inputs with interesting prefixes.
+  if (data_provider.remaining_bytes() > kMaxSniffLength)
     return 0;
 
+  std::string input = data_provider.ConsumeRemainingBytesAsString();
+
   std::string result;
   net::SniffMimeType(input.data(), input.length(), GURL(url_string),
                      mime_type_hint, force_sniff_file_urls_for_html, &result);

net/data/fuzzer_dictionaries/net_mime_sniffer_fuzzer.dict

@@ -2,7 +2,10 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-# Lines 7-299 of this file were generated with
+# Used by FuzzedDataProvider::ConsumeRandomLengthString to break up lines.
+"\\"
+
+# The remaining lines 7-299 of this file were generated with
 # testing/libfuzzer/dictionary_generator.py using net_mime_sniffer_fuzzer
 # binary and RFC 2045.
 # The rest was created semimanually based on net/base/mime_sniffer.cc.