viz: Fix the fuzzer for hit-test query.

Impose a limit on the depth of the embedding, to avoid a stack overflow
during the generation of the hit-test data phase.

BUG=820835

Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel
Change-Id: I07f3dbb5422458db703661b421b315e1ca4784dd
Reviewed-on: https://chromium-review.googlesource.com/993033Reviewed-by: Ria Jiang <riajiang@chromium.org>
Commit-Queue: Sadrul Chowdhury <sadrul@chromium.org>
Cr-Commit-Position: refs/heads/master@{#548214}

components/viz/host/hit_test/hit_test_query_fuzzer.cc

@@ -20,14 +20,17 @@ uint32_t GetNextUInt32(base::FuzzedDataProvider* fuzz) {
 
 void AddHitTestRegion(base::FuzzedDataProvider* fuzz,
                       std::vector<viz::AggregatedHitTestRegion>* regions,
-                      std::vector<viz::FrameSinkId>* frame_sink_ids) {
+                      std::vector<viz::FrameSinkId>* frame_sink_ids,
+                      const uint32_t depth = 0) {
+  constexpr uint32_t kMaxDepthAllowed = 25;
   if (fuzz->remaining_bytes() < sizeof(viz::AggregatedHitTestRegion))
     return;
   viz::FrameSinkId frame_sink_id(GetNextUInt32(fuzz), GetNextUInt32(fuzz));
   uint32_t flags = GetNextUInt32(fuzz);
   gfx::Rect rect(fuzz->ConsumeUint8(), fuzz->ConsumeUint8(),
                  fuzz->ConsumeUint16(), fuzz->ConsumeUint16());
-  int32_t child_count = fuzz->ConsumeUint32InRange(0, 10);
+  int32_t child_count =
+      depth < kMaxDepthAllowed ? fuzz->ConsumeUint32InRange(0, 10) : 0;
   gfx::Transform transform;
   if (fuzz->ConsumeBool() && fuzz->remaining_bytes() >= sizeof(transform)) {
     std::string matrix_bytes = fuzz->ConsumeBytes(sizeof(gfx::Transform));
@@ -39,7 +42,7 @@ void AddHitTestRegion(base::FuzzedDataProvider* fuzz,
   if (regions->size() == 1 || fuzz->ConsumeBool())
     frame_sink_ids->push_back(frame_sink_id);
   while (child_count-- > 0)
-    AddHitTestRegion(fuzz, regions, frame_sink_ids);
+    AddHitTestRegion(fuzz, regions, frame_sink_ids, depth + 1);
 }
 
 class Environment {