Replace ConsumeBytesInRange with ConsumeRandomLengthString in fuzzed_data_provider

This CL changes the Blink wrapper for fuzzed_data_provider for callers wanting a random length string. This uses a much simpler technique for pulling strings out of random data which should yield better fuzzing discovery. Note: This will change the behavior of the (two) fuzzers using ConsumeBytesInRange. Additionally, we add a small max limit to the tokenizer fuzzer to avoid hangs. I couldn't find anything wrong with the production code to cause these hangs. Bug: 813761 Change-Id: I30b3be16b6c101165fdd3041596a82412e5c46f1 Reviewed-on: https://chromium-review.googlesource.com/c/1354413Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Commit-Queue: Max Moroz <mmoroz@chromium.org> Cr-Commit-Position: refs/heads/master@{#612654}

Replace ConsumeBytesInRange with ConsumeRandomLengthString in fuzzed_data_provider
This CL changes the Blink wrapper for fuzzed_data_provider for callers wanting a random length string. This uses a much simpler technique for pulling strings out of random data which should yield better fuzzing discovery. Note: This will change the behavior of the (two) fuzzers using ConsumeBytesInRange. Additionally, we add a small max limit to the tokenizer fuzzer to avoid hangs. I couldn't find anything wrong with the production code to cause these hangs. Bug: 813761 Change-Id: I30b3be16b6c101165fdd3041596a82412e5c46f1 Reviewed-on: https://chromium-review.googlesource.com/c/1354413Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Commit-Queue: Max Moroz <mmoroz@chromium.org> Cr-Commit-Position: refs/heads/master@{#612654}
f3a7fa9a · Charlie Harrison · Commit Bot · 706b39eb · f3a7fa9a · f3a7fa9a
Commit f3a7fa9a authored Nov 30, 2018 by Charlie Harrison Committed by Commit Bot Nov 30, 2018
4 changed files
--- a/third_party/blink/renderer/core/html/parser/html_tokenizer_fuzzer.cc
+++ b/third_party/blink/renderer/core/html/parser/html_tokenizer_fuzzer.cc
@@ -30,9 +30,8 @@ int FuzzTokenizer(const uint8_t* data, size_t size) {
    // The tokenizer deals with incremental strings as they are received.
    // Split the input into a bunch of small chunks to throw partial tokens
    // at the tokenizer and exercise the state machine and resumption.
-    CString chunk = fuzzed_data_provider.ConsumeBytesInRange(1, 32);
-    SegmentedString segment(String(chunk.data(), chunk.length()));
-    input.Append(segment);
+    String chunk = fuzzed_data_provider.ConsumeRandomLengthString(32);
+    input.Append(SegmentedString(chunk));
    // If a token was generated from the input then the next call
    // needs to use a fresh token for output. If a token is not generated
    // then the same token instance needs to be reused in the next calls
@@ -48,7 +47,8 @@ int FuzzTokenizer(const uint8_t* data, size_t size) {

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  // Need at least 2 bytes for the options flags and one byte of test data.
-  if (size >= 3)
+  // Avoid huge inputs which can cause non-actionable timeout crashes.
+  if (size >= 3 && size <= 16384)
    blink::FuzzTokenizer(data, size);

  return 0;

--- a/third_party/blink/renderer/core/html/parser/text_resource_decoder_for_fuzzing.h
+++ b/third_party/blink/renderer/core/html/parser/text_resource_decoder_for_fuzzing.h
@@ -51,8 +51,7 @@ class TextResourceDecoderForFuzzing : public TextResourceDecoder {
    // Note: Charsets can be long (see the various encodings in
    // wtf/text). For instance: "unicode-1-1-utf-8". To ensure good coverage,
    // set a generous max limit for these sizes (32 bytes should be good).
-    return WTF::TextEncoding(
-        String::FromUTF8(fuzzed_data.ConsumeBytesInRange(0, 32)));
+    return WTF::TextEncoding(fuzzed_data.ConsumeRandomLengthString(32));
  }
 };


--- a/third_party/blink/renderer/platform/testing/fuzzed_data_provider.cc
+++ b/third_party/blink/renderer/platform/testing/fuzzed_data_provider.cc
@@ -9,11 +9,11 @@ namespace blink {
 FuzzedDataProvider::FuzzedDataProvider(const uint8_t* bytes, size_t num_bytes)
    : provider_(bytes, num_bytes) {}

-CString FuzzedDataProvider::ConsumeBytesInRange(uint32_t min_bytes,
-                                                uint32_t max_bytes) {
-  size_t num_bytes = provider_.ConsumeIntegralInRange(min_bytes, max_bytes);
-  std::vector<char> bytes = provider_.ConsumeBytes<char>(num_bytes);
-  return CString(bytes.data(), bytes.size());
+String FuzzedDataProvider::ConsumeRandomLengthString(size_t max_length) {
+  std::string str = provider_.ConsumeRandomLengthString(max_length);
+  // FromUTF8 will return a null string if the input data contains invalid UTF-8
+  // sequences. Fall back to latin1 in those cases.
+  return String::FromUTF8WithLatin1Fallback(str.data(), str.length());
 }

 CString FuzzedDataProvider::ConsumeRemainingBytes() {

--- a/third_party/blink/renderer/platform/testing/fuzzed_data_provider.h
+++ b/third_party/blink/renderer/platform/testing/fuzzed_data_provider.h
@@ -8,6 +8,7 @@
 #include "base/test/fuzzed_data_provider.h"
 #include "third_party/blink/renderer/platform/wtf/noncopyable.h"
 #include "third_party/blink/renderer/platform/wtf/text/cstring.h"
+#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"

 namespace blink {

@@ -19,10 +20,8 @@ class FuzzedDataProvider {
 public:
  FuzzedDataProvider(const uint8_t* bytes, size_t num_bytes);

-  // Returns a string with length between minBytes and maxBytes. If the
-  // length is greater than the length of the remaining data this is
-  // equivalent to ConsumeRemainingBytes().
-  CString ConsumeBytesInRange(uint32_t min_bytes, uint32_t max_bytes);
+  // Returns a string with length between 0 and max_length.
+  String ConsumeRandomLengthString(size_t max_length);

  // Returns a String containing all remaining bytes of the input data.
  CString ConsumeRemainingBytes();