Add a fuzzer for V4Store::MergeUpdate

R=drubery

Bug: 933065
Change-Id: If5b7c41875f36f53c217607c2270688c4af3cad9
Reviewed-on: https://chromium-review.googlesource.com/c/1496298
Commit-Queue: Varun Khaneja <vakh@chromium.org>
Commit-Queue: Daniel Rubery <drubery@chromium.org>
Commit-Queue: Nathan Parker <nparker@chromium.org>
Reviewed-by: Daniel Rubery <drubery@chromium.org>
Reviewed-by: Nathan Parker <nparker@chromium.org>
Auto-Submit: Varun Khaneja <vakh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#636637}

components/safe_browsing/db/BUILD.gn

@@ -2,8 +2,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-import("//third_party/protobuf/proto_library.gni")
 import("//testing/libfuzzer/fuzzer_test.gni")
+import("//third_party/protobuf/proto_library.gni")
 
 proto_library("safebrowsing_proto") {
   sources = [
@@ -482,3 +482,14 @@ fuzzer_test("v4_get_hash_protocol_manager_fuzzer") {
     ":v4_get_hash_protocol_manager",
   ]
 }
+
+fuzzer_test("v4_store_fuzzer") {
+  sources = [
+    "v4_store_fuzzer.cc",
+  ]
+  deps = [
+    ":v4_store",
+    ":v4_test_util",
+    "//base/test:test_support",
+  ]
+}

components/safe_browsing/db/v4_store.h

@@ -296,6 +296,7 @@ class V4Store {
   FRIEND_TEST_ALL_PREFIXES(V4StorePerftest, StressTest);
 
   friend class V4StoreTest;
+  friend class V4StoreFuzzer;
 
   // If |prefix_size| is within expected range, and |raw_hashes_length| is a
   // multiple of prefix_size, then it sets the string of length

components/safe_browsing/db/v4_store_fuzzer.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stdint.h>
+#include <memory>
+#include <string>
+
+#include "base/files/file_path.h"
+#include "base/test/test_simple_task_runner.h"
+#include "components/safe_browsing/db/v4_store.h"
+#include "components/safe_browsing/db/v4_test_util.h"
+
+namespace safe_browsing {
+
+class V4StoreFuzzer {
+ public:
+  static int FuzzMergeUpdate(const uint8_t* data, size_t size) {
+    // Empty update, not interesting.
+    if (size == 0)
+      return 0;
+
+    size_t num_prefixes_first_half = size / (2 * kMinHashPrefixLength);
+    size_t first_half_size = num_prefixes_first_half * kMinHashPrefixLength;
+
+    std::string first_half(data, data + first_half_size);
+    HashPrefixMap prefix_map_old;
+    V4Store::AddUnlumpedHashes(kMinHashPrefixLength, first_half,
+                               &prefix_map_old);
+
+    std::string second_half(data + first_half_size, data + size);
+    HashPrefixMap prefix_map_additions;
+    V4Store::AddUnlumpedHashes(kMinHashPrefixLength, second_half,
+                               &prefix_map_additions);
+
+    auto store = std::make_unique<TestV4Store>(
+        base::MakeRefCounted<base::TestSimpleTaskRunner>(), base::FilePath());
+    google::protobuf::RepeatedField<google::protobuf::int32> raw_removals;
+    std::string empty_checksum;
+    store->MergeUpdate(prefix_map_old, prefix_map_additions, &raw_removals,
+                       empty_checksum);
+
+    return 0;
+  }
+};
+
+}  // namespace safe_browsing
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  return safe_browsing::V4StoreFuzzer::FuzzMergeUpdate(data, size);
+}