Fuzzer for schema.org extractor.

Fuzz tests the single json string input to the extractor. Bug: 1069230 Change-Id: I96c5f44b249b4b24363d4b431e97b4fff6194792 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2186456Reviewed-by: Becca Hughes <beccahughes@chromium.org> Commit-Queue: Sam Bowen <sgbowen@google.com> Cr-Commit-Position: refs/heads/master@{#766527}

Fuzzer for schema.org extractor.
Fuzz tests the single json string input to the extractor. Bug: 1069230 Change-Id: I96c5f44b249b4b24363d4b431e97b4fff6194792 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2186456Reviewed-by: Becca Hughes <beccahughes@chromium.org> Commit-Queue: Sam Bowen <sgbowen@google.com> Cr-Commit-Position: refs/heads/master@{#766527}
fd7ffc54 · Sam Bowen · Commit Bot · d0e4b0e2 · fd7ffc54 · fd7ffc54
Commit fd7ffc54 authored May 07, 2020 by Sam Bowen Committed by Commit Bot May 07, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 66 additions and 0 deletions

components/schema_org/BUILD.gn components/schema_org/BUILD.gn +13 -0

components/schema_org/extractor_fuzzer.cc components/schema_org/extractor_fuzzer.cc +53 -0

No files found.
--- a/components/schema_org/BUILD.gn
+++ b/components/schema_org/BUILD.gn
@@ -3,6 +3,7 @@
 # found in the LICENSE file.

 import("//build/compiled_action.gni")
+import("//testing/libfuzzer/fuzzer_test.gni")

 source_set("unit_tests") {
  testonly = true
@@ -147,3 +148,15 @@ static_library("schema_org") {
    "//components/schema_org/common:improved_mojom",
  ]
 }
+
+fuzzer_test("extractor_fuzzer") {
+  sources = [ "extractor_fuzzer.cc" ]
+  deps = [
+    ":extractor",
+    ":schema_org_properties",
+    "//base",
+    "//base/test:test_support",
+    "//components/schema_org/common:improved_mojom",
+    "//services/data_decoder/public/cpp:test_support",
+  ]
+}
--- a/components/schema_org/extractor_fuzzer.cc
+++ b/components/schema_org/extractor_fuzzer.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "base/run_loop.h"
+#include "base/task/single_thread_task_executor.h"
+#include "base/test/bind_test_util.h"
+#include "components/schema_org/common/improved_metadata.mojom.h"
+#include "components/schema_org/extractor.h"
+#include "components/schema_org/schema_org_entity_names.h"
+#include "services/data_decoder/public/cpp/test_support/in_process_data_decoder.h"
+#include "testing/libfuzzer/libfuzzer_exports.h"
+
+void FuzzExtractor(const uint8_t* data, size_t size) {
+  data_decoder::test::InProcessDataDecoder data_decoder;
+  std::string fuzz_input =
+      std::string(reinterpret_cast<const char*>(data), size);
+
+  base::RunLoop run_loop;
+
+  schema_org::Extractor extractor({schema_org::entity::kCompleteDataFeed});
+  extractor.Extract(fuzz_input,
+                    base::BindLambdaForTesting(
+                        [&](schema_org::improved::mojom::EntityPtr entity) {
+                          run_loop.Quit();
+                        }));
+
+  run_loop.Run();
+}
+
+class Env {
+ public:
+  scoped_refptr<base::SingleThreadTaskRunner> task_runner() {
+    return executor_.task_runner();
+  }
+
+ private:
+  base::SingleThreadTaskExecutor executor_;
+};
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size == 0)
+    return 0;
+
+  static Env env;
+  env.task_runner()->PostTask(FROM_HERE,
+                              base::BindOnce(&FuzzExtractor, data, size));
+
+  return 0;
+}