diff options
Diffstat (limited to 'base/test/fuzzed_data_provider.cc')
-rw-r--r-- | base/test/fuzzed_data_provider.cc | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/base/test/fuzzed_data_provider.cc b/base/test/fuzzed_data_provider.cc new file mode 100644 index 0000000000..b2d443a9b9 --- /dev/null +++ b/base/test/fuzzed_data_provider.cc @@ -0,0 +1,98 @@ +// Copyright 2016 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "base/test/fuzzed_data_provider.h" + +#include <algorithm> +#include <limits> + +#include "base/logging.h" + +namespace base { + +FuzzedDataProvider::FuzzedDataProvider(const uint8_t* data, size_t size) + : remaining_data_(reinterpret_cast<const char*>(data), size) {} + +FuzzedDataProvider::~FuzzedDataProvider() = default; + +std::string FuzzedDataProvider::ConsumeBytes(size_t num_bytes) { + num_bytes = std::min(num_bytes, remaining_data_.length()); + StringPiece result(remaining_data_.data(), num_bytes); + remaining_data_ = remaining_data_.substr(num_bytes); + return result.as_string(); +} + +std::string FuzzedDataProvider::ConsumeRemainingBytes() { + return ConsumeBytes(remaining_data_.length()); +} + +uint32_t FuzzedDataProvider::ConsumeUint32InRange(uint32_t min, uint32_t max) { + CHECK_LE(min, max); + + uint32_t range = max - min; + uint32_t offset = 0; + uint32_t result = 0; + + while (offset < 32 && (range >> offset) > 0 && !remaining_data_.empty()) { + // Pull bytes off the end of the seed data. Experimentally, this seems to + // allow the fuzzer to more easily explore the input space. This makes + // sense, since it works by modifying inputs that caused new code to run, + // and this data is often used to encode length of data read by + // ConsumeBytes. Separating out read lengths makes it easier modify the + // contents of the data that is actually read. + uint8_t next_byte = remaining_data_.back(); + remaining_data_.remove_suffix(1); + result = (result << 8) | next_byte; + offset += 8; + } + + // Avoid division by 0, in the case |range + 1| results in overflow. + if (range == std::numeric_limits<uint32_t>::max()) + return result; + + return min + result % (range + 1); +} + +std::string FuzzedDataProvider::ConsumeRandomLengthString(size_t max_length) { + // Reads bytes from start of |remaining_data_|. Maps "\\" to "\", and maps "\" + // followed by anything else to the end of the string. As a result of this + // logic, a fuzzer can insert characters into the string, and the string will + // be lengthened to include those new characters, resulting in a more stable + // fuzzer than picking the length of a string independently from picking its + // contents. + std::string out; + for (size_t i = 0; i < max_length && !remaining_data_.empty(); ++i) { + char next = remaining_data_[0]; + remaining_data_.remove_prefix(1); + if (next == '\\' && !remaining_data_.empty()) { + next = remaining_data_[0]; + remaining_data_.remove_prefix(1); + if (next != '\\') + return out; + } + out += next; + } + return out; +} + +int FuzzedDataProvider::ConsumeInt32InRange(int min, int max) { + CHECK_LE(min, max); + + uint32_t range = max - min; + return min + ConsumeUint32InRange(0, range); +} + +bool FuzzedDataProvider::ConsumeBool() { + return (ConsumeUint8() & 0x01) == 0x01; +} + +uint8_t FuzzedDataProvider::ConsumeUint8() { + return ConsumeUint32InRange(0, 0xFF); +} + +uint16_t FuzzedDataProvider::ConsumeUint16() { + return ConsumeUint32InRange(0, 0xFFFF); +} + +} // namespace base |