authorCalder Kitagawa <ckitagawa@chromium.org>2018-05-17 21:07:49 +0000
committerEdward Lesmes <ehmaldonado@google.com>2021-07-23 22:36:08 +0000
commit1bed19c017ffd98c6448e352d564b8583b4862b1 (patch)
tree954da0e96c0077da447ffd6cd513c9a3e6ebbb88
parent11c1b2a45984f0f16a3e043bdc55bc9532227056 (diff)
downloadzucchini-1bed19c017ffd98c6448e352d564b8583b4862b1.tar.gz
[Zucchini] (raw) Gen Fuzzer
This is part of a series of Fuzzers to be added to Zucchini for security review. This tests the raw data patch generation logic exercising the patch writer and gen process. It only covers ~20% of code in 100000 executions as the bulk of the remaining code is associated with the much more complex and expensive to fuzz reference related code. With the supplied seed corpus the fuzzer reaches approximately 5000 execs/s. There were no bug/stability issues found in raw gen. The file format for the seed is a FilePair proto as used in raw Apply; however, it is static so doesn't need regeneration. The files within the FilePair seed are ZTF (Zucchini Text Format) files based on the code that will be landed in: https://chromium-review.googlesource.com/c/chromium/src/+/1056147 This way the source files can be reused in the ZTF gen and apply fuzzers which will be used to more efficiently fuzz the reference handling code in Zucchini. Remaining Security Review Fuzzers (For Windows Launch) - ZTF Gen - ZTF Apply (ZTF = Zucchini text format) Note that suffix array while originally discussed is already implicitly fuzzed by this fuzzer and as such shouldn't require a standalone fuzzer. Other remaining fuzzers (Not shipped so non-blocking of Windows Launch) - Disassembler DEX - Disassembler ELF (when merged from Trunk) To create the seed file pair run the following from components/zucchini/fuzzers/ ./create_seed_file_pair.py ../../../out/Release/protoc \ testdata/old.ztxt testdata/new.ztxt testdata/seed_proto.bin Note: you need to first build protoc in out/Release/ Bug: 835341 Change-Id: I1bf5c2a4251093bbf5bfc92904afc376a2832dbd Reviewed-on: https://chromium-review.googlesource.com/1062412 Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org> Reviewed-by: Samuel Huang <huangs@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Cr-Commit-Position: refs/heads/master@{#559676} NOKEYCHECK=True GitOrigin-RevId: 133fb1221e6c293dc43ff438567b2834b2e5c798
-rw-r--r--BUILD.gn5
-rw-r--r--fuzzers/BUILD.gn17
-rw-r--r--fuzzers/raw_gen_fuzzer.cc58
-rw-r--r--fuzzers/testdata/new.ztxt20
-rw-r--r--fuzzers/testdata/old.ztxt21
-rw-r--r--fuzzers/testdata/raw_gen_fuzzer/seed_proto.bin42
6 files changed, 161 insertions, 2 deletions
diff --git a/BUILD.gn b/BUILD.gn
index 49f54fb..af16559 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -212,6 +212,9 @@ group("zucchini_fuzzers") {
# Ensure protoc is available.
if (current_toolchain == host_toolchain) {
- deps += [ "//components/zucchini/fuzzers:zucchini_raw_apply_fuzzer" ]
+ deps += [
+ "//components/zucchini/fuzzers:zucchini_raw_apply_fuzzer",
+ "//components/zucchini/fuzzers:zucchini_raw_gen_fuzzer",
+ ]
}
}
diff --git a/fuzzers/BUILD.gn b/fuzzers/BUILD.gn
index 66c3d18..30464eb 100644
--- a/fuzzers/BUILD.gn
+++ b/fuzzers/BUILD.gn
@@ -38,6 +38,7 @@ proto_library("zucchini_file_pair_proto") {
# Ensure protoc is available.
if (current_toolchain == host_toolchain) {
+ # Raw Apply Fuzzer:
action("zucchini_raw_apply_seed") {
script = "generate_fuzzer_data.py"
@@ -70,7 +71,7 @@ if (current_toolchain == host_toolchain) {
fuzzer_test("zucchini_raw_apply_fuzzer") {
sources = [
- "raw_apply_fuzzer.cc",
+ "raw_gen_fuzzer.cc",
]
deps = [
":zucchini_file_pair_proto",
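Review bot: The `sources` entry of the existing `fuzzer_test("zucchini_raw_apply_fuzzer")` target is changed from `raw_apply_fuzzer.cc` to `raw_gen_fuzzer.cc`, so the apply fuzzer now compiles the gen fuzzer source and raw patch application stops being fuzzed, while the target keeps its apply seed corpus and seed-generation action. This looks like an accidental edit made while adding the new target; the line should remain `"raw_apply_fuzzer.cc",` and only the new `zucchini_raw_gen_fuzzer` target in the following hunk should name `raw_gen_fuzzer.cc`. The body of the `zucchini_raw_apply_fuzzer` target continues past the end of this hunk.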
@@ -81,4 +82,18 @@ if (current_toolchain == host_toolchain) {
seed_corpus = "$target_gen_dir/testdata/raw_apply_fuzzer"
seed_corpus_deps = [ ":zucchini_raw_apply_seed" ]
}
+
+ # Raw Gen Fuzzer:
+ fuzzer_test("zucchini_raw_gen_fuzzer") {
+ sources = [
+ "raw_gen_fuzzer.cc",
+ ]
+ deps = [
+ ":zucchini_file_pair_proto",
+ "//base",
+ "//components/zucchini:zucchini_lib",
+ "//third_party/libprotobuf-mutator",
+ ]
+ seed_corpus = "testdata/raw_gen_fuzzer"
+ }
}
diff --git a/fuzzers/raw_gen_fuzzer.cc b/fuzzers/raw_gen_fuzzer.cc
new file mode 100644
index 0000000..176412d
--- /dev/null
+++ b/fuzzers/raw_gen_fuzzer.cc
@@ -0,0 +1,58 @@
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stdint.h>
+
+#include <iostream>
+
+#include "base/environment.h"
+#include "base/logging.h"
+#include "components/zucchini/buffer_view.h"
+#include "components/zucchini/fuzzers/file_pair.pb.h"
+#include "components/zucchini/patch_writer.h"
+#include "components/zucchini/zucchini_gen.h"
+#include "testing/libfuzzer/proto/lpm_interface.h"
+
+namespace {
+
+constexpr int kMinImageSize = 16;
+constexpr int kMaxImageSize = 1024;
+
+} // namespace
+
+struct Environment {
+ Environment() {
+ logging::SetMinLogLevel(3); // Disable console spamming.
+ }
+};
+
+Environment* env = new Environment();
+
+DEFINE_BINARY_PROTO_FUZZER(const zucchini::fuzzers::FilePair& file_pair) {
+ // Dump code for debugging.
+ if (base::Environment::Create()->HasVar("LPM_DUMP_NATIVE_INPUT")) {
+ std::cout << "Old File: " << file_pair.old_file() << std::endl
+ << "New File: " << file_pair.new_or_patch_file() << std::endl;
+ }
+
+ // Prepare data.
+ zucchini::ConstBufferView old_image(
+ reinterpret_cast<const uint8_t*>(file_pair.old_file().data()),
+ file_pair.old_file().size());
+ zucchini::ConstBufferView new_image(
+ reinterpret_cast<const uint8_t*>(file_pair.new_or_patch_file().data()),
+ file_pair.new_or_patch_file().size());
+
+ // Restrict image sizes to speed up fuzzing.
+ if (old_image.size() < kMinImageSize || old_image.size() > kMaxImageSize ||
+ new_image.size() < kMinImageSize || new_image.size() > kMaxImageSize) {
+ return;
+ }
+
+ // Generate a patch writer.
+ zucchini::EnsemblePatchWriter patch_writer(old_image, new_image);
+
+ // Fuzz Target.
+ zucchini::GenerateRaw(old_image, new_image, &patch_writer);
+}
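Review bot: `kMinImageSize` and `kMaxImageSize` are `constexpr int` but the size-restriction check compares them against `old_image.size()` and `new_image.size()`, which mixes signed and unsigned operands and trips `-Wsign-compare` on warning-clean builds; declaring them as `constexpr size_t kMinImageSize = 16;` and `constexpr size_t kMaxImageSize = 1024;` removes the implicit conversion. `base::Environment::Create()` is also called on every fuzz iteration only to test `LPM_DUMP_NATIVE_INPUT`; reading it once into a `static const bool` (or in the `Environment` constructor that already runs at startup) keeps the per-input path free of that allocation. The result of `zucchini::GenerateRaw` is discarded; if it reports a status code, logging or checking it on the seed inputs would let the target surface silent generation failures rather than only crashes.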
diff --git a/fuzzers/testdata/new.ztxt b/fuzzers/testdata/new.ztxt
new file mode 100644
index 0000000..1b1876f
--- /dev/null
+++ b/fuzzers/testdata/new.ztxt
@@ -0,0 +1,20 @@
+ZTxt
+BLOCK2
+{20,01} Another block. Lorem Ipsum, Ipsum, Ipsum
+<><><><><>{}{}{}{}[][][]()()()()
+[4,1]
+
+BLOCK1
+Lorem Ipsum, Ipsum Lorem, Alpha Beta Gamma <1,1>
+{4,4} [5,8] (90,08)
+(1,4)
+[+001, +001]
+References {-005,-006}, <001,002>, [98,78]
+(+01,+04)
+AAAAAAAAA
+
+Other new bytes.
+
+Old bytes live here as this is reasonable.
+New bytes live here.
+txTZ
diff --git a/fuzzers/testdata/old.ztxt b/fuzzers/testdata/old.ztxt
new file mode 100644
index 0000000..12dd536
--- /dev/null
+++ b/fuzzers/testdata/old.ztxt
@@ -0,0 +1,21 @@
+ZTxt
+ZucZucZucZucZucZucZucZucZuc
+ZucZucZucZucZucZucZucZucZuc
+ZucZucZucZucZucZucZucZucZuc
+ZucZucZucZucZucZucZucZucZuc
+BLOCK1
+Lorem Ipsum, Ipsum Lorem, Alpha Beta Gamma <1,1>
+{3,4} [4,5] (90,08)
+(1,4)
+[+001, +001]
+References {-004,-003}, <001,001>, [98,78]
+(+01,+00)
+AAAAAAAAA
+
+BLOCK2
+{06,01} Another block. Lorem Ipsum, Ipsum, Ipsum
+<><><><><>{}{}{}{}[][][]()()()()
+[4,1]
+
+Old bytes live here as this is reasonable.
+txTZ
diff --git a/fuzzers/testdata/raw_gen_fuzzer/seed_proto.bin b/fuzzers/testdata/raw_gen_fuzzer/seed_proto.bin
new file mode 100644
index 0000000..5939c72
--- /dev/null
+++ b/fuzzers/testdata/raw_gen_fuzzer/seed_proto.bin
@@ -0,0 +1,42 @@
+
+¤ZTxt
+ZucZucZucZucZucZucZucZucZuc
+ZucZucZucZucZucZucZucZucZuc
+ZucZucZucZucZucZucZucZucZuc
+ZucZucZucZucZucZucZucZucZuc
+BLOCK1
+Lorem Ipsum, Ipsum Lorem, Alpha Beta Gamma <1,1>
+{3,4} [4,5] (90,08)
+(1,4)
+[+001, +001]
+References {-004,-003}, <001,001>, [98,78]
+(+01,+00)
+AAAAAAAAA
+
+BLOCK2
+{06,01} Another block. Lorem Ipsum, Ipsum, Ipsum
+<><><><><>{}{}{}{}[][][]()()()()
+[4,1]
+
+Old bytes live here as this is reasonable.
+txTZ
+ÛZTxt
+BLOCK2
+{20,01} Another block. Lorem Ipsum, Ipsum, Ipsum
+<><><><><>{}{}{}{}[][][]()()()()
+[4,1]
+
+BLOCK1
+Lorem Ipsum, Ipsum Lorem, Alpha Beta Gamma <1,1>
+{4,4} [5,8] (90,08)
+(1,4)
+[+001, +001]
+References {-005,-006}, <001,002>, [98,78]
+(+01,+04)
+AAAAAAAAA
+
+Other new bytes.
+
+Old bytes live here as this is reasonable.
+New bytes live here.
+txTZ