// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "ui/accessibility/ax_tree.h"
#include "ui/accessibility/ax_tree_observer.h"

// An observer that overrides none of the AXTreeObserver callbacks. It is
// attached to the tree for the duration of the fuzzed Unserialize() call --
// presumably so that the tree's observer-notification code is exercised too
// (confirm against AXTree).
class EmptyAXTreeObserver : public ui::AXTreeObserver {
 public:
  EmptyAXTreeObserver() = default;
  ~EmptyAXTreeObserver() override = default;
};

// Entry point for LibFuzzer.
//
// The input is decoded as a sequence of node records until the bytes run out:
//   1 byte   node id
//   1 byte   declared child count N (absent if the input ends here)
//   N bytes  child ids (fewer if the input ends first)
//
// Coverage limits worth knowing when triaging or extending this harness:
//  * Every field is a single byte, so node ids and child counts are confined
//    to 0..255. Duplicate ids and children that reference undeclared nodes
//    are produced freely, so malformed trees are part of the corpus.
//  * Only |id| and |child_ids| are populated; every other field of
//    AXNodeData and AXTreeUpdate keeps its default value.
//  * The whole input becomes one AXTreeUpdate applied to a freshly
//    constructed tree; applying a second update to an existing tree is not
//    covered.
//
// Always returns 0. The result of Unserialize() is not inspected: a rejected
// update is an acceptable outcome, and defects are expected to surface as
// crashes or sanitizer reports.
extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size) {
  ui::AXTreeUpdate update;
  for (size_t pos = 0; pos < size;) {
    ui::AXNodeData node_data;
    node_data.id = data[pos];
    ++pos;

    if (pos < size) {
      const size_t declared_children = data[pos];
      ++pos;
      // The declared count comes straight from the input, so every read is
      // also bounded by |size|; a record may end up with fewer children than
      // it declared.
      size_t taken = 0;
      while (taken < declared_children && pos < size) {
        node_data.child_ids.push_back(data[pos]);
        ++pos;
        ++taken;
      }
    }

    update.nodes.push_back(node_data);
  }

  // Don't test absurdly large trees, it might time out. Builds without NDEBUG
  // get a cap ten times lower.
#if !defined(NDEBUG)
  constexpr size_t kMaxNodes = 50000;
#else
  constexpr size_t kMaxNodes = 500000;
#endif
  const bool too_large = update.nodes.size() > kMaxNodes;
  if (too_large) {
    LOG(WARNING) << "Skipping input because it's too large";
    return 0;
  }

  // Run with --v=1 to aid in debugging a specific crash: this dumps the
  // decoded tree so a crashing input can be read as nodes rather than bytes.
  VLOG(1) << "Input accessibility tree:\n" << update.ToString();

  // The observer is declared before the tree and removed again before either
  // goes out of scope, so the tree never holds a pointer to a destroyed
  // observer.
  EmptyAXTreeObserver observer;
  ui::AXTree tree;
  tree.AddObserver(&observer);
  tree.Unserialize(update);
  tree.RemoveObserver(&observer);

  return 0;
}