1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "third_party/blink/renderer/platform/wtf/text/text_codec.h"
6 
7 #include "third_party/blink/renderer/platform/testing/blink_fuzzer_test_support.h"
8 #include "third_party/blink/renderer/platform/testing/fuzzed_data_provider.h"
9 #include "third_party/blink/renderer/platform/wtf/text/text_encoding.h"
10 #include "third_party/blink/renderer/platform/wtf/text/text_encoding_registry.h"
11 
12 // TODO(jsbell): This fuzzes code in wtf/ but has dependencies on platform/,
13 // so it must live in the latter directory. Once wtf/ moves into platform/wtf
14 // this should move there as well.
15 
16 WTF::FlushBehavior kFlushBehavior[] = {WTF::FlushBehavior::kDoNotFlush,
17                                        WTF::FlushBehavior::kFetchEOF,
18                                        WTF::FlushBehavior::kDataEOF};
19 
20 WTF::UnencodableHandling kUnencodableHandlingOptions[] = {
21     WTF::kEntitiesForUnencodables, WTF::kURLEncodedEntitiesForUnencodables,
22     WTF::kCSSEncodedEntitiesForUnencodables};
23 
24 class TextCodecFuzzHarness {};
25 
26 // Fuzzer for WTF::TextCodec.
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)27 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
28   static blink::BlinkFuzzerTestSupport test_support;
29   // The fuzzer picks 3 bytes off the end of the data to initialize metadata, so
30   // abort if the input is smaller than that.
31   if (size < 3)
32     return 0;
33 
34   // TODO(csharrison): When crbug.com/701825 is resolved, add the rest of the
35   // text codecs.
36 
37   // Initializes the codec map.
38   static const WTF::TextEncoding encoding = WTF::TextEncoding(
39 #if defined(UTF_8)
40       "UTF-8"
41 #elif defined(WINDOWS_1252)
42       "windows-1252"
43 #endif
44       "");
45 
46   // Use the fully qualified name to avoid ambiguity with the standard class.
47   blink::FuzzedDataProvider fuzzed_data(data, size);
48 
49   // Initialize metadata using the fuzzed data.
50   bool stop_on_error = fuzzed_data.ConsumeBool();
51   WTF::UnencodableHandling unencodable_handling =
52       fuzzed_data.PickValueInArray(kUnencodableHandlingOptions);
53   WTF::FlushBehavior flush_behavior =
54       fuzzed_data.PickValueInArray(kFlushBehavior);
55 
56   // Now, use the rest of the fuzzy data to stress test decoding and encoding.
57   const std::string byte_string = fuzzed_data.ConsumeRemainingBytes();
58   std::unique_ptr<TextCodec> codec = NewTextCodec(encoding);
59 
60   // Treat as bytes-off-the-wire.
61   bool saw_error;
62   const String decoded =
63       codec->Decode(byte_string.data(), byte_string.length(), flush_behavior,
64                     stop_on_error, saw_error);
65 
66   // Treat as blink 8-bit string (latin1).
67   if (size % sizeof(LChar) == 0) {
68     std::unique_ptr<TextCodec> codec = NewTextCodec(encoding);
69     codec->Encode(reinterpret_cast<const LChar*>(byte_string.data()),
70                   byte_string.length() / sizeof(LChar), unencodable_handling);
71   }
72 
73   // Treat as blink 16-bit string (utf-16) if there are an even number of bytes.
74   if (size % sizeof(UChar) == 0) {
75     std::unique_ptr<TextCodec> codec = NewTextCodec(encoding);
76     codec->Encode(reinterpret_cast<const UChar*>(byte_string.data()),
77                   byte_string.length() / sizeof(UChar), unencodable_handling);
78   }
79 
80   if (decoded.IsNull())
81     return 0;
82 
83   // Round trip the bytes (aka encode the decoded bytes).
84   if (decoded.Is8Bit()) {
85     codec->Encode(decoded.Characters8(), decoded.length(),
86                   unencodable_handling);
87   } else {
88     codec->Encode(decoded.Characters16(), decoded.length(),
89                   unencodable_handling);
90   }
91   return 0;
92 }
93