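// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <stddef.h>
#include <stdint.h>

#include <fuzzer/FuzzedDataProvider.h>

#include <list>
#include <vector>

#include "net/third_party/quiche/src/quiche/http2/hpack/decoder/hpack_decoder.h"

// Entry point for LibFuzzer.
//
// Feeds one fuzz input through http2::HpackDecoder as a single header block,
// delivered in small fragments whose sizes are themselves chosen by the fuzzer
// so that the decoder's cross-fragment state machine is exercised. The
// decoder's maximum string size is also taken from the input, so both very
// tight and very generous limits get coverage.
//
// |data|/|size| are the raw fuzz bytes. libFuzzer requires the harness to
// return 0; the decoder is driven through a no-op listener, so the only
// observable outcome is a sanitizer-detected fault.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  // Very short inputs cannot both choose a string-size limit and leave any
  // bytes to decode, so there is nothing worth exercising.
  if (size < 4)
    return 0;

  FuzzedDataProvider fuzzed_data_provider(data, size);
  // |size| is bounded by the fuzzer's configured max_len, so 10 * size stays
  // far below size_t overflow in practice.
  const size_t max_string_size =
      fuzzed_data_provider.ConsumeIntegralInRange<size_t>(1, 10 * size);
  http2::HpackDecoder decoder(http2::HpackDecoderNoOpListener::NoOpListener(),
                              max_string_size);
  decoder.StartDecodingBlock();

  // |http2::DecodeBuffer| does not copy the bytes it is given; it is only a
  // wrapper around the chunk passed to its constructor, and the API requires
  // the caller to keep every fragment's bytes alive for the whole decoding
  // process. All chunks are therefore owned by a function-scope list, which
  // keeps element addresses stable as further chunks are appended.
  std::list<std::vector<char>> all_chunks;
  while (fuzzed_data_provider.remaining_bytes() > 0) {
    const size_t chunk_size = fuzzed_data_provider.ConsumeIntegralInRange(1, 32);
    all_chunks.emplace_back(
        fuzzed_data_provider.ConsumeBytes<char>(chunk_size));
    const std::vector<char>& chunk = all_chunks.back();

    // Choosing |chunk_size| may itself drain the provider, in which case
    // ConsumeBytes() hands back an empty vector (chunk_size is at least 1, so
    // an empty result means no input is left). Stop on emptiness rather than
    // on data() == nullptr: the standard does not guarantee a null data()
    // for an empty vector, and |http2::DecodeBuffer| rejects a nullptr buffer.
    if (chunk.empty())
      break;

    http2::DecodeBuffer fragment(chunk.data(), chunk.size());
    decoder.DecodeFragment(&fragment);
  }
  decoder.EndDecodingBlock();
  return 0;
}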