// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <stddef.h>
#include <stdint.h>

#include <fuzzer/FuzzedDataProvider.h>

#include <list>
#include <vector>

#include "net/third_party/quiche/src/quiche/http2/decoder/http2_frame_decoder.h"

// LibFuzzer entry point. Feeds |data| to an http2::Http2FrameDecoder as a
// sequence of fuzzer-chosen chunks of 1..32 bytes, so that frame boundaries
// land at arbitrary positions inside the decoder's incremental state machine.
// The decoder is built with a null listener (presumably making the callbacks
// no-ops -- confirm in http2_frame_decoder.h); only the decoder's own handling
// of the byte stream is exercised. Always returns 0, as libFuzzer requires.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FuzzedDataProvider provider(data, size);
  http2::Http2FrameDecoder decoder(nullptr);

  // |http2::DecodeBuffer| neither owns nor copies its bytes: it is a thin
  // wrapper around the pointer given to its constructor, and the decoder API
  // requires the caller to keep every chunk's data reachable for the whole
  // decoding process. All chunks are therefore kept alive in a function-scope
  // std::list -- unlike std::vector, a list never relocates its elements when
  // new ones are appended, so references to earlier chunks stay valid.
  std::list<std::vector<char>> chunks;
  while (provider.remaining_bytes() > 0) {
    const size_t chunk_len = provider.ConsumeIntegralInRange(1, 32);
    std::vector<char>& chunk =
        chunks.emplace_back(provider.ConsumeBytes<char>(chunk_len));

    // ConsumeBytes hands back an empty vector once the provider has run dry
    // (remaining_bytes() is then zero and the loop terminates). The
    // http2::DecodeBuffer constructor rejects a null buffer pointer, so such a
    // chunk is never wrapped.
    if (const char* bytes = chunk.data(); bytes != nullptr) {
      http2::DecodeBuffer frame_data(bytes, chunk.size());
      decoder.DecodeFrame(&frame_data);
    }
  }
  return 0;
}