xref: /aosp_15_r20/external/cronet/net/spdy/fuzzing/http2_frame_decoder_fuzzer.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b)
1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include <stddef.h>
6 #include <stdint.h>
7 
8 #include <fuzzer/FuzzedDataProvider.h>
9 
10 #include <list>
11 #include <vector>
12 
13 #include "net/third_party/quiche/src/quiche/http2/decoder/http2_frame_decoder.h"
14 
15 // Entry point for LibFuzzer.
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)16 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
17   FuzzedDataProvider fuzzed_data_provider(data, size);
18   http2::Http2FrameDecoder decoder(nullptr);
19 
20   // Store all chunks in a function scope list, as the API requires the caller
21   // to make sure the fragment chunks data is accessible during the whole
22   // decoding process. |http2::DecodeBuffer| does not copy the data, it is just
23   // a wrapper for the chunk provided in its constructor.
24   std::list<std::vector<char>> all_chunks;
25   while (fuzzed_data_provider.remaining_bytes() > 0) {
26     size_t chunk_size = fuzzed_data_provider.ConsumeIntegralInRange(1, 32);
27     all_chunks.emplace_back(
28         fuzzed_data_provider.ConsumeBytes<char>(chunk_size));
29     const auto& chunk = all_chunks.back();
30 
31     // http2::DecodeBuffer constructor does not accept nullptr buffer.
32     if (chunk.data() == nullptr)
33       continue;
34 
35     http2::DecodeBuffer frame_data(chunk.data(), chunk.size());
36     decoder.DecodeFrame(&frame_data);
37   }
38   return 0;
39 }
40