gurl_fuzzer.cc
// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "url/gurl.h"
#include <string_view>
#include "base/at_exit.h"
#include "base/check_op.h"
#include "base/containers/span.h"
#include "base/i18n/icu_util.h"
#include "base/no_destructor.h"
#include "base/strings/string_view_util.h"
#include "testing/libfuzzer/libfuzzer_base_wrappers.h"
// One-time fixture for the fuzzer process: constructing it initializes ICU and
// CHECK-fails if that initialization does not succeed, so no URL is parsed
// against a half-initialized ICU.
struct TestCase {
  // Used by ICU integration. Being a data member, it is constructed before the
  // constructor body below calls InitializeICU().
  base::AtExitManager at_exit_manager;

  TestCase() {
    CHECK(base::i18n::InitializeICU());
  }
};
// Checks that GURL's canonicalization is idempotent: re-parsing the canonical
// spec of a valid URL must yield a valid URL with the very same spec. This can
// help discover issues like https://crbug.com/1128999.
//
// Invalid URLs are skipped; nothing is asserted about them here.
void CheckIdempotency(const GURL& url) {
  if (url.is_valid()) {
    // Feed the already-canonical spec back through the parser.
    const std::string& spec = url.spec();
    const GURL recanonicalized(spec);

    // A canonical spec that stops being valid, or that changes when parsed a
    // second time, means two consumers of the same URL could disagree on it.
    CHECK(recanonicalized.is_valid());
    CHECK_EQ(spec, recanonicalized.spec());
  }
}
// Checks that |url.spec()| is preserved across a call to ReplaceComponents with
// zero replacements, which is effectively a copy. This can help discover issues
// like https://crbug.com/1075515.
//
// Validity must match between |url| and the copy in every case; the specs are
// compared only when |url| is valid.
void CheckReplaceComponentsPreservesSpec(const GURL& url) {
  // Default-constructed replacements, shared across calls and never destroyed.
  static const base::NoDestructor<GURL::Replacements> empty_replacements;

  const GURL copy = url.ReplaceComponents(*empty_replacements);
  CHECK_EQ(url.is_valid(), copy.is_valid());

  if (!url.is_valid()) {
    return;
  }
  CHECK_EQ(url.spec(), copy.spec());
}
// Entry point for LibFuzzer.
//
// Feeds `bytes` to GURL in three ways and runs CheckIdempotency() and
// CheckReplaceComponentsPreservesSpec() on every URL it builds:
//   1. the whole input as an 8-bit string;
//   2. the whole input as char16_t units, when its size is even;
//   3. a split of the input into a relative reference and a base URL, which is
//      additionally passed through GURL::Resolve().
// Always returns 0; a violated invariant surfaces as a CHECK failure inside the
// two helpers.
DEFINE_LLVM_FUZZER_TEST_ONE_INPUT_SPAN(const base::span<const uint8_t> bytes) {
  // Constructed on the first call only (ICU setup) and never destroyed.
  static const base::NoDestructor<TestCase> test_case;

  if (bytes.empty()) {
    return 0;
  }

  constexpr size_t kChar16Bytes = sizeof(char16_t);

  // (1) Whole input as an 8-bit string.
  {
    const GURL narrow_url(base::as_string_view(bytes));
    CheckIdempotency(narrow_url);
    CheckReplaceComponentsPreservesSpec(narrow_url);
  }

  // (2) Test for std::u16string_view if size is even. The bytes are
  // reinterpreted in place, so code units take the host's byte order.
  // NOTE(review): the cast assumes bytes.data() is suitably aligned for
  // char16_t - confirm for the buffers the fuzzing engine hands in.
  if (bytes.size() % kChar16Bytes == 0) {
    const std::u16string_view wide_input(
        reinterpret_cast<const char16_t*>(bytes.data()),
        bytes.size() / kChar16Bytes);
    const GURL wide_url(wide_input);
    CheckIdempotency(wide_url);
    CheckReplaceComponentsPreservesSpec(wide_url);
  }

  // (3) Resolve relative url tests. Needs the size prefix plus at least one
  // payload byte; shorter inputs stop here.
  constexpr size_t kSizeTBytes = sizeof(size_t);
  if (bytes.size() <= kSizeTBytes) {
    return 0;
  }

  // `bytes` is split into three spans: the size prefix, `relative_chars`, and
  // `base_chars`. The prefix is sizeof(size_t) bytes copied verbatim, so the
  // same input splits differently on builds with a different size_t width or
  // byte order.
  auto [prefix, payload] = bytes.split_at(kSizeTBytes);
  size_t relative_size;
  base::byte_span_from_ref(relative_size).copy_from(prefix);

  // `payload` is non-empty here, so the modulus is well defined and leaves
  // relative_size strictly below payload.size(): the split stays in bounds and
  // `base_chars` always keeps at least one character.
  relative_size %= payload.size();

  auto [relative_chars, base_chars] =
      base::as_chars(payload).split_at(relative_size);

  const std::string_view base_input(base_chars);
  const GURL base_url(base_input);
  CheckIdempotency(base_url);
  CheckReplaceComponentsPreservesSpec(base_url);

  // Only the act of resolving is exercised; the resolved URL is discarded.
  const std::string_view relative_input(relative_chars);
  std::ignore = base_url.Resolve(relative_input);

  if (relative_size % kChar16Bytes == 0) {
    // Copies the relative part into an owning UTF-16 string before resolving.
    // NOTE(review): same alignment assumption as above, for
    // relative_chars.data() - confirm.
    const std::u16string relative_input16(
        reinterpret_cast<const char16_t*>(relative_chars.data()),
        relative_size / kChar16Bytes);
    std::ignore = base_url.Resolve(relative_input16);
  }

  return 0;
}