// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
#include "third_party/blink/renderer/core/testing/dummy_page_holder.h"
#include "third_party/blink/renderer/platform/heap/handle.h"
#include "third_party/blink/renderer/platform/heap/thread_state.h"
#include "third_party/blink/renderer/platform/testing/blink_fuzzer_test_support.h"
#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
namespace blink {
// Page holder shared by every fuzz iteration; allocated once in
// LLVMFuzzerInitialize and deliberately never freed (leaked on purpose
// during fuzzing, see testing/libfuzzer/efficient_fuzzer.md).
DummyPageHolder* g_page_holder{nullptr};
// One-time fuzzer setup, run by libFuzzer before any input is processed.
// Brings up the Blink test environment and allocates the page holder that
// LLVMFuzzerTestOneInput reuses for every input.
// @param argc Command-line argument count from libFuzzer (not used here).
// @param argv Command-line argument vector from libFuzzer (not used here).
// @return 0 on success (libFuzzer convention).
int LLVMFuzzerInitialize(int* argc, char*** argv) {
  // Function-local static: constructed on the first (and only) call and kept
  // alive until process exit.
  static BlinkFuzzerTestSupport test_support{};
  // The leak-sanitizer scope must come after BlinkFuzzerTestSupport: it needs
  // Oilpan initialized so that blink::ThreadState::Current is accessible.
  LEAK_SANITIZER_DISABLED_SCOPE;
  // release(): ownership is intentionally dropped, the holder is never freed.
  g_page_holder = DummyPageHolder::Create().release();
  return 0;
}
namespace {

// Maps bit 0 of the input hash to the CSP header type.
ContentSecurityPolicyHeaderType HeaderTypeFromHash(unsigned hash) {
  if (hash & 0x01)
    return kContentSecurityPolicyHeaderTypeEnforce;
  return kContentSecurityPolicyHeaderTypeReport;
}

// Maps bits 1-2 of the input hash to the CSP header source:
// bit 1 clear -> HTTP (bit 2 is ignored); bit 1 set -> Meta when bit 2 is
// also set, OriginPolicy otherwise.
ContentSecurityPolicyHeaderSource HeaderSourceFromHash(unsigned hash) {
  switch (hash & 0x06) {
    case 0x06:
      return kContentSecurityPolicyHeaderSourceMeta;
    case 0x02:
      return kContentSecurityPolicyHeaderSourceOriginPolicy;
    default:  // 0x00 and 0x04: bit 1 clear.
      return kContentSecurityPolicyHeaderSourceHTTP;
  }
}

}  // namespace

// Fuzzer entry point: interprets one input as a CSP header string, feeds it
// to a fresh ContentSecurityPolicy installed on the shared dummy document,
// then forces a garbage collection.
// @param data Raw fuzzer bytes, decoded as UTF-8.
// @param size Number of bytes in |data|.
// @return Always 0 (libFuzzer convention).
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  String header = String::FromUTF8(data, size);
  // A null String has no Impl() to hash; use 0 so the selection below still
  // has a defined value.
  const unsigned hash = header.IsNull() ? 0 : header.Impl()->GetHash();
  // header_type and header_source are derived from the header's own hash
  // rather than from a separate slice of the input.
  const ContentSecurityPolicyHeaderType header_type = HeaderTypeFromHash(hash);
  const ContentSecurityPolicyHeaderSource header_source =
      HeaderSourceFromHash(hash);
  // Build a policy from the string and install it on the shared document.
  ContentSecurityPolicy* csp = ContentSecurityPolicy::Create();
  csp->DidReceiveHeader(header, header_type, header_source);
  g_page_holder->GetDocument().InitContentSecurityPolicy(csp);
  // Force a garbage collection. The namespace is spelled out because an
  // unqualified ThreadState collides on Mac OS X with
  // CoreServices.framework/Frameworks/CarbonCore.framework/Headers/Threads.h.
  blink::ThreadState::Current()->CollectGarbage(
      BlinkGC::kNoHeapPointersOnStack, BlinkGC::kAtomicMarking,
      BlinkGC::kEagerSweeping, BlinkGC::GCReason::kForcedGC);
  return 0;
}
} // namespace blink
// C-linkage symbol libFuzzer looks up for one-time setup; delegates to the
// implementation inside namespace blink.
// @return The value returned by blink::LLVMFuzzerInitialize.
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
  const int status = blink::LLVMFuzzerInitialize(argc, argv);
  return status;
}
// C-linkage symbol libFuzzer calls once per generated input; delegates to
// the implementation inside namespace blink.
// @param data Raw fuzzer bytes.
// @param size Number of bytes in |data|.
// @return The value returned by blink::LLVMFuzzerTestOneInput.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  const int status = blink::LLVMFuzzerTestOneInput(data, size);
  return status;
}