ipc/ipc_fuzzing_tests.cc - chromium/src - Git at Google

 // Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include <stdint.h>
 #include <stdio.h>

 #include <limits>
 #include <memory>
 #include <sstream>
 #include <string>

 #include "base/memory/raw_ptr.h"
 #include "base/run_loop.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/platform_thread.h"
 #include "build/build_config.h"
 #include "ipc/ipc_test_base.h"
 #include "testing/gtest/include/gtest/gtest.h"

 // IPC messages for testing ----------------------------------------------------

 #define IPC_MESSAGE_IMPL
 #include "ipc/ipc_message_macros.h"
 #include "ipc/ipc_message_start.h"

 #define IPC_MESSAGE_START TestMsgStart

 // Generic message class that is an int followed by a string16.
 IPC_MESSAGE_CONTROL2(MsgClassIS, int, std::u16string)

 // Generic message class that is a string16 followed by an int.
 IPC_MESSAGE_CONTROL2(MsgClassSI, std::u16string, int)

 // Message to create a mutex in the IPC server, using the received name.
 IPC_MESSAGE_CONTROL2(MsgDoMutex, std::u16string, int)

 // Used to generate an ID for a message that should not exist.
 IPC_MESSAGE_CONTROL0(MsgUnhandled)

 // -----------------------------------------------------------------------------

 namespace {

 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
   // This was BUG 984408.
   uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
   int v2 = 666;
   IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
   m.WriteInt(v1);
   m.WriteInt(v2);

   base::PickleIterator iter(m);
   std::string vs;
   EXPECT_FALSE(iter.ReadString(&vs));
 }

 TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
   // This was BUG 984408.
   uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
   int v2 = 777;
   IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
   m.WriteInt(v1);
   m.WriteInt(v2);

   base::PickleIterator iter(m);
   std::u16string vs;
   EXPECT_FALSE(iter.ReadString16(&vs));
 }

 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
   // This was BUG 1035467.
   IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
   m.WriteInt(1);
   m.WriteInt(2);

   base::PickleIterator iter(m);
   const char* data = nullptr;
   EXPECT_TRUE(iter.ReadBytes(&data, sizeof(int)));
 }

 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
   // A slight variation of BUG 984408. Note that the pickling of vector<char>
   // has a specialized template which is not vulnerable to this bug. So here
   // try to hit the non-specialized case vector<P>.
   IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
   m.WriteInt(-1);  // This is the count of elements.
   m.WriteInt(1);
   m.WriteInt(2);
   m.WriteInt(3);

   std::vector<double> vec;
   base::PickleIterator iter(m);
   EXPECT_FALSE(ReadParam(&m, &iter, &vec));
 }

 #if BUILDFLAG(IS_ANDROID)
 #define MAYBE_ReadVectorTooLarge1 DISABLED_ReadVectorTooLarge1
 #else
 #define MAYBE_ReadVectorTooLarge1 ReadVectorTooLarge1
 #endif
 TEST(IPCMessageIntegrity, MAYBE_ReadVectorTooLarge1) {
   // This was BUG 1006367. This is the large but positive length case. Again
   // we try to hit the non-specialized case vector<P>.
   IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
   m.WriteInt(0x21000003);  // This is the count of elements.
   m.WriteInt64(1);
   m.WriteInt64(2);

   std::vector<int64_t> vec;
   base::PickleIterator iter(m);
   EXPECT_FALSE(ReadParam(&m, &iter, &vec));
 }

 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
   // This was BUG 1006367. This is the large but positive with an additional
   // integer overflow when computing the actual byte size. Again we try to hit
   // the non-specialized case vector<P>.
   IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
   m.WriteInt(0x71000000);  // This is the count of elements.
   m.WriteInt64(1);
   m.WriteInt64(2);

   std::vector<int64_t> vec;
   base::PickleIterator iter(m);
   EXPECT_FALSE(ReadParam(&m, &iter, &vec));
 }

 // This test needs ~20 seconds in Debug mode, or ~4 seconds in Release mode.
 // See http://crbug.com/741866 for details.
 TEST(IPCMessageIntegrity, DISABLED_ReadVectorTooLarge3) {
   base::Pickle pickle;
   IPC::WriteParam(&pickle, 256 * 1024 * 1024);
   IPC::WriteParam(&pickle, 0);
   IPC::WriteParam(&pickle, 1);
   IPC::WriteParam(&pickle, 2);

   base::PickleIterator iter(pickle);
   std::vector<int> vec;
   EXPECT_FALSE(IPC::ReadParam(&pickle, &iter, &vec));
 }

 }  // namespace
	// Copyright 2012 The Chromium Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include <stdint.h>
	#include <stdio.h>

	#include <limits>
	#include <memory>
	#include <sstream>
	#include <string>

	#include "base/memory/raw_ptr.h"
	#include "base/run_loop.h"
	#include "base/strings/utf_string_conversions.h"
	#include "base/threading/platform_thread.h"
	#include "build/build_config.h"
	#include "ipc/ipc_test_base.h"
	#include "testing/gtest/include/gtest/gtest.h"

	// IPC messages for testing ----------------------------------------------------

	#define IPC_MESSAGE_IMPL
	#include "ipc/ipc_message_macros.h"
	#include "ipc/ipc_message_start.h"

	#define IPC_MESSAGE_START TestMsgStart

	// Generic message class that is an int followed by a string16.
	IPC_MESSAGE_CONTROL2(MsgClassIS, int, std::u16string)

	// Generic message class that is a string16 followed by an int.
	IPC_MESSAGE_CONTROL2(MsgClassSI, std::u16string, int)

	// Message to create a mutex in the IPC server, using the received name.
	IPC_MESSAGE_CONTROL2(MsgDoMutex, std::u16string, int)

	// Used to generate an ID for a message that should not exist.
	IPC_MESSAGE_CONTROL0(MsgUnhandled)

	// -----------------------------------------------------------------------------

	namespace {

	TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
	// This was BUG 984408.
	uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
	int v2 = 666;
	IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
	m.WriteInt(v1);
	m.WriteInt(v2);

	base::PickleIterator iter(m);
	std::string vs;
	EXPECT_FALSE(iter.ReadString(&vs));
	}

	TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
	// This was BUG 984408.
	uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
	int v2 = 777;
	IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
	m.WriteInt(v1);
	m.WriteInt(v2);

	base::PickleIterator iter(m);
	std::u16string vs;
	EXPECT_FALSE(iter.ReadString16(&vs));
	}

	TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
	// This was BUG 1035467.
	IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
	m.WriteInt(1);
	m.WriteInt(2);

	base::PickleIterator iter(m);
	const char* data = nullptr;
	EXPECT_TRUE(iter.ReadBytes(&data, sizeof(int)));
	}

	TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
	// A slight variation of BUG 984408. Note that the pickling of vector<char>
	// has a specialized template which is not vulnerable to this bug. So here
	// try to hit the non-specialized case vector<P>.
	IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
	m.WriteInt(-1); // This is the count of elements.
	m.WriteInt(1);
	m.WriteInt(2);
	m.WriteInt(3);

	std::vector<double> vec;
	base::PickleIterator iter(m);
	EXPECT_FALSE(ReadParam(&m, &iter, &vec));
	}

	#if BUILDFLAG(IS_ANDROID)
	#define MAYBE_ReadVectorTooLarge1 DISABLED_ReadVectorTooLarge1
	#else
	#define MAYBE_ReadVectorTooLarge1 ReadVectorTooLarge1
	#endif
	TEST(IPCMessageIntegrity, MAYBE_ReadVectorTooLarge1) {
	// This was BUG 1006367. This is the large but positive length case. Again
	// we try to hit the non-specialized case vector<P>.
	IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
	m.WriteInt(0x21000003); // This is the count of elements.
	m.WriteInt64(1);
	m.WriteInt64(2);

	std::vector<int64_t> vec;
	base::PickleIterator iter(m);
	EXPECT_FALSE(ReadParam(&m, &iter, &vec));
	}

	TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
	// This was BUG 1006367. This is the large but positive with an additional
	// integer overflow when computing the actual byte size. Again we try to hit
	// the non-specialized case vector<P>.
	IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
	m.WriteInt(0x71000000); // This is the count of elements.
	m.WriteInt64(1);
	m.WriteInt64(2);

	std::vector<int64_t> vec;
	base::PickleIterator iter(m);
	EXPECT_FALSE(ReadParam(&m, &iter, &vec));
	}

	// This test needs ~20 seconds in Debug mode, or ~4 seconds in Release mode.
	// See http://crbug.com/741866 for details.
	TEST(IPCMessageIntegrity, DISABLED_ReadVectorTooLarge3) {
	base::Pickle pickle;
	IPC::WriteParam(&pickle, 256 * 1024 * 1024);
	IPC::WriteParam(&pickle, 0);
	IPC::WriteParam(&pickle, 1);
	IPC::WriteParam(&pickle, 2);

	base::PickleIterator iter(pickle);
	std::vector<int> vec;
	EXPECT_FALSE(IPC::ReadParam(&pickle, &iter, &vec));
	}

	} // namespace