1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
base / strings / string_tokenizer_fuzzer.cc [blame]
// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
#pragma allow_unsafe_buffers
#endif
#include <stddef.h>
#include <stdint.h>
#include <string>
#include <tuple>
#include "base/strings/string_tokenizer.h"
void GetAllTokens(base::StringTokenizer& t) {
while (t.GetNext()) {
std::ignore = t.token();
}
}
// Entry point for LibFuzzer.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
uint8_t size_t_bytes = sizeof(size_t);
if (size < size_t_bytes + 1) {
return 0;
}
// Calculate pattern size based on remaining bytes, otherwise fuzzing is
// inefficient with bailouts in most cases.
size_t pattern_size =
*reinterpret_cast<const size_t*>(data) % (size - size_t_bytes);
std::string pattern(reinterpret_cast<const char*>(data + size_t_bytes),
pattern_size);
std::string input(
reinterpret_cast<const char*>(data + size_t_bytes + pattern_size),
size - pattern_size - size_t_bytes);
// Allow quote_chars and options to be set. Otherwise full coverage
// won't be possible since IsQuote, FullGetNext and other functions
// won't be called.
for (bool return_delims : {false, true}) {
for (bool return_empty_strings : {false, true}) {
int options = 0;
if (return_delims)
options |= base::StringTokenizer::RETURN_DELIMS;
if (return_empty_strings)
options |= base::StringTokenizer::RETURN_EMPTY_TOKENS;
base::StringTokenizer t(input, pattern);
t.set_options(options);
GetAllTokens(t);
base::StringTokenizer t_quote(input, pattern);
t_quote.set_quote_chars("\"");
t_quote.set_options(options);
GetAllTokens(t_quote);
}
}
return 0;
}