1
    2
    3
    4
    5
    6
    7
    8
    9
   10
   11
   12
   13
   14
   15
   16
   17
   18
   19
   20
   21
   22
   23
   24
   25
   26
   27
   28
   29
   30
   31
   32
   33
   34
   35
   36
   37
   38
   39
   40
   41
   42
   43
   44
   45

mojo / core / user_message_fuzzer.cc [blame]

// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/351564777): Remove this and convert code to safer constructs.
#pragma allow_unsafe_buffers
#endif

#include <stdint.h>

#include <algorithm>

#include "base/containers/span.h"
#include "mojo/core/entrypoints.h"
#include "mojo/core/node_controller.h"
#include "mojo/core/user_message_impl.h"

// Message deserialization may register handles in the global handle table. We
// need to initialize Core for that to be OK.
struct Environment {
  Environment() { mojo::core::InitializeCore(); }
};

extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size) {
  static Environment environment;

  // Try using our fuzz input as the payload of an otherwise well-formed user
  // message event.
  std::unique_ptr<mojo::core::ports::UserMessageEvent> event;
  MojoResult result =
      mojo::core::UserMessageImpl::CreateEventForNewSerializedMessage(
          static_cast<uint32_t>(size), nullptr, 0, &event);
  DCHECK_EQ(result, MOJO_RESULT_OK);
  DCHECK(event);
  auto* message = event->GetMessage<mojo::core::UserMessageImpl>();
  std::copy(data, data + size,
            static_cast<unsigned char*>(message->user_payload()));
  mojo::core::Channel::MessagePtr serialized_event =
      mojo::core::UserMessageImpl::FinalizeEventMessage(std::move(event));
  mojo::core::NodeController::DeserializeMessageAsEventForFuzzer(
      std::move(serialized_event));

  return 0;
}