// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "extensions/common/manifest.h"
#include <fuzzer/FuzzedDataProvider.h>
#include <stddef.h>
#include <stdint.h>
#include <optional>
#include <string>
#include <utility>
#include <vector>
#include "base/at_exit.h"
#include "base/check.h"
#include "base/command_line.h"
#include "base/json/json_reader.h"
#include "base/values.h"
#include "extensions/common/extensions_client.h"
#include "extensions/common/install_warning.h"
#include "extensions/common/mojom/manifest.mojom-shared.h"
#include "extensions/test/test_extensions_client.h"
namespace extensions {
namespace {
// Bail out on larger inputs to prevent out-of-memory failures.
constexpr int kMaxInputSizeBytes = 200 * 1024;
const mojom::ManifestLocation kLocations[] = {
mojom::ManifestLocation::kInternal,
mojom::ManifestLocation::kExternalPref,
mojom::ManifestLocation::kExternalRegistry,
mojom::ManifestLocation::kUnpacked,
mojom::ManifestLocation::kComponent,
mojom::ManifestLocation::kExternalPrefDownload,
mojom::ManifestLocation::kExternalPolicyDownload,
mojom::ManifestLocation::kCommandLine,
mojom::ManifestLocation::kExternalPolicy,
mojom::ManifestLocation::kExternalComponent,
};
// Holds state shared across all fuzzer calls.
struct Environment {
Environment() { ExtensionsClient::Set(&extensions_client); }
// Singleton objects needed for the tested code.
base::AtExitManager at_exit;
TestExtensionsClient extensions_client;
};
bool InitFuzzedCommandLine(FuzzedDataProvider& fuzzed_data_provider) {
constexpr int kMaxArgvItems = 100;
const int argc =
fuzzed_data_provider.ConsumeIntegralInRange<int>(0, kMaxArgvItems);
std::vector<std::string> argv;
argv.reserve(argc);
std::vector<const char*> argv_chars;
argv_chars.reserve(argc);
for (int i = 0; i < argc; ++i) {
argv.push_back(fuzzed_data_provider.ConsumeRandomLengthString());
argv_chars.push_back(argv.back().c_str());
}
return base::CommandLine::Init(argc, argv_chars.data());
}
// Holds state during a single fuzzer call.
struct PerInputEnvironment {
explicit PerInputEnvironment(FuzzedDataProvider& fuzzed_data_provider) {
CHECK(InitFuzzedCommandLine(fuzzed_data_provider));
}
~PerInputEnvironment() { base::CommandLine::Reset(); }
};
} // namespace
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
static Environment env;
if (size > kMaxInputSizeBytes) {
return 0;
}
FuzzedDataProvider fuzzed_data_provider(data, size);
PerInputEnvironment per_input_env(fuzzed_data_provider);
std::string extension_id = fuzzed_data_provider.ConsumeRandomLengthString();
if (extension_id.empty())
extension_id.resize(1);
std::optional<base::Value> parsed_json = base::JSONReader::Read(
fuzzed_data_provider.ConsumeRemainingBytesAsString());
if (!parsed_json || !parsed_json->is_dict())
return 0;
for (auto location : kLocations) {
Manifest manifest(location, parsed_json->GetDict().Clone(), extension_id);
std::vector<InstallWarning> install_warning;
manifest.ValidateManifest(&install_warning);
}
return 0;
}
} // namespace extensions
Codebase Browser
chromium