// Copyright 2019 The PDFium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <fuzzer/FuzzedDataProvider.h>

#include <cstdint>
#include <cstring>
#include <vector>

#include "core/fpdfapi/page/cpdf_streamparser.h"
#include "core/fpdfapi/parser/cpdf_dictionary.h"
#include "core/fpdfapi/parser/cpdf_object.h"
#include "core/fpdfdoc/cpdf_nametree.h"
#include "third_party/base/containers/span.h"
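// Fuzzer-chosen parameters for one run of the name-tree harness.
//
// The scalar members carry default initializers so that a default-constructed
// Params never holds indeterminate values, even if a future caller forgets to
// assign one of them before use.
struct Params {
  // Selects the descending-index delete loop when true; when false the harness
  // deletes index 0 repeatedly.
  bool delete_backwards = false;
  // Number of names to generate and number of delete calls to issue.
  uint8_t count = 0;
  // Names paired with the parsed objects when the tree is populated.
  std::vector<WideString> names;
};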
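// Builds |count| short names out of bytes consumed from |data_provider|.
//
// Each name is decoded from at most kMaxNameLen fuzzer bytes interpreted as
// 16-bit code units; an odd trailing byte is dropped by the integer division.
// Returns the names in the order they were consumed.
std::vector<WideString> GetNames(uint8_t count,
                                 FuzzedDataProvider* data_provider) {
  // The name is not that interesting here. Keep it short.
  constexpr size_t kMaxNameLen = 10;
  constexpr size_t kMaxUnits = kMaxNameLen / sizeof(unsigned short);

  std::vector<WideString> names;
  names.reserve(count);
  for (size_t i = 0; i < count; ++i) {
    const std::string str =
        data_provider->ConsumeRandomLengthString(kMaxNameLen);

    // std::string storage is only guaranteed to be char-aligned, so viewing it
    // through an unsigned short* is an alignment and aliasing hazard that a
    // sanitizer build of the harness can report as a finding unrelated to the
    // code under test. Copy the bytes into properly typed storage instead;
    // memcpy keeps the same in-memory byte order the cast would have read.
    unsigned short units[kMaxUnits] = {};
    // Clamp defensively so the copy can never exceed |units|, whatever length
    // the provider hands back.
    const size_t byte_len = str.size() < kMaxNameLen ? str.size() : kMaxNameLen;
    const size_t unit_count = byte_len / sizeof(unsigned short);
    std::memcpy(units, str.data(), unit_count * sizeof(unsigned short));

    names.push_back(WideString::FromUTF16LE(units, unit_count));
  }
  return names;
}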
// Consumes the harness parameters from |data_provider| and returns them.
//
// The three reads happen in a fixed order (direction flag, count, names)
// because every Consume* call advances the provider; reordering them would
// change how an existing corpus entry is interpreted.
Params GetParams(FuzzedDataProvider* data_provider) {
  const bool backwards = data_provider->ConsumeBool();
  // Range is 1..255, so the value always fits the uint8_t member below.
  const auto name_count = data_provider->ConsumeIntegralInRange(1, 255);

  Params result;
  result.delete_backwards = backwards;
  result.count = name_count;
  result.names = GetNames(result.count, data_provider);
  return result;
}
// libFuzzer entry point for the CPDF_NameTree harness.
//
// The input is split into harness parameters (see GetParams) and a remaining
// byte stream. Objects parsed from that stream are inserted into a fresh name
// tree under the generated names, then delete calls are issued in one of two
// orders. Always returns 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FuzzedDataProvider provider(data, size);
  const Params params = GetParams(&provider);

  // |stream_bytes| needs to outlive |parser|, so it is declared first.
  std::vector<uint8_t> stream_bytes =
      provider.ConsumeRemainingBytes<uint8_t>();
  if (stream_bytes.empty())
    return 0;

  CPDF_StreamParser parser(stream_bytes);
  auto dict = pdfium::MakeRetain<CPDF_Dictionary>();
  std::unique_ptr<CPDF_NameTree> name_tree =
      CPDF_NameTree::CreateForTesting(dict.Get());

  // Insertion stops at the first object the parser cannot produce, so the
  // tree may end up holding fewer than |params.count| entries.
  for (const WideString& name : params.names) {
    RetainPtr<CPDF_Object> obj = parser.ReadNextObject(
        /*bAllowNestedArray=*/true, /*bInArray=*/false,
        /*dwRecursionLevel=*/0);
    if (!obj)
      break;

    name_tree->AddValueAndName(std::move(obj), name);
  }

  if (!params.delete_backwards) {
    // Forward mode: ask for index 0 once per requested name.
    for (size_t remaining = params.count; remaining > 0; --remaining)
      name_tree->DeleteValueAndName(0);
    return 0;
  }

  // Backward mode passes count, count - 1, ..., 1 and never 0.
  // NOTE(review): if DeleteValueAndName() is zero-based (the forward mode
  // suggests so), the first call is one past the last entry and one entry is
  // left in the tree. Confirm this is deliberate out-of-range coverage rather
  // than an off-by-one before changing it, since a fix alters what existing
  // corpus entries exercise.
  size_t index = params.count;
  while (index > 0) {
    name_tree->DeleteValueAndName(index);
    --index;
  }
  return 0;
}