blob: 8c2d65017a7e2ccfc2f946a3e87abdafd2b6c53f [file] [log] [blame]
// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <fuzzer/FuzzedDataProvider.h>
#include <cstddef>
#include <cstdint>
#include <limits>
#include "absl/strings/string_view.h"
#include "quic/core/qpack/qpack_decoder_stream_receiver.h"
#include "quic/core/quic_error_codes.h"
#include "quic/core/quic_stream.h"
namespace quic {
namespace test {
namespace {
// A QpackDecoderStreamReceiver::Delegate implementation that ignores all
// decoded instructions but keeps track of whether an error has been detected.
class NoOpDelegate : public QpackDecoderStreamReceiver::Delegate {
public:
NoOpDelegate() : error_detected_(false) {}
~NoOpDelegate() override = default;
void OnInsertCountIncrement(uint64_t /*increment*/) override {}
void OnHeaderAcknowledgement(QuicStreamId /*stream_id*/) override {}
void OnStreamCancellation(QuicStreamId /*stream_id*/) override {}
void OnErrorDetected(QuicErrorCode /*error_code*/,
absl::string_view /*error_message*/) override {
error_detected_ = true;
}
bool error_detected() const { return error_detected_; }
private:
bool error_detected_;
};
} // namespace
// This fuzzer exercises QpackDecoderStreamReceiver.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
NoOpDelegate delegate;
QpackDecoderStreamReceiver receiver(&delegate);
FuzzedDataProvider provider(data, size);
while (!delegate.error_detected() && provider.remaining_bytes() != 0) {
// Process up to 64 kB fragments at a time. Too small upper bound might not
// provide enough coverage, too large might make fuzzing too inefficient.
size_t fragment_size = provider.ConsumeIntegralInRange<uint16_t>(
0, std::numeric_limits<uint16_t>::max());
receiver.Decode(provider.ConsumeRandomLengthString(fragment_size));
}
return 0;
}
} // namespace test
} // namespace quic