authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
commit0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d (patch)
treea31f07c9bcca9d56ce61e9a1ffd30ef350d513aa /dom/base/fuzztest
parentInitial commit. (diff)
downloadfirefox-esr-upstream/115.8.0esr.tar.xz
firefox-esr-upstream/115.8.0esr.zip
Adding upstream version 115.8.0esr.upstream/115.8.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--dom/base/fuzztest/FuzzStructuredClone.cpp70
-rw-r--r--dom/base/fuzztest/moz.build23
2 files changed, 93 insertions, 0 deletions
diff --git a/dom/base/fuzztest/FuzzStructuredClone.cpp b/dom/base/fuzztest/FuzzStructuredClone.cpp
new file mode 100644
index 0000000000..5473df2c8e
--- /dev/null
+++ b/dom/base/fuzztest/FuzzStructuredClone.cpp
@@ -0,0 +1,70 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "FuzzingInterface.h"
+
+#include "jsapi.h"
+#include "js/StructuredClone.h"
+#include "mozilla/dom/ipc/StructuredCloneData.h"
+#include "mozilla/dom/ScriptSettings.h"
+#include "mozilla/dom/StructuredCloneHolder.h"
+#include "mozilla/dom/SimpleGlobalObject.h"
+#include "mozilla/ErrorResult.h"
+#include "mozilla/ScopeExit.h"
+#include "mozilla/UniquePtr.h"
+
+#include "nsCycleCollector.h"
+
+using namespace mozilla;
+using namespace mozilla::dom;
+using namespace mozilla::dom::ipc;
+
+JS::PersistentRooted<JSObject*> global;
+
+static int FuzzingInitDomSC(int* argc, char*** argv) {
+ JSObject* simpleGlobal =
+ SimpleGlobalObject::Create(SimpleGlobalObject::GlobalType::BindingDetail);
+ global.init(mozilla::dom::RootingCx());
+ global.set(simpleGlobal);
+ return 0;
+}
+
+static int FuzzingRunDomSC(const uint8_t* data, size_t size) {
+ if (size < 8) {
+ return 0;
+ }
+
+ AutoJSAPI jsapi;
+ MOZ_RELEASE_ASSERT(jsapi.Init(global));
+
+ JSContext* cx = jsapi.cx();
+ auto gcGuard = mozilla::MakeScopeExit([&] {
+ JS::PrepareForFullGC(cx);
+ JS::NonIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API);
+ nsCycleCollector_collect(CCReason::API, nullptr);
+ });
+
+ // The internals of SCInput have a release assert about the padding
+ // of the data, so we fix it here to avoid performance problems
+ // during fuzzing.
+ size -= size % 8;
+
+ StructuredCloneData scdata;
+ if (!scdata.CopyExternalData(reinterpret_cast<const char*>(data), size)) {
+ return 0;
+ }
+
+ JS::Rooted<JS::Value> result(cx);
+ ErrorResult rv;
+ scdata.Read(cx, &result, rv);
+
+ rv.SuppressException();
+
+ return 0;
+}
+
+MOZ_FUZZING_INTERFACE_RAW(FuzzingInitDomSC, FuzzingRunDomSC,
+ StructuredCloneReaderDOM);
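Review bot: `JS::PersistentRooted<JSObject*> global;` is a namespace-scope definition with external linkage, and since this target is linked into the shared `xul-gtest` library (see the `FINAL_LIBRARY` line in the moz.build hunk below), any other fuzz target in that library that defines its own `global` would collide at link time; giving it internal linkage, `static JS::PersistentRooted<JSObject*> global;` (or an anonymous namespace), matches the `static` used on the two functions. The entry point also has no comment saying what it exercises; a two-line header such as `// Fuzz target: feeds raw bytes into StructuredCloneData::Read under a minimal BindingDetail global; the ScopeExit forces a full GC + CC after each input so heap state does not carry across iterations.` would let a reader place it without tracing the includes. The `size -= size % 8;` truncation is safe only because of the `size < 8` early return above it, which is worth stating in that comment so the two are not separated later.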
diff --git a/dom/base/fuzztest/moz.build b/dom/base/fuzztest/moz.build
new file mode 100644
index 0000000000..f2d65a3a8d
--- /dev/null
+++ b/dom/base/fuzztest/moz.build
@@ -0,0 +1,23 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Library("FuzzingDomBase")
+
+SOURCES += [
+ "FuzzStructuredClone.cpp",
+]
+
+LOCAL_INCLUDES += [
+ "/dom/base",
+ "/dom/ipc",
+]
+
+include("/ipc/chromium/chromium-config.mozbuild")
+
+# Add libFuzzer configuration directives
+include("/tools/fuzzing/libfuzzer-config.mozbuild")
+
+FINAL_LIBRARY = "xul-gtest"