From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 02:47:55 +0200 Subject: Adding upstream version 124.0.1. Signed-off-by: Daniel Baumann --- dom/base/fuzztest/FuzzStructuredClone.cpp | 70 +++++++++++++++++++++++++++++++ dom/base/fuzztest/moz.build | 23 ++++++++++ 2 files changed, 93 insertions(+) create mode 100644 dom/base/fuzztest/FuzzStructuredClone.cpp create mode 100644 dom/base/fuzztest/moz.build (limited to 'dom/base/fuzztest') diff --git a/dom/base/fuzztest/FuzzStructuredClone.cpp b/dom/base/fuzztest/FuzzStructuredClone.cpp new file mode 100644 index 0000000000..5473df2c8e --- /dev/null +++ b/dom/base/fuzztest/FuzzStructuredClone.cpp @@ -0,0 +1,70 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "FuzzingInterface.h" + +#include "jsapi.h" +#include "js/StructuredClone.h" +#include "mozilla/dom/ipc/StructuredCloneData.h" +#include "mozilla/dom/ScriptSettings.h" +#include "mozilla/dom/StructuredCloneHolder.h" +#include "mozilla/dom/SimpleGlobalObject.h" +#include "mozilla/ErrorResult.h" +#include "mozilla/ScopeExit.h" +#include "mozilla/UniquePtr.h" + +#include "nsCycleCollector.h" + +using namespace mozilla; +using namespace mozilla::dom; +using namespace mozilla::dom::ipc; + +JS::PersistentRooted global; + +static int FuzzingInitDomSC(int* argc, char*** argv) { + JSObject* simpleGlobal = + SimpleGlobalObject::Create(SimpleGlobalObject::GlobalType::BindingDetail); + global.init(mozilla::dom::RootingCx()); + global.set(simpleGlobal); + return 0; +} + +static int FuzzingRunDomSC(const uint8_t* data, size_t size) { + if (size < 8) { + return 0; + } + + AutoJSAPI jsapi; + MOZ_RELEASE_ASSERT(jsapi.Init(global)); + + JSContext* cx = jsapi.cx(); + auto gcGuard = mozilla::MakeScopeExit([&] { + JS::PrepareForFullGC(cx); + JS::NonIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API); + nsCycleCollector_collect(CCReason::API, nullptr); + }); + + // The internals of SCInput have a release assert about the padding + // of the data, so we fix it here to avoid performance problems + // during fuzzing. + size -= size % 8; + + StructuredCloneData scdata; + if (!scdata.CopyExternalData(reinterpret_cast(data), size)) { + return 0; + } + + JS::Rooted result(cx); + ErrorResult rv; + scdata.Read(cx, &result, rv); + + rv.SuppressException(); + + return 0; +} + +MOZ_FUZZING_INTERFACE_RAW(FuzzingInitDomSC, FuzzingRunDomSC, + StructuredCloneReaderDOM); diff --git a/dom/base/fuzztest/moz.build b/dom/base/fuzztest/moz.build new file mode 100644 index 0000000000..f2d65a3a8d --- /dev/null +++ b/dom/base/fuzztest/moz.build @@ -0,0 +1,23 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +Library("FuzzingDomBase") + +SOURCES += [ + "FuzzStructuredClone.cpp", +] + +LOCAL_INCLUDES += [ + "/dom/base", + "/dom/ipc", +] + +include("/ipc/chromium/chromium-config.mozbuild") + +# Add libFuzzer configuration directives +include("/tools/fuzzing/libfuzzer-config.mozbuild") + +FINAL_LIBRARY = "xul-gtest" -- cgit v1.2.3