diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /js/src/fuzz-tests/testStructuredCloneReader.cpp | |
parent | Initial commit. (diff) | |
download | firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'js/src/fuzz-tests/testStructuredCloneReader.cpp')
-rw-r--r-- | js/src/fuzz-tests/testStructuredCloneReader.cpp | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/js/src/fuzz-tests/testStructuredCloneReader.cpp b/js/src/fuzz-tests/testStructuredCloneReader.cpp new file mode 100644 index 0000000000..6b70d8bc52 --- /dev/null +++ b/js/src/fuzz-tests/testStructuredCloneReader.cpp @@ -0,0 +1,84 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * vim: set ts=8 sts=2 et sw=2 tw=80: + */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "mozilla/ScopeExit.h" + +#include "jsapi.h" + +#include "fuzz-tests/tests.h" +#include "js/StructuredClone.h" +#include "vm/Interpreter.h" + +#include "vm/JSContext-inl.h" + +using namespace js; + +// These are defined and pre-initialized by the harness (in tests.cpp). +extern JS::PersistentRootedObject gGlobal; +extern JSContext* gCx; + +static int testStructuredCloneReaderInit(int* argc, char*** argv) { return 0; } + +static int testStructuredCloneReaderFuzz(const uint8_t* buf, size_t size) { + auto gcGuard = mozilla::MakeScopeExit([&] { + JS::PrepareForFullGC(gCx); + JS::NonIncrementalGC(gCx, JS::GCOptions::Normal, JS::GCReason::API); + }); + + if (!size) return 0; + + // Make sure to pad the buffer to a multiple of kSegmentAlignment + const size_t kSegmentAlignment = 8; + size_t buf_size = RoundUp(size, kSegmentAlignment); + + JS::StructuredCloneScope scope = JS::StructuredCloneScope::DifferentProcess; + + auto clonebuf = MakeUnique<JSStructuredCloneData>(scope); + if (!clonebuf || !clonebuf->Init(buf_size)) { + ReportOutOfMemory(gCx); + return 0; + } + + // Copy buffer then pad with zeroes. + if (!clonebuf->AppendBytes((const char*)buf, size)) { + ReportOutOfMemory(gCx); + return 0; + } + char padding[kSegmentAlignment] = {0}; + if (!clonebuf->AppendBytes(padding, buf_size - size)) { + ReportOutOfMemory(gCx); + return 0; + } + + JS::CloneDataPolicy policy; + RootedValue deserialized(gCx); + if (!JS_ReadStructuredClone(gCx, *clonebuf, JS_STRUCTURED_CLONE_VERSION, + scope, &deserialized, policy, nullptr, nullptr)) { + return 0; + } + + /* If we succeeded in deserializing, we should try to reserialize the data. + This has two main advantages: + + 1) It tests parts of the serializer as well. + 2) The deserialized data is actually used, making it more likely to detect + further memory-related problems. + + Tests show that this also doesn't cause a serious performance penalty. + */ + mozilla::Maybe<JSAutoStructuredCloneBuffer> clonebufOut; + + clonebufOut.emplace(scope, nullptr, nullptr); + if (!clonebufOut->write(gCx, deserialized, UndefinedHandleValue, policy)) { + return 0; + } + + return 0; +} + +MOZ_FUZZING_INTERFACE_RAW(testStructuredCloneReaderInit, + testStructuredCloneReaderFuzz, StructuredCloneReader); |