1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "FuzzingInterface.h"
#include "jsapi.h"
#include "js/StructuredClone.h"
#include "mozilla/dom/ipc/StructuredCloneData.h"
#include "mozilla/dom/ScriptSettings.h"
#include "mozilla/dom/StructuredCloneHolder.h"
#include "mozilla/dom/SimpleGlobalObject.h"
#include "mozilla/ErrorResult.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/UniquePtr.h"
#include "nsCycleCollector.h"
using namespace mozilla;
using namespace mozilla::dom;
using namespace mozilla::dom::ipc;
JS::PersistentRooted<JSObject*> global;
static int FuzzingInitDomSC(int* argc, char*** argv) {
JSObject* simpleGlobal =
SimpleGlobalObject::Create(SimpleGlobalObject::GlobalType::BindingDetail);
global.init(mozilla::dom::RootingCx());
global.set(simpleGlobal);
return 0;
}
static int FuzzingRunDomSC(const uint8_t* data, size_t size) {
if (size < 8) {
return 0;
}
AutoJSAPI jsapi;
MOZ_RELEASE_ASSERT(jsapi.Init(global));
JSContext* cx = jsapi.cx();
auto gcGuard = mozilla::MakeScopeExit([&] {
JS::PrepareForFullGC(cx);
JS::NonIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API);
nsCycleCollector_collect(CCReason::API, nullptr);
});
// The internals of SCInput have a release assert about the padding
// of the data, so we fix it here to avoid performance problems
// during fuzzing.
size -= size % 8;
StructuredCloneData scdata;
if (!scdata.CopyExternalData(reinterpret_cast<const char*>(data), size)) {
return 0;
}
JS::Rooted<JS::Value> result(cx);
ErrorResult rv;
scdata.Read(cx, &result, rv);
rv.SuppressException();
return 0;
}
MOZ_FUZZING_INTERFACE_RAW(FuzzingInitDomSC, FuzzingRunDomSC,
StructuredCloneReaderDOM);
|
