summaryrefslogtreecommitdiffstats
path: root/tools/fuzzing/ipc/ProtocolFuzzer.h
diff options
context:
space:
mode:
Diffstat (limited to 'tools/fuzzing/ipc/ProtocolFuzzer.h')
-rw-r--r--tools/fuzzing/ipc/ProtocolFuzzer.h112
1 files changed, 112 insertions, 0 deletions
diff --git a/tools/fuzzing/ipc/ProtocolFuzzer.h b/tools/fuzzing/ipc/ProtocolFuzzer.h
new file mode 100644
index 0000000000..b5708a258d
--- /dev/null
+++ b/tools/fuzzing/ipc/ProtocolFuzzer.h
@@ -0,0 +1,112 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_ipc_ProtocolFuzzer_h
+#define mozilla_ipc_ProtocolFuzzer_h
+
+#include "chrome/common/ipc_message.h"
+
+#include "mozilla/RefPtr.h"
+#include "mozilla/UniquePtrExtensions.h"
+#include "mozilla/dom/ContentParent.h"
+
+namespace mozilla {
+namespace ipc {
+
+class ProtocolFuzzerHelper {
+ public:
+ static mozilla::dom::ContentParent* CreateContentParent(
+ const nsACString& aRemoteType);
+
+ static void CompositorBridgeParentSetup();
+
+ static void AddShmemToProtocol(IToplevelProtocol* aProtocol,
+ Shmem::SharedMemory* aSegment, int32_t aId) {
+ MOZ_ASSERT(!aProtocol->mShmemMap.Contains(aId),
+ "Don't insert with an existing ID");
+ aProtocol->mShmemMap.InsertOrUpdate(aId, aSegment);
+ }
+
+ static void RemoveShmemFromProtocol(IToplevelProtocol* aProtocol,
+ int32_t aId) {
+ aProtocol->mShmemMap.Remove(aId);
+ }
+};
+
+template <typename T>
+void FuzzProtocol(T* aProtocol, const uint8_t* aData, size_t aSize,
+ const nsTArray<nsCString>& aIgnoredMessageTypes) {
+ while (true) {
+ uint32_t msg_size =
+ IPC::Message::MessageSize(reinterpret_cast<const char*>(aData),
+ reinterpret_cast<const char*>(aData) + aSize);
+ if (msg_size == 0 || msg_size > aSize) {
+ break;
+ }
+ IPC::Message m(reinterpret_cast<const char*>(aData), msg_size);
+ aSize -= msg_size;
+ aData += msg_size;
+
+ // We ignore certain message types
+ if (aIgnoredMessageTypes.Contains(m.name())) {
+ continue;
+ }
+
+ uint8_t num_shmems = 0;
+ if (aSize) {
+ num_shmems = *aData;
+ aData++;
+ aSize--;
+
+ for (uint32_t i = 0; i < num_shmems; i++) {
+ if (aSize < sizeof(uint16_t)) {
+ break;
+ }
+ size_t shmem_size = *reinterpret_cast<const uint16_t*>(aData);
+ aData += sizeof(uint16_t);
+ aSize -= sizeof(uint16_t);
+
+ if (shmem_size > aSize) {
+ break;
+ }
+ RefPtr<Shmem::SharedMemory> segment(Shmem::Alloc(shmem_size, false));
+ if (!segment) {
+ break;
+ }
+
+ Shmem shmem(segment.get(), i + 1);
+ memcpy(shmem.get<uint8_t>(), aData, shmem_size);
+ ProtocolFuzzerHelper::AddShmemToProtocol(
+ aProtocol, segment.forget().take(), i + 1);
+
+ aData += shmem_size;
+ aSize -= shmem_size;
+ }
+ }
+ // TODO: attach |m.header().num_fds| file descriptors to |m|. MVP can be
+ // empty files, next implementation maybe read a length header from |data|
+ // and then that many bytes.
+
+ if (m.is_sync()) {
+ UniquePtr<IPC::Message> reply;
+ aProtocol->OnMessageReceived(m, reply);
+ } else {
+ aProtocol->OnMessageReceived(m);
+ }
+ for (uint32_t i = 0; i < num_shmems; i++) {
+ Shmem::SharedMemory* segment = aProtocol->LookupSharedMemory(i + 1);
+ Shmem::Dealloc(segment);
+ ProtocolFuzzerHelper::RemoveShmemFromProtocol(aProtocol, i + 1);
+ }
+ }
+}
+
+nsTArray<nsCString> LoadIPCMessageBlacklist(const char* aPath);
+
+} // namespace ipc
+} // namespace mozilla
+
+#endif