FuzzStructuredClone.cpp (2023B)


      1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
      2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
      3 /* This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
      5 * You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 
      7 #include "FuzzingInterface.h"
      8 #include "js/StructuredClone.h"
      9 #include "jsapi.h"
     10 #include "mozilla/ErrorResult.h"
     11 #include "mozilla/ScopeExit.h"
     12 #include "mozilla/dom/ScriptSettings.h"
     13 #include "mozilla/dom/SimpleGlobalObject.h"
     14 #include "mozilla/dom/StructuredCloneHolder.h"
     15 #include "mozilla/dom/ipc/StructuredCloneData.h"
     16 #include "nsCycleCollector.h"
     17 
     18 using namespace mozilla;
     19 using namespace mozilla::dom;
     20 using namespace mozilla::dom::ipc;
     21 
// The JS global object that every fuzzing iteration runs in. It is created
// once in FuzzingInitDomSC, handed to AutoJSAPI::Init on each input, and
// never released here, so the persistent root keeps it alive for the whole
// fuzzing session.
MOZ_RUNINIT JS::PersistentRooted<JSObject*> global;
     23 
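// Fuzzer initialisation hook: creates the JS global that every call to
// FuzzingRunDomSC deserializes into and pins it with the persistent root.
//
// @param argc, argv  unused; they are part of the fuzzing-interface signature.
// @return 0 on success. A missing global is a fatal setup error and aborts
//         here instead of surfacing later.
static int FuzzingInitDomSC(int* argc, char*** argv) {
  JSObject* simpleGlobal =
      SimpleGlobalObject::Create(SimpleGlobalObject::GlobalType::BindingDetail);
  // Check the result up front: a null global would otherwise only be noticed
  // on the first input, where jsapi.Init(global) is release-asserted, which
  // gives a far less useful failure location than this one.
  MOZ_RELEASE_ASSERT(simpleGlobal);
  global.init(mozilla::dom::RootingCx());
  global.set(simpleGlobal);
  return 0;
}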
     31 
// Fuzzer iteration hook: treats |data| as a serialized structured-clone
// buffer and reads it back into the global created by FuzzingInitDomSC.
// Each iteration finishes with a full GC and a cycle collection so that
// garbage produced by one input is not carried over to the next.
//
// @param data  raw fuzzer input
// @param size  byte length of |data|
// @return always 0; a failed read is an expected outcome and is reported
//         through |rv|, which is suppressed rather than propagated.
static int FuzzingRunDomSC(const uint8_t* data, size_t size) {
  // Fewer than eight bytes leaves nothing once the length is rounded down to
  // the eight-byte padding unit below.
  if (size < 8) {
    return 0;
  }

  AutoJSAPI jsapi;
  MOZ_RELEASE_ASSERT(jsapi.Init(global));
  JSContext* cx = jsapi.cx();

  // Declared before the clone data and the rooted value so that it runs only
  // after they have gone out of scope. |cx| is a plain pointer that is never
  // reassigned, so capturing it by value is sufficient.
  auto collectOnExit = mozilla::MakeScopeExit([cx] {
    JS::PrepareForFullGC(cx);
    JS::NonIncrementalGC(cx, JS::GCOptions::Normal, JS::GCReason::API);
    nsCycleCollector_collect(CCReason::API, nullptr);
  });

  // The internals of SCInput have a release assert about the padding of the
  // data, so round the length down to a multiple of eight here to avoid
  // performance problems during fuzzing.
  const size_t alignedSize = size & ~static_cast<size_t>(7);

  StructuredCloneData cloneData;
  const char* bytes = reinterpret_cast<const char*>(data);
  if (!cloneData.CopyExternalData(bytes, alignedSize)) {
    return 0;
  }

  JS::Rooted<JS::Value> deserialized(cx);
  ErrorResult rv;
  cloneData.Read(cx, &deserialized, rv);

  // Malformed input is the normal case under fuzzing; discard the error
  // instead of letting it propagate.
  rv.SuppressException();

  return 0;
}
     65 
// Registers the init and per-input hooks above with the fuzzing harness
// under the target name StructuredCloneReaderDOM.
MOZ_FUZZING_INTERFACE_RAW(FuzzingInitDomSC, FuzzingRunDomSC,
                          StructuredCloneReaderDOM);