tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

testStructuredCloneReader.cpp (2643B)

      1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
      2 * vim: set ts=8 sts=2 et sw=2 tw=80:
      3 */
      4 /* This Source Code Form is subject to the terms of the Mozilla Public
      5 * License, v. 2.0. If a copy of the MPL was not distributed with this
      6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      7 
      8 #include "mozilla/ScopeExit.h"
      9 
     10 #include "jsapi.h"
     11 
     12 #include "fuzz-tests/tests.h"
     13 #include "js/StructuredClone.h"
     14 #include "vm/Interpreter.h"
     15 
     16 #include "vm/JSContext-inl.h"
     17 
     18 using namespace js;
     19 
     20 // These are defined and pre-initialized by the harness (in tests.cpp).
     21 extern JS::PersistentRootedObject gGlobal;
     22 extern JSContext* gCx;
     23 
     24 static int testStructuredCloneReaderInit(int* argc, char*** argv) { return 0; }
     25 
     26 static int testStructuredCloneReaderFuzz(const uint8_t* buf, size_t size) {
     27  auto gcGuard = mozilla::MakeScopeExit([&] {
     28    JS::PrepareForFullGC(gCx);
     29    JS::NonIncrementalGC(gCx, JS::GCOptions::Normal, JS::GCReason::API);
     30  });
     31 
     32  if (!size) return 0;
     33 
     34  // Make sure to pad the buffer to a multiple of kSegmentAlignment
     35  const size_t kSegmentAlignment = 8;
     36  size_t buf_size = RoundUp(size, kSegmentAlignment);
     37 
     38  JS::StructuredCloneScope scope = JS::StructuredCloneScope::DifferentProcess;
     39 
     40  auto clonebuf = MakeUnique<JSStructuredCloneData>(scope);
     41  if (!clonebuf || !clonebuf->Init(buf_size)) {
     42    ReportOutOfMemory(gCx);
     43    return 0;
     44  }
     45 
     46  // Copy buffer then pad with zeroes.
     47  if (!clonebuf->AppendBytes((const char*)buf, size)) {
     48    ReportOutOfMemory(gCx);
     49    return 0;
     50  }
     51  char padding[kSegmentAlignment] = {0};
     52  if (!clonebuf->AppendBytes(padding, buf_size - size)) {
     53    ReportOutOfMemory(gCx);
     54    return 0;
     55  }
     56 
     57  JS::CloneDataPolicy policy;
     58  RootedValue deserialized(gCx);
     59  if (!JS_ReadStructuredClone(gCx, *clonebuf, JS_STRUCTURED_CLONE_VERSION,
     60                              scope, &deserialized, policy, nullptr, nullptr)) {
     61    return 0;
     62  }
     63 
     64  /* If we succeeded in deserializing, we should try to reserialize the data.
     65     This has two main advantages:
     66 
     67     1) It tests parts of the serializer as well.
     68     2) The deserialized data is actually used, making it more likely to detect
     69        further memory-related problems.
     70 
     71     Tests show that this also doesn't cause a serious performance penalty.
     72  */
     73  mozilla::Maybe<JSAutoStructuredCloneBuffer> clonebufOut;
     74 
     75  clonebufOut.emplace(scope, nullptr, nullptr);
     76  if (!clonebufOut->write(gCx, deserialized, UndefinedHandleValue, policy)) {
     77    return 0;
     78  }
     79 
     80  return 0;
     81 }
     82 
     83 MOZ_FUZZING_INTERFACE_RAW(testStructuredCloneReaderInit,
     84                          testStructuredCloneReaderFuzz, StructuredCloneReader);