File: hpack_fuzz_util.h

chromium 139.0.7258.127-1
// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_SPDY_FUZZING_HPACK_FUZZ_UTIL_H_
#define NET_SPDY_FUZZING_HPACK_FUZZ_UTIL_H_

#include <stddef.h>
#include <stdint.h>

#include <memory>
#include <string>
#include <string_view>
#include <vector>

#include "base/containers/span.h"
#include "net/third_party/quiche/src/quiche/http2/core/recording_headers_handler.h"
#include "net/third_party/quiche/src/quiche/http2/hpack/hpack_decoder_adapter.h"
#include "net/third_party/quiche/src/quiche/http2/hpack/hpack_encoder.h"

// Forward declaration only: within this header quiche::HttpHeaderBlock is
// named solely as the return type of HpackFuzzUtil::NextGeneratedHeaderSet().
namespace quiche {
class HttpHeaderBlock;
}

namespace spdy {

// Collection of static helpers used by the HPACK fuzzing tools: header-set
// generation, parsing of length-prefixed header blocks out of an input
// buffer, a decoder -> encoder -> decoder pipeline, and random bit flipping.
class HpackFuzzUtil {
 public:
  // Ordered pools of header names and values. The pools are seeded up front
  // and later grown with dynamically generated data.
  struct GeneratorContext {
    GeneratorContext();
    ~GeneratorContext();
    std::vector<std::string> names;
    std::vector<std::string> values;
  };

  // Seeds |context| with a random seed and the name/value fixtures.
  // NOTE(review): |context| is a raw pointer; presumably it must be non-null.
  // Confirm against the definition.
  static void InitializeGeneratorContext(GeneratorContext* context);

  // Produces the next header set drawn from |context|.
  static quiche::HttpHeaderBlock NextGeneratedHeaderSet(
      GeneratorContext* context);

  // Draws a size from the exponential distribution whose mean is |mean|. The
  // result is capped at |sanity_bound|.
  static size_t SampleExponential(size_t mean, size_t sanity_bound);

  // Owns an input string together with a read cursor (`offset`) into it.
  struct Input {
    Input();  // Leaves |offset| at zero.
    ~Input();

    // Consumes the next `bytes` bytes of the buffer: returns a span over them
    // and moves `offset` past them.
    //
    // The span is taken before `offset` is modified, so an over-long request
    // is handled by base::span::first() rather than by this struct.
    // NOTE(review): this relies on base::span's bounds CHECKs, which
    // terminate the process instead of reading past the buffer. A caller
    // that wants to reject truncated input gracefully has to compare `bytes`
    // with RemainingBytes().size() itself.
    //
    // The returned span views `input`; it is only valid while `input` is
    // neither modified nor destroyed.
    base::span<const uint8_t> ReadSpan(size_t bytes) {
      const base::span<const uint8_t> chunk = RemainingBytes().first(bytes);
      offset += bytes;
      return chunk;
    }
    // Same as ReadSpan(size_t), but the byte count is a compile-time constant
    // and the result is a fixed-extent span of exactly `bytes` bytes. The
    // same bounds and lifetime notes apply.
    template <size_t bytes>
    base::span<const uint8_t, bytes> ReadSpan() {
      const base::span<const uint8_t, bytes> chunk =
          RemainingBytes().first<bytes>();
      offset += bytes;
      return chunk;
    }

    // Returns a span over every byte of `input` from `offset` to the end. It
    // does not move `offset`.
    base::span<const uint8_t> RemainingBytes() {
      const base::span<const uint8_t> whole_buffer = base::as_byte_span(input);
      return whole_buffer.subspan(offset);
    }

    std::string input;
    size_t offset = 0;
  };

  // Stores the next header block in |out| and returns true. Returns false
  // once no header blocks are left in |input|.
  // NOTE(review): |out| is a std::string_view, so it presumably aliases
  // |input|'s buffer and must not outlive it. Confirm against the definition.
  static bool NextHeaderBlock(Input* input, std::string_view* out);

  // Builds the serialized length prefix that precedes a header block of
  // |block_size| bytes.
  static std::string HeaderBlockPrefix(size_t block_size);

  // Bundles the decoder and encoder stages that fuzzed header blocks are
  // pushed through, along with the recording handlers for the first and
  // third stages. Each stage is owned through a std::unique_ptr.
  struct FuzzerContext {
    FuzzerContext();
    ~FuzzerContext();
    std::unique_ptr<HpackDecoderAdapter> first_stage;
    std::unique_ptr<RecordingHeadersHandler> first_stage_handler;
    std::unique_ptr<HpackEncoder> second_stage;
    std::unique_ptr<HpackDecoderAdapter> third_stage;
    std::unique_ptr<RecordingHeadersHandler> third_stage_handler;
  };

  // Prepares |context| for use.
  // NOTE(review): presumably this constructs each stage and handler held by
  // the context. Confirm against the definition.
  static void InitializeFuzzerContext(FuzzerContext* context);

  // Feeds |input_block| to |first_stage|. Only if that succeeds is it also
  // run through |second_stage| and |third_stage|. The return value is true
  // only when every stage processed the input without error.
  static bool RunHeaderBlockThroughFuzzerStages(FuzzerContext* context,
                                                std::string_view input_block);

  // Flips randomly chosen bits inside |buffer|. The number of flips is
  // |flip_per_thousand| bits per 1,024 bytes of |buffer_length|, rounded up.
  //
  // |buffer| and |buffer_length| are passed separately and nothing in this
  // signature ties them together. The caller must guarantee that |buffer|
  // points to at least |buffer_length| writable bytes.
  static void FlipBits(uint8_t* buffer,
                       size_t buffer_length,
                       size_t flip_per_thousand);
};

}  // namespace spdy

#endif  // NET_SPDY_FUZZING_HPACK_FUZZ_UTIL_H_