authordsinclair <dsinclair@chromium.org>2016-06-14 07:34:20 -0700
committerCommit bot <commit-bot@chromium.org>2016-06-14 07:34:20 -0700
commit756d37943415ca15d491b79ba78012225a06db76 (patch)
tree817ecb7fc2a84e7562006931ff97ad46858fe4d3
parentfc6326d6cd51878c8ec3b8b51767dce368d07f67 (diff)
downloadpdfium-756d37943415ca15d491b79ba78012225a06db76.tar.xz
Add fuzzer for FDE CSS syntax parser.
This CL adds a fuzzer for the CSS Syntax parser in XFA. BUG=chromium:587126 Review-Url: https://codereview.chromium.org/2068513002
-rw-r--r--testing/DEPS2
-rw-r--r--testing/libfuzzer/BUILD.gn16
-rw-r--r--testing/libfuzzer/fuzzers.gyp13
-rw-r--r--testing/libfuzzer/pdf_css_fuzzer.cc31
-rw-r--r--xfa/fxfa/parser/xfa_basic_imp.cpp7
5 files changed, 66 insertions, 3 deletions
diff --git a/testing/DEPS b/testing/DEPS
index 2e7767721a..44e064607f 100644
--- a/testing/DEPS
+++ b/testing/DEPS
@@ -6,6 +6,8 @@ include_rules = [
'+fpdfsdk/jsapi/include',
'+public',
'+v8',
+ '+xfa/fde',
+ '+xfa/fgas',
'+xfa/fxfa/parser',
'+xfa/fxfa/fm2js',
]
diff --git a/testing/libfuzzer/BUILD.gn b/testing/libfuzzer/BUILD.gn
index 5382313e01..3659c36225 100644
--- a/testing/libfuzzer/BUILD.gn
+++ b/testing/libfuzzer/BUILD.gn
@@ -5,6 +5,8 @@
import("../../pdfium.gni")
config("libfuzzer_config") {
+ configs = [ "//third_party/pdfium:pdfium_core_config" ]
+
defines = [
"PNG_PREFIX",
"PNG_USE_READ_MACROS",
@@ -122,6 +124,20 @@ if (pdf_enable_xfa) {
":libfuzzer_config",
]
}
+ source_set("pdf_css_fuzzer") {
+ testonly = true
+ sources = [
+ "pdf_css_fuzzer.cc",
+ ]
+ deps = [
+ "//third_party/pdfium:pdfium",
+ ]
+ configs -= [ "//build/config/compiler:chromium_code" ]
+ configs += [
+ "//build/config/compiler:no_chromium_code",
+ ":libfuzzer_config",
+ ]
+ }
}
source_set("pdf_jpx_fuzzer") {
diff --git a/testing/libfuzzer/fuzzers.gyp b/testing/libfuzzer/fuzzers.gyp
index 3f1d8123b6..5f2a4d1bd9 100644
--- a/testing/libfuzzer/fuzzers.gyp
+++ b/testing/libfuzzer/fuzzers.gyp
@@ -15,6 +15,8 @@
'include_dirs': [
# This is implicit in GN.
'<(DEPTH)',
+ '../../third_party/freetype/include',
+ '../../third_party/freetype/include/freetype',
],
'conditions': [
['pdf_enable_v8==1', {
@@ -119,6 +121,17 @@
'xfa_codec_fuzzer.h',
],
},
+ {
+ 'target_name': 'pdf_css_fuzzer',
+ 'type': 'executable',
+ 'dependencies': [
+ '../../pdfium.gyp:pdfium',
+ ],
+ 'sources': [
+ 'pdf_css_fuzzer.cc',
+ 'unittest_main.cc',
+ ],
+ },
],
}],
['OS=="linux"', {
diff --git a/testing/libfuzzer/pdf_css_fuzzer.cc b/testing/libfuzzer/pdf_css_fuzzer.cc
new file mode 100644
index 0000000000..da8b1f53f6
--- /dev/null
+++ b/testing/libfuzzer/pdf_css_fuzzer.cc
@@ -0,0 +1,31 @@
+// Copyright 2016 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <memory>
+
+#include "core/fxcrt/include/fx_string.h"
+#include "xfa/fde/css/fde_css.h"
+#include "xfa/fde/css/fde_csssyntax.h"
+#include "xfa/fgas/crt/fgas_stream.h"
+#include "xfa/fxfa/parser/xfa_utils.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ CFDE_CSSSyntaxParser parser;
+
+ CFX_WideString input = CFX_WideString::FromUTF8(
+ CFX_ByteStringC(data, static_cast<FX_STRSIZE>(size)));
+ std::unique_ptr<IFX_Stream, ReleaseDeleter<IFX_Stream>> stream(
+ XFA_CreateWideTextRead(input));
+ if (!stream)
+ return 0;
+
+ parser.Init(stream.get(), 1024);
+
+ FDE_CSSSYNTAXSTATUS status = parser.DoSyntaxParse();
+ while (status != FDE_CSSSYNTAXSTATUS_Error &&
+ status != FDE_CSSSYNTAXSTATUS_EOS)
+ status = parser.DoSyntaxParse();
+
+ return 0;
+}
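Review bot: The `static_cast<FX_STRSIZE>(size)` on the CFX_ByteStringC construction narrows `size_t` to FX_STRSIZE, which is a signed 32-bit type elsewhere in this tree, so an input longer than INT_MAX would turn into a negative length before the bytes are even decoded; libFuzzer's default max length keeps inputs far below that, but a guard ahead of the conversion costs one line, `if (size > static_cast<size_t>(std::numeric_limits<FX_STRSIZE>::max())) return 0;` (with `<limits>` added to the includes). The `1024` passed to `parser.Init` is presumably the read-buffer size and decides whether inputs larger than that exercise the stream refill path, which is worth recording next to the call: `// Small read buffer so inputs over 1 KiB cross a buffer boundary.`. The status loop only drives `DoSyntaxParse` and never looks at the tokens it yields, so a comment such as `// Run the tokenizer to EOS or Error; token payloads are not inspected here.` would tell the next reader that this is intentional and where coverage could be widened.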
diff --git a/xfa/fxfa/parser/xfa_basic_imp.cpp b/xfa/fxfa/parser/xfa_basic_imp.cpp
index 86a96bbd63..f7c2606501 100644
--- a/xfa/fxfa/parser/xfa_basic_imp.cpp
+++ b/xfa/fxfa/parser/xfa_basic_imp.cpp
@@ -557,9 +557,10 @@ int32_t CXFA_WideTextRead::ReadString(FX_WCHAR* pStr,
int32_t iMaxLength,
FX_BOOL& bEOS,
int32_t const* pByteSize) {
- if (iMaxLength > m_wsBuffer.GetLength() - m_iPosition) {
- iMaxLength = m_wsBuffer.GetLength() - m_iPosition;
- }
+ iMaxLength = std::min(iMaxLength, m_wsBuffer.GetLength() - m_iPosition);
+ if (iMaxLength == 0)
+ return 0;
+
FXSYS_wcsncpy(pStr, m_wsBuffer.c_str() + m_iPosition, iMaxLength);
m_iPosition += iMaxLength;
bEOS = IsEOF();
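Review bot: The new early return `if (iMaxLength == 0) return 0;` skips the `bEOS = IsEOF();` assignment three lines below it, so a read issued once m_iPosition has reached the end of the buffer now returns 0 while leaving the caller's `bEOS` out-parameter untouched, whereas the removed code fell through and set it; a caller that reads until `bEOS` becomes true can spin on this. The guard should also cover a negative length, which `std::min` yields if m_iPosition is ever past the buffer end and which FXSYS_wcsncpy would receive as a huge unsigned count: `if (iMaxLength <= 0) { bEOS = IsEOF(); return 0; }`. `std::min` also needs `<algorithm>`, and the hunk does not show the include block, so confirm it is already included rather than reached transitively. ReadString's body continues past the end of the hunk.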