From 26853181af1b28ba8070b955d90fb7a17fec2713 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Wed, 17 May 2017 17:10:36 -0400
Subject: Add font loading fuzzer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: pdfium:667
Change-Id: Ibef9a2131b97da1a1e6b9469d389aa5fb914c797
Reviewed-on: https://pdfium-review.googlesource.com/5631
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
---
 testing/libfuzzer/BUILD.gn           |  7 +++++++
 testing/libfuzzer/pdf_font_fuzzer.cc | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 testing/libfuzzer/pdf_font_fuzzer.cc

diff --git a/testing/libfuzzer/BUILD.gn b/testing/libfuzzer/BUILD.gn
index b64cc386c3..6e61827fb4 100644
--- a/testing/libfuzzer/BUILD.gn
+++ b/testing/libfuzzer/BUILD.gn
@@ -29,6 +29,7 @@ group("libfuzzer") {
     ":pdf_codec_icc_fuzzer",
     ":pdf_codec_jbig2_fuzzer",
     ":pdf_codec_rle_fuzzer",
+    ":pdf_font_fuzzer",
     ":pdf_hint_table_fuzzer",
     ":pdf_jpx_fuzzer",
     ":pdf_psengine_fuzzer",
@@ -168,6 +169,12 @@ pdfium_fuzzer("pdf_codec_rle_fuzzer") {
   ]
 }
 
+pdfium_fuzzer("pdf_font_fuzzer") {
+  sources = [
+    "pdf_font_fuzzer.cc",
+  ]
+}
+
 pdfium_fuzzer("pdf_hint_table_fuzzer") {
   sources = [
     "pdf_hint_table_fuzzer.cc",
diff --git a/testing/libfuzzer/pdf_font_fuzzer.cc b/testing/libfuzzer/pdf_font_fuzzer.cc
new file mode 100644
index 0000000000..aed66613fa
--- /dev/null
+++ b/testing/libfuzzer/pdf_font_fuzzer.cc
@@ -0,0 +1,33 @@
+// Copyright 2017 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <cstring>
+#include <memory>
+
+#include "public/cpp/fpdf_deleters.h"
+#include "public/fpdf_edit.h"
+#include "public/fpdfview.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size < 2)
+    return 0;
+
+  std::unique_ptr<void, FPDFDocumentDeleter> doc(FPDF_CreateNewDocument());
+  std::unique_ptr<void, FPDFPageDeleter> page(
+      FPDFPage_New(doc.get(), 0, 612, 792));
+  int font_type = data[0];
+  FPDF_BOOL cid = data[1];
+  data += 2;
+  size -= 2;
+  std::unique_ptr<void, FPDFFontDeleter> font(
+      FPDFText_LoadFont(doc.get(), data, size, font_type, cid));
+  if (!font)
+    return 0;
+
+  FPDF_PAGEOBJECT text_object =
+      FPDFPageObj_CreateTextObj(doc.get(), font.get(), 12.0f);
+  FPDFPage_InsertObject(page.get(), text_object);
+  FPDFPage_GenerateContent(page.get());
+  return 0;
+}
-- 
cgit v1.2.3