From 5e0b271b69355b5692b6afd1cd2c04d08c3b380c Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Thu, 10 May 2018 21:21:05 +0000
Subject: Fixup ASSERT in Bidi handling; Add bidi fuzzer.
This CL converts several asserts in the FX_Bidi code to continue instead of asserting in the face of unexpected input. A BIDI fuzzer has been added as well.
Bug: chromium:839695
Change-Id: If61f822bde7442c008d50be58f7cecffb6e5d658
Reviewed-on: https://pdfium-review.googlesource.com/32191
Reviewed-by: Lei Zhang
Commit-Queue: dsinclair
---
 testing/libfuzzer/BUILD.gn | 7 +++++++
 testing/libfuzzer/pdf_bidi_fuzzer.cc | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 testing/libfuzzer/pdf_bidi_fuzzer.cc
(limited to 'testing')
diff --git a/testing/libfuzzer/BUILD.gn b/testing/libfuzzer/BUILD.gn
index 2b2c19389b..aeceb259cd 100644
--- a/testing/libfuzzer/BUILD.gn
+++ b/testing/libfuzzer/BUILD.gn
@@ -38,6 +38,7 @@ group("libfuzzer") {
 ]
 if (pdf_enable_xfa) {
 deps += [
+ ":pdf_bidi_fuzzer",
 ":pdf_cfx_barcode_fuzzer",
 ":pdf_codec_jpeg_fuzzer",
 ":pdf_css_fuzzer",
@@ -81,6 +82,12 @@ template("pdfium_fuzzer") {
 }

 if (pdf_enable_xfa) {
+ pdfium_fuzzer("pdf_bidi_fuzzer") {
+ sources = [
+ "pdf_bidi_fuzzer.cc",
+ ]
+ }
+
 pdfium_fuzzer("pdf_cfx_barcode_fuzzer") {
 sources = [
 "pdf_cfx_barcode_fuzzer.cc",
diff --git a/testing/libfuzzer/pdf_bidi_fuzzer.cc b/testing/libfuzzer/pdf_bidi_fuzzer.cc
new file mode 100644
index 0000000000..8e52688a10
--- /dev/null
+++ b/testing/libfuzzer/pdf_bidi_fuzzer.cc
@@ -0,0 +1,36 @@
+// Copyright 2018 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+
+#include "core/fxcrt/fx_bidi.h"
+#include "core/fxcrt/widestring.h"
+#include "core/fxge/cfx_font.h"
+#include "third_party/base/span.h"
+#include "xfa/fgas/font/cfgas_fontmgr.h"
+#include "xfa/fgas/font/cfgas_gefont.h"
+#include "xfa/fgas/layout/cfx_rtfbreak.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ auto fontmgr = pdfium::MakeUnique();
+
+ auto font = pdfium::MakeUnique();
+ font->LoadSubst("Arial", true, 0, FXFONT_FW_NORMAL, 0, 0, 0);
+ assert(font);
+
+ CFX_RTFBreak rtf_break(FX_LAYOUTSTYLE_ExpandTab);
+ rtf_break.SetLineBreakTolerance(1);
+ rtf_break.SetFont(CFGAS_GEFont::LoadFont(std::move(font), fontmgr.get()));
+ rtf_break.SetFontSize(12);
+
+ WideString input =
+ WideString::FromUTF16LE(reinterpret_cast(data),
+ size / sizeof(unsigned short));
+ for (auto& ch : input)
+ rtf_break.AppendChar(ch);
+
+ auto chars = rtf_break.GetCurrentLineForTesting()->m_LineChars;
+ FX_BidiLine(&chars, chars.size());
+ return 0;
+}
-- cgit v1.2.3
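Review bot: `assert(font);` in LLVMFuzzerTestOneInput can never fire, because it runs after `font->LoadSubst(...)` has already dereferenced the pointer and `pdfium::MakeUnique` does not hand back null; under NDEBUG it compiles away entirely. The value that could plausibly be empty is the result of `CFGAS_GEFont::LoadFont(...)`, which goes straight into `SetFont`, though its failure behaviour is not visible in this hunk. I would drop the assert and bail out of the harness instead: `auto gefont = CFGAS_GEFont::LoadFont(std::move(font), fontmgr.get());`, `if (!gefont) return 0;`, `rtf_break.SetFont(gefont);`. That keeps a font-setup failure on the fuzzing host from being reported as a crash in the bidi code the harness is meant to exercise.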