Add a fuzzer for the feature policy string parser.

Review-Url: https://codereview.chromium.org/2420013004
Cr-Commit-Position: refs/heads/master@{#429705}

testing/libfuzzer/fuzzers/dicts/feature_policy.dict

@@ -0,0 +1,20 @@
+# Copyright 2016 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"\"cookie\""
+"\"domain\""
+"\"docwrite\""
+"\"geolocation\""
+"\"midi\""
+"\"notifications\""
+"\"payment\""
+"\"push\""
+"\"sync-script\""
+"\"sync-xhr\""
+"\"usermedia\""
+"\"vibrate\""
+"\"webrtc\""
+"\"https://example.com/\""
+"*"
+"\"self\""

testing/libfuzzer/fuzzers/feature_policy_corpus/1

@@ -0,0 +1 @@
+Not a JSON literal

testing/libfuzzer/fuzzers/feature_policy_corpus/10

@@ -0,0 +1 @@
+{"vibrate": ["self", "https://example.com/"]},{"vibrate": ["self", "https://example.net/"]}

testing/libfuzzer/fuzzers/feature_policy_corpus/11

@@ -0,0 +1 @@
+{"vibrate": ["self", "https://example.org/"]}

testing/libfuzzer/fuzzers/feature_policy_corpus/12

@@ -0,0 +1 @@
+{"docwrite": ["self", "https://example.org/"]}

testing/libfuzzer/fuzzers/feature_policy_corpus/13

@@ -0,0 +1 @@
+{"vibrate": ["self", "https://example.net/"]}, {"docwrite": ["self"]}

testing/libfuzzer/fuzzers/feature_policy_corpus/14

@@ -0,0 +1 @@
+{"vibrate": ["*"]}, {"docwrite": ["*"]}

testing/libfuzzer/fuzzers/feature_policy_corpus/2

@@ -0,0 +1 @@
+"Not a JSON array"

testing/libfuzzer/fuzzers/feature_policy_corpus/3

@@ -0,0 +1 @@
+{"Also": "Not a JSON array"}

testing/libfuzzer/fuzzers/feature_policy_corpus/4

@@ -0,0 +1 @@
+1.0

testing/libfuzzer/fuzzers/feature_policy_corpus/5

@@ -0,0 +1 @@
+[{"vibrate": ["self"]}]

testing/libfuzzer/fuzzers/feature_policy_corpus/6

@@ -0,0 +1 @@
+{"vibrate": ["https://example.com/"]}

testing/libfuzzer/fuzzers/feature_policy_corpus/7

@@ -0,0 +1 @@
+{"docwrite": []}

testing/libfuzzer/fuzzers/feature_policy_corpus/8

@@ -0,0 +1 @@
+{"docwrite": ["self"]}

testing/libfuzzer/fuzzers/feature_policy_corpus/9

@@ -0,0 +1 @@
+{"vibrate": ["*"]}

third_party/WebKit/Source/platform/BUILD.gn

@@ -1952,6 +1952,19 @@ fuzzer_test("blink_json_parser_fuzzer") {
   dict = "//testing/libfuzzer/fuzzers/dicts/json.dict"
 }
 
+# Fuzzer for blink::FeaturePolicy.
+fuzzer_test("feature_policy_fuzzer") {
+  sources = [
+    "feature_policy/FeaturePolicyFuzzer.cpp",
+  ]
+  deps = [
+    ":blink_fuzzer_test_support",
+    ":platform",
+  ]
+  dict = "//testing/libfuzzer/fuzzers/dicts/feature_policy.dict"
+  seed_corpus = "//testing/libfuzzer/fuzzers/feature_policy_corpus"
+}
+
 # NOTE: These are legacy unit tests and tests that require a Platform
 # object. Do not add more unless the test requires a Platform object.
 # These tests are a part of the webkit_unit_tests binary.

third_party/WebKit/Source/platform/feature_policy/FeaturePolicyFuzzer.cpp

@@ -0,0 +1,29 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "platform/feature_policy/FeaturePolicy.h"
+
+#include "platform/heap/Handle.h"
+#include "platform/testing/BlinkFuzzerTestSupport.h"
+#include "platform/weborigin/SecurityOrigin.h"
+#include "wtf/Vector.h"
+#include "wtf/text/WTFString.h"
+#include <memory>
+#include <stddef.h>
+#include <stdint.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  WTF::Vector<WTF::String> messages;
+  RefPtr<blink::SecurityOrigin> origin =
+      blink::SecurityOrigin::createFromString("https://example.com/");
+  std::unique_ptr<blink::FeaturePolicy> policy =
+      blink::FeaturePolicy::createFromParentPolicy(nullptr, origin);
+  policy->setHeaderPolicy(WTF::String(data, size), messages);
+  return 0;
+}
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
+  blink::InitializeBlinkFuzzTest(argc, argv);
+  return 0;
+}