| // Copyright 2021 The PDFium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include <fuzzer/FuzzedDataProvider.h> |
| |
| #include <string> |
| #include <vector> |
| |
| #include "core/fxcrt/containers/adapters.h" |
| #include "public/fpdf_formfill.h" |
| #include "testing/fuzzers/pdf_fuzzer_templates.h" |
| #include "testing/fuzzers/pdfium_fuzzer_helper.h" |
| |
| class PDFiumXFAFuzzer : public PDFiumFuzzerHelper { |
| public: |
| PDFiumXFAFuzzer() = default; |
| ~PDFiumXFAFuzzer() override = default; |
| |
| int GetFormCallbackVersion() const override { return 2; } |
| |
| void SetFdp(FuzzedDataProvider* fdp) { fdp_ = fdp; } |
| |
| // Return false if XFA doesn't load as otherwise we're duplicating the work |
| // done by the non-xfa fuzzer. |
| bool OnFormFillEnvLoaded(FPDF_DOCUMENT doc) override { |
| int form_type = FPDF_GetFormType(doc); |
| if (form_type != FORMTYPE_XFA_FULL && form_type != FORMTYPE_XFA_FOREGROUND) |
| return false; |
| return FPDF_LoadXFA(doc); |
| } |
| |
| void FormActionHandler(FPDF_FORMHANDLE form, |
| FPDF_DOCUMENT doc, |
| FPDF_PAGE page) override { |
| if (!fdp_) { |
| return; |
| } |
| char local_buf[50]; |
| int number_of_calls = fdp_->ConsumeIntegralInRange<int>(0, 250); |
| for (int i = 0; i < number_of_calls; i++) { |
| UserInteraction selector = fdp_->ConsumeEnum<UserInteraction>(); |
| switch (selector) { |
| case kOnLButtonUp: { |
| FORM_OnLButtonUp(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegralInRange<int>(-100, 1000), |
| fdp_->ConsumeIntegralInRange<int>(-100, 1000)); |
| break; |
| } |
| case kOnRButtonUp: { |
| FORM_OnRButtonUp(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegralInRange<int>(-100, 1000), |
| fdp_->ConsumeIntegralInRange<int>(-100, 1000)); |
| break; |
| } |
| case kOnLButtonDown: { |
| FORM_OnLButtonDown(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegralInRange<int>(-100, 1000), |
| fdp_->ConsumeIntegralInRange<int>(-100, 1000)); |
| break; |
| } |
| case kOnRButtonDown: { |
| FORM_OnRButtonDown(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegralInRange<int>(-100, 1000), |
| fdp_->ConsumeIntegralInRange<int>(-100, 1000)); |
| break; |
| } |
| case kOnChar: { |
| FORM_OnChar(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>()); |
| break; |
| } |
| case kOnKeyDown: { |
| FORM_OnKeyDown(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>()); |
| break; |
| } |
| case kOnKeyUp: { |
| FORM_OnKeyUp(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>()); |
| break; |
| } |
| case kOnLButtonDoubleClick: { |
| FORM_OnLButtonDoubleClick(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>()); |
| break; |
| } |
| case kOnMouseMove: { |
| FORM_OnMouseMove(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>()); |
| break; |
| } |
| case kOnMouseWheel: { |
| const FS_POINTF point = {fdp_->ConsumeFloatingPoint<float>(), |
| fdp_->ConsumeFloatingPoint<float>()}; |
| FORM_OnMouseWheel(form, page, fdp_->ConsumeIntegral<int>(), &point, |
| fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>()); |
| break; |
| } |
| case kOnFocus: { |
| FORM_OnFocus(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>()); |
| break; |
| } |
| case kUndo: { |
| if (FORM_CanUndo(form, page)) { |
| FORM_Undo(form, page); |
| } |
| break; |
| } |
| case kSelectAllText: { |
| FORM_SelectAllText(form, page); |
| break; |
| } |
| case kRedo: { |
| if (FORM_CanRedo(form, page)) { |
| FORM_Redo(form, page); |
| } |
| break; |
| } |
| case kAnnot: { |
| FPDF_ANNOTATION annot = nullptr; |
| int page_index = -2; |
| FORM_GetFocusedAnnot(form, &page_index, &annot); |
| if (annot) { |
| FORM_SetFocusedAnnot(form, annot); |
| } |
| break; |
| } |
| case kSetIndexSelected: { |
| FORM_SetIndexSelected(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeBool()); |
| break; |
| } |
| case kIsIndexSelected: { |
| FORM_IsIndexSelected(form, page, fdp_->ConsumeIntegral<int>()); |
| break; |
| } |
| case kHasFormFieldAtPoint: { |
| FPDFPage_HasFormFieldAtPoint(form, page, fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>()); |
| break; |
| } |
| case kFormFieldZOrderAtPoint: { |
| FPDFPage_FormFieldZOrderAtPoint(form, page, |
| fdp_->ConsumeIntegral<int>(), |
| fdp_->ConsumeIntegral<int>()); |
| break; |
| } |
| case kGetSelectedText: { |
| FORM_GetSelectedText(form, page, local_buf, sizeof(local_buf)); |
| break; |
| } |
| case kGetFocusedText: { |
| FORM_GetFocusedText(form, page, local_buf, sizeof(local_buf)); |
| break; |
| } |
| } |
| } |
| } |
| |
| private: |
| enum UserInteraction { |
| kOnLButtonUp = 0, |
| kOnRButtonUp, |
| kOnLButtonDown, |
| kOnRButtonDown, |
| kOnChar, |
| kOnKeyDown, |
| kOnKeyUp, |
| kOnLButtonDoubleClick, |
| kOnMouseMove, |
| kOnMouseWheel, |
| kOnFocus, |
| kUndo, |
| kSelectAllText, |
| kRedo, |
| kAnnot, |
| kSetIndexSelected, |
| kIsIndexSelected, |
| kHasFormFieldAtPoint, |
| kFormFieldZOrderAtPoint, |
| kGetSelectedText, |
| kGetFocusedText, |
| kMaxValue = kGetFocusedText |
| }; |
| FuzzedDataProvider* fdp_ = nullptr; |
| }; |
| |
| // Possible names of an XFA FormCalc script function |
| std::string GenXfaFormCalcScriptFuncName(FuzzedDataProvider* data_provider) { |
| static const char* const kXfaScriptFuncs[] = { |
| "Abs", "Apr", "At", "Avg", "Ceil", |
| "Choose", "Concat", "Count", "Cterm", "Date", |
| "Date2Num", "DateFmt", "Decode", "Encode", "Eval", |
| "Exists", "Floor", "Format", "FV", "Get", |
| "HasValue", "If", "Ipmt", "IsoDate2Num", "IsoTime2Num", |
| "Left", "Len", "LocalDateFmt", "LocalTimeFmt", "Lower", |
| "Ltrim", "Max", "Min", "Mod", "NPV", |
| "Num2Date", "Num2GMTime", "Num2Time", "Oneof", "Parse", |
| "Pmt", "Post", "PPmt", "Put", "PV", |
| "Rate", "Ref", "Replace", "Right", "Round", |
| "Rtrim", "Space", "Str", "Stuff", "Substr", |
| "Sum", "Term", "Time", "Time2Num", "TimeFmt", |
| "Translate", "UnitType", "UnitValue", "Upper", "Uuid", |
| "Within", "WordNum", |
| }; |
| |
| size_t elem_selector = data_provider->ConsumeIntegralInRange<size_t>( |
| 0, std::size(kXfaScriptFuncs) - 1); |
| return kXfaScriptFuncs[elem_selector]; |
| } |
| |
| std::string MaybeQuote(FuzzedDataProvider* data_provider, std::string body) { |
| if (data_provider->ConsumeIntegralInRange<uint32_t>(0, 100) < 20) { |
| return "\"" + body + "\""; |
| } |
| return body; |
| } |
| |
| // Possible arguments to a XFA script function |
| std::string GenXfaScriptParam(FuzzedDataProvider* data_provider) { |
| static const char* const kXfaFuncParams[] = { |
| "$", |
| "-0", |
| "04/13/2019", |
| ".05", |
| "-1", |
| "1", |
| " 1 | 0", |
| "10 * 10 * 10 * 9 * 123", |
| "1024", |
| "10 * a + 9", |
| "1.2131", |
| "[1,2,3]", |
| "%123", |
| "[1,2,3][0]", |
| "123124", |
| "123342123", |
| "13:13:13", |
| "13:13:13 GMT", |
| "19960315T20:20:20", |
| "1 and 1", |
| "1 and 2", |
| "2", |
| "20000201", |
| "2009-06-01T13:45:30", |
| "2009-06-15T01:45:30", |
| "2009-06-15T13:45:30-07:00", |
| "2009-06-15T13:45:30.5275000", |
| " 2 < 3 + 1", |
| "2 + 3 + 9", |
| "3", |
| "3 * 1", |
| "3 -9", |
| "5 < 5", |
| "-99", |
| "99", |
| "9999999", |
| "99999999999", |
| "A", |
| "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", |
| "\xc3\x81\xc3\x82\xc3\x83\xc3\x84\xc3\x85\xc3\x86", |
| "<a><b></b></a>", |
| "Â", |
| "ÆÁÂÁ", |
| "Amount[*]", |
| "~!@#$%^&*()_+", |
| "&|", |
| "&apos", |
| "apr", |
| "april", |
| "B", |
| "<br>", |
| "C", |
| "de_DE", |
| "es_ES", |
| "feb", |
| "febuary", |
| "HH:MM:SS", |
| "<html>", |
| "html", |
| "HTML", |
| "jan", |
| "january", |
| "json", |
| "lkdjfglsdkfgj", |
| "mar", |
| "march", |
| "name[0]", |
| "name1", |
| "name2", |
| "name3", |
| "name4", |
| "name[*].numAmount", |
| """, |
| "Space", |
| "Str", |
| "url", |
| "xhtml", |
| "xml", |
| "XML"", |
| }; |
| |
| size_t elem_selector = data_provider->ConsumeIntegralInRange<size_t>( |
| 0, std::size(kXfaFuncParams) - 1); |
| return MaybeQuote(data_provider, kXfaFuncParams[elem_selector]); |
| } |
| |
| // Possible XFA tags |
| std::string GenXfaTag(FuzzedDataProvider* data_provider) { |
| static const char* const kXfaElemTags[] = { |
| "accessibleContent", |
| "acrobat", |
| "acrobat", |
| "acrobat7", |
| "ADBE_JSConsole", |
| "ADBE_JSDebugger", |
| "addSilentPrint", |
| "addViewerPreferences", |
| "adjustData", |
| "adobeExtensionLevel", |
| "agent", |
| "alwaysEmbed", |
| "amd", |
| "appearanceFilter", |
| "arc", |
| "area", |
| "assist", |
| "attributes", |
| "autoSave", |
| "barcode", |
| "base", |
| "batchOutput", |
| "behaviorOverride", |
| "bind", |
| "bindItems", |
| "bookend", |
| "boolean", |
| "border", |
| "break", |
| "breakAfter", |
| "breakBefore", |
| "button", |
| "cache", |
| "calculate", |
| "calendarSymbols", |
| "caption", |
| "certificate", |
| "certificates", |
| "change", |
| "checkButton", |
| "choiceList", |
| "color", |
| "comb", |
| "command", |
| "common", |
| "compress", |
| "compression", |
| "compressLogicalStructure", |
| "compressObjectStream", |
| "config", |
| "config", |
| "conformance", |
| "connect", |
| "connectionSet", |
| "connectString", |
| "contentArea", |
| "contentCopy", |
| "copies", |
| "corner", |
| "creator", |
| "currencySymbol", |
| "currencySymbols", |
| "currentPage", |
| "data", |
| "dataGroup", |
| "dataModel", |
| "dataValue", |
| "dataWindow", |
| "date", |
| "datePattern", |
| "datePatterns", |
| "dateTime", |
| "dateTimeEdit", |
| "dateTimeSymbols", |
| "day", |
| "dayNames", |
| "debug", |
| "decimal", |
| "defaultTypeface", |
| "defaultUi", |
| "delete", |
| "delta", |
| "deltas", |
| "desc", |
| "destination", |
| "digestMethod", |
| "digestMethods", |
| "documentAssembly", |
| "draw", |
| "driver", |
| "dSigData", |
| "duplexOption", |
| "dynamicRender", |
| "edge", |
| "effectiveInputPolicy", |
| "effectiveOutputPolicy", |
| "embed", |
| "encoding", |
| "encodings", |
| "encrypt", |
| "encryption", |
| "encryptionLevel", |
| "encryptionMethod", |
| "encryptionMethods", |
| "enforce", |
| "equate", |
| "equateRange", |
| "era", |
| "eraNames", |
| "event", |
| "eventPseudoModel", |
| "exclGroup", |
| "exclude", |
| "excludeNS", |
| "exData", |
| "execute", |
| "exObject", |
| "extras", |
| "field", |
| "fill", |
| "filter", |
| "flipLabel", |
| "float", |
| "font", |
| "fontInfo", |
| "form", |
| "format", |
| "formFieldFilling", |
| "groupParent", |
| "handler", |
| "hostPseudoModel", |
| "hyphenation", |
| "ifEmpty", |
| "image", |
| "imageEdit", |
| "includeXDPContent", |
| "incrementalLoad", |
| "incrementalMerge", |
| "insert", |
| "instanceManager", |
| "integer", |
| "interactive", |
| "issuers", |
| "items", |
| "jog", |
| "keep", |
| "keyUsage", |
| "labelPrinter", |
| "layout", |
| "layoutPseudoModel", |
| "level", |
| "line", |
| "linear", |
| "linearized", |
| "list", |
| "locale", |
| "localeSet", |
| "lockDocument", |
| "log", |
| "logPseudoModel", |
| "manifest", |
| "map", |
| "margin", |
| "mdp", |
| "medium", |
| "mediumInfo", |
| "meridiem", |
| "meridiemNames", |
| "message", |
| "messaging", |
| "mode", |
| "modifyAnnots", |
| "month", |
| "monthNames", |
| "msgId", |
| "nameAttr", |
| "neverEmbed", |
| "numberOfCopies", |
| "numberPattern", |
| "numberPatterns", |
| "numberSymbol", |
| "numberSymbols", |
| "numericEdit", |
| "object", |
| "occur", |
| "oid", |
| "oids", |
| "openAction", |
| "operation", |
| "output", |
| "outputBin", |
| "outputXSL", |
| "overflow", |
| "overprint", |
| "packet", |
| "packets", |
| "pageArea", |
| "pageOffset", |
| "pageRange", |
| "pageSet", |
| "pagination", |
| "paginationOverride", |
| "para", |
| "part", |
| "password", |
| "passwordEdit", |
| "pattern", |
| "pcl", |
| "pdf", |
| "pdfa", |
| "permissions", |
| "pickTrayByPDFSize", |
| "picture", |
| "plaintextMetadata", |
| "presence", |
| "present", |
| "present", |
| "print", |
| "printerName", |
| "printHighQuality", |
| "printScaling", |
| "producer", |
| "proto", |
| "ps", |
| "psMap", |
| "query", |
| "radial", |
| "range", |
| "reason", |
| "reasons", |
| "record", |
| "recordSet", |
| "rectangle", |
| "ref", |
| "relevant", |
| "rename", |
| "renderPolicy", |
| "rootElement", |
| "runScripts", |
| "script", |
| "scriptModel", |
| "select", |
| "setProperty", |
| "severity", |
| "signature", |
| "signatureProperties", |
| "signaturePseudoModel", |
| "signData", |
| "signing", |
| "silentPrint", |
| "soapAction", |
| "soapAddress", |
| "solid", |
| "source", |
| "sourceSet", |
| "speak", |
| "staple", |
| "startNode", |
| "startPage", |
| "stipple", |
| "subform", |
| "subform", |
| "subformSet", |
| "subjectDN", |
| "subjectDNs", |
| "submit", |
| "submitFormat", |
| "submitUrl", |
| "subsetBelow", |
| "suppressBanner", |
| "tagged", |
| "template", |
| "template", |
| "templateCache", |
| "#text", |
| "text", |
| "textedit", |
| "textEdit", |
| "threshold", |
| "time", |
| "timePattern", |
| "timePatterns", |
| "timeStamp", |
| "to", |
| "toolTip", |
| "trace", |
| "transform", |
| "traversal", |
| "traverse", |
| "treeList", |
| "type", |
| "typeface", |
| "typefaces", |
| "ui", |
| "update", |
| "uri", |
| "user", |
| "validate", |
| "validate", |
| "validateApprovalSignatures", |
| "validationMessaging", |
| "value", |
| "variables", |
| "version", |
| "versionControl", |
| "viewerPreferences", |
| "webClient", |
| "whitespace", |
| "window", |
| "wsdlAddress", |
| "wsdlConnection", |
| "xdc", |
| "xdp", |
| "xfa", |
| "#xHTML", |
| "#xml", |
| "xmlConnection", |
| "xsdConnection", |
| "xsl", |
| "zpl", |
| }; |
| |
| size_t elem_selector = data_provider->ConsumeIntegralInRange<size_t>( |
| 0, std::size(kXfaElemTags) - 1); |
| return kXfaElemTags[elem_selector]; |
| } |
| |
| // Possible XFA attributes values |
| std::string GenXfaTagValue(FuzzedDataProvider* data_provider) { |
| static const char* const kXfaTagVals[] = { |
| "0", "0pt", "-1", |
| "123", "1pt", "203.2mm", |
| "22.1404mm", "255", "256", |
| "321", "5431.21mm", "6.35mm", |
| "8in", "8pt", "application/x-javascript", |
| "bold", "bold", "change", |
| "click", "consumeData", "docReady", |
| "en_US", "form1", "initialize", |
| "italic", "middle", "name2", |
| "name3", "name4", "name5", |
| "onEnter", "Page1", "RadioList[0]", |
| "subform_1", "tb", "Verdana", |
| }; |
| |
| size_t elem_selector = data_provider->ConsumeIntegralInRange<size_t>( |
| 0, std::size(kXfaTagVals) - 1); |
| return MaybeQuote(data_provider, kXfaTagVals[elem_selector]); |
| } |
| |
| // possible XFA attributes |
| std::string GenXfaTagName(FuzzedDataProvider* data_provider) { |
| static const char* const kXfaTagNames[] = { |
| "activity", "baselineShift", |
| "contentType", "h", |
| "id", "layout", |
| "layout", "leftInset", |
| "locale", "long", |
| "marginLeft", "marginRight", |
| "marginRight", "mergeMode", |
| "name", "ref", |
| "scriptTest", "short", |
| "size", "spaceAbove", |
| "spaceBelow", "startNew", |
| "stock", "textIndent", |
| "timeStamp", "typeface", |
| "uuid", "vAlign", |
| "value", "w", |
| "weight", "x", |
| "y", |
| }; |
| size_t elem_selector = data_provider->ConsumeIntegralInRange<size_t>( |
| 0, std::size(kXfaTagNames) - 1); |
| return kXfaTagNames[elem_selector]; |
| } |
| |
| // Will create a simple XFA FormCalc script that calls a single function. |
| std::string GenXfaFormCalcScript(FuzzedDataProvider* data_provider) { |
| std::string xfa_string = GenXfaFormCalcScriptFuncName(data_provider); |
| xfa_string += "("; |
| |
| // Generate parameters |
| size_t num_params = data_provider->ConsumeIntegralInRange<size_t>(0, 3); |
| for (size_t i = 0; i < num_params; i++) { |
| if (i != 0) { |
| xfa_string += ","; |
| } |
| xfa_string += GenXfaScriptParam(data_provider); |
| } |
| xfa_string += ")"; |
| return xfa_string; |
| } |
| |
| // XFA Javascript logic |
| std::string GenXfaName(FuzzedDataProvider* data_provider) { |
| return "name" + std::to_string(data_provider->ConsumeIntegralInRange(0, 25)); |
| } |
| |
| std::string GetXfaJSPrimitiveType(FuzzedDataProvider* data_provider) { |
| return GenXfaScriptParam(data_provider); |
| } |
| |
| std::string GenXfaJSRValue(FuzzedDataProvider* data_provider) { |
| if (data_provider->ConsumeBool()) { |
| return GenXfaScriptParam(data_provider); |
| } |
| |
| std::string xfa_string; |
| if (data_provider->ConsumeBool()) { |
| xfa_string += "xfa.form."; |
| } |
| |
| // Handle the possibility of nested names |
| size_t num_nests = data_provider->ConsumeIntegralInRange<size_t>(1, 3); |
| for (size_t i = 0; i < num_nests; i++) { |
| if (i != 0) { |
| xfa_string += "."; |
| } |
| xfa_string += GenXfaName(data_provider); |
| } |
| return MaybeQuote(data_provider, xfa_string); |
| } |
| |
| std::string GenXfaJSAssignment(FuzzedDataProvider* data_provider) { |
| return GenXfaName(data_provider) + " = " + GenXfaJSRValue(data_provider); |
| } |
| |
| std::string GenXfaJSMethodCall(FuzzedDataProvider* data_provider) { |
| static const char* const kXfaJSFuncs[] = { |
| "addItem", |
| "boundItem", |
| "clearItems", |
| "deleteItem", |
| "execCalculate", |
| "execEvent", |
| "execInitialize", |
| "execValidate", |
| "getDisplayItem", |
| "getItemState", |
| "getSaveItem", |
| "exec.form.formNodes", |
| "exec.form.recalculate", |
| "setItemState", |
| "xfa.container.getDelta", |
| "xfa.container.getDeltas", |
| "xfa.event.emit", |
| "xfa.event.reset", |
| "xfa.form.execCalculat", |
| "xfa.form.execInitialize", |
| "xfa.form.execValidate", |
| "xfa.form.remerge", |
| "xfa.host.beep", |
| "xfa.host.documentCountInBatch", |
| "xfa.host.documentInBatch", |
| "xfa.host.exportData", |
| "xfa.host.getFocus", |
| "xfa.host.gotoURL", |
| "xfa.host.importData", |
| "xfa.host.messageBox", |
| "xfa.host.openList", |
| "xfa.host.pageDown", |
| "xfa.host.pageUp", |
| "xfa.host.print", |
| "xfa.host.resetData", |
| "xfa.host.setFocus", |
| "xfa.host.response", |
| "xfa.resolveNode", |
| }; |
| |
| std::string xfa_string = data_provider->PickValueInArray(kXfaJSFuncs); |
| xfa_string += "("; |
| |
| // Get the params |
| size_t param_count = data_provider->ConsumeIntegralInRange<size_t>(0, 3); |
| for (size_t i = 0; i < param_count; i++) { |
| if (i != 0) { |
| xfa_string += ","; |
| } |
| xfa_string += GenXfaJSRValue(data_provider); |
| } |
| xfa_string += ")"; |
| return xfa_string; |
| } |
| |
| // This is a simple generator of xfa-based javascript. The function creates |
| // simple javascript statements that are related to XFA logic and the goal is |
| // not to create fully-fleged javascript programs but rather use simple |
| // statements to ensure XFA code is covered. |
| enum XFAJSStatement { |
| kAssignment = 0, |
| kJSMethodCall, |
| kJSObjectCall, |
| kMaxValue = kJSObjectCall |
| }; |
| |
| std::string GenXfaJSScript(FuzzedDataProvider* data_provider) { |
| std::string xfa_string; |
| |
| size_t num_stmts = data_provider->ConsumeIntegralInRange<size_t>(1, 10); |
| for (size_t i = 0; i < num_stmts; i++) { |
| XFAJSStatement stmt = data_provider->ConsumeEnum<XFAJSStatement>(); |
| switch (stmt) { |
| case kAssignment: |
| xfa_string += GenXfaJSAssignment(data_provider); |
| break; |
| case kJSMethodCall: |
| xfa_string += GenXfaJSMethodCall(data_provider); |
| break; |
| case kJSObjectCall: |
| xfa_string += GenXfaName(data_provider); |
| xfa_string += "."; |
| xfa_string += GenXfaJSMethodCall(data_provider); |
| break; |
| } |
| xfa_string += ";\n"; |
| } |
| return xfa_string; |
| } |
| |
| std::string GenXfacript(FuzzedDataProvider* data_provider) { |
| // Determine if this should be a FormCalc script or Javascript, 50/50 chance |
| // for each. |
| if (data_provider->ConsumeBool()) { |
| return GenXfaFormCalcScript(data_provider); |
| } |
| return GenXfaJSScript(data_provider); |
| } |
| |
| // Will create a single XFA attributes, with both lhs and rhs. |
| std::string getXfaElemAttributes(FuzzedDataProvider* data_provider) { |
| // Generate a set of tags, and a set of values for the tags. |
| return GenXfaTagName(data_provider) + "=" + GenXfaTagValue(data_provider); |
| } |
| |
| // Creates an XFA structure wrapped in <xdp tags. |
| std::string GenXfaTree(FuzzedDataProvider* data_provider) { |
| std::string xfa_string = "<xdp xmlns=\"http://ns.adobe.com/xdp/\">"; |
| |
| // One stack iteration |
| int stack_iterations = data_provider->ConsumeIntegralInRange(1, 3); |
| for (int si = 0; si < stack_iterations; si++) { |
| int elem_count = data_provider->ConsumeIntegralInRange(1, 6); |
| std::vector<std::string> xml_stack; |
| xml_stack.reserve(elem_count); |
| for (int i = 0; i < elem_count; i++) { |
| std::string tag = GenXfaTag(data_provider); |
| xfa_string += "<" + tag; |
| |
| // in 30% of cases, add attributes |
| if (data_provider->ConsumeIntegralInRange(1, 100) > 70) { |
| size_t attribute_count = data_provider->ConsumeIntegralInRange(1, 5); |
| for (; 0 < attribute_count; attribute_count--) { |
| xfa_string += " " + getXfaElemAttributes(data_provider); |
| } |
| } |
| xfa_string += ">"; |
| |
| // If needed, add a body to the tag |
| if (tag == "script") { |
| xfa_string += GenXfacript(data_provider); |
| } |
| |
| // Push the tag to the stack so we can close it when done |
| xml_stack.push_back(tag); |
| } |
| for (const std::string& tag : pdfium::Reversed(xml_stack)) { |
| xfa_string += "</" + tag + ">"; |
| } |
| } |
| xfa_string += "</xdp>"; |
| return xfa_string; |
| } |
| |
| extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
| FuzzedDataProvider data_provider(data, size); |
| std::string xfa_string = GenXfaTree(&data_provider); |
| |
| // Add 1 for newline before endstream. |
| std::string xfa_stream_len = std::to_string(xfa_string.size() + 1); |
| |
| // Compose the fuzzer |
| std::string xfa_final_str = std::string(kSimplePdfTemplate); |
| xfa_final_str.replace(xfa_final_str.find("$1"), 2, xfa_stream_len); |
| xfa_final_str.replace(xfa_final_str.find("$2"), 2, xfa_string); |
| |
| #ifdef PDFIUM_FUZZER_DUMP |
| for (size_t i = 0; i < xfa_final_str.size(); i++) { |
| putc(xfa_final_str[i], stdout); |
| } |
| #endif |
| |
| PDFiumXFAFuzzer fuzzer; |
| fuzzer.SetFdp(&data_provider); |
| fuzzer.RenderPdf(xfa_final_str.c_str(), xfa_final_str.size()); |
| return 0; |
| } |