From bca9bc6b92cfdba1118f74c1d1d6fdb1301f5c81 Mon Sep 17 00:00:00 2001 From: Garret Rieger Date: Thu, 6 Feb 2020 13:02:58 -0800 Subject: [PATCH] Add hb-set-fuzzer. It fuzzes all of the hb_set process methods (intersection, subtraction, union, and symmetric difference). --- test/fuzzing/Makefile.am | 11 +++++ test/fuzzing/hb-set-fuzzer.cc | 77 +++++++++++++++++++++++++++++++++++ 2 files changed, 88 insertions(+) create mode 100644 test/fuzzing/hb-set-fuzzer.cc diff --git a/test/fuzzing/Makefile.am b/test/fuzzing/Makefile.am index 5bd2d7e6d..0d19ed000 100644 --- a/test/fuzzing/Makefile.am +++ b/test/fuzzing/Makefile.am @@ -26,6 +26,7 @@ EXTRA_DIST += \ check_PROGRAMS = \ hb-shape-fuzzer \ hb-subset-fuzzer \ + hb-set-fuzzer \ $(NULL) AM_CPPFLAGS = \ @@ -54,6 +55,16 @@ hb_subset_fuzzer_LDADD = \ hb_subset_fuzzer_CPPFLAGS = $(AM_CPPFLAGS) hb_subset_fuzzer_DEPENDENCIES = $(top_builddir)/src/libharfbuzz-subset.la +hb_set_fuzzer_SOURCES = \ + hb-fuzzer.hh \ + hb-set-fuzzer.cc \ + main.cc \ + $(NULL) +hb_set_fuzzer_LDADD = $(top_builddir)/src/libharfbuzz.la +hb_set_fuzzer_CPPFLAGS = $(AM_CPPFLAGS) +hb_set_fuzzer_DEPENDENCIES = $(top_builddir)/src/libharfbuzz.la + + check: EXEEXT="$(EXEEXT)" srcdir="$(srcdir)" builddir="$(builddir)" LIBTOOL="$(LIBTOOL)" $(srcdir)/run-shape-fuzzer-tests.py EXEEXT="$(EXEEXT)" srcdir="$(srcdir)" builddir="$(builddir)" LIBTOOL="$(LIBTOOL)" $(srcdir)/run-subset-fuzzer-tests.py diff --git a/test/fuzzing/hb-set-fuzzer.cc b/test/fuzzing/hb-set-fuzzer.cc new file mode 100644 index 000000000..1f4f61ab0 --- /dev/null +++ b/test/fuzzing/hb-set-fuzzer.cc 
@@ -0,0 +1,77 @@
+#include "hb-fuzzer.hh"
+
+#include
+#include
+#include
+#include
+
+#include "hb.h"
+
+enum set_operation_t : uint8_t
+{
+ INTERSECT,
+ UNION,
+ SUBTRACT,
+ SYMMETRIC_DIFFERENCE
+};
+
+struct instructions_t
+{
+ set_operation_t operation;
+ uint32_t first_set_size;
+};
+
+static hb_set_t* create_set (const uint32_t* value_array, int count)
+{
+ hb_set_t* set = hb_set_create ();
+ for (int i = 0; i < count; i++) {
+ hb_set_add (set, value_array[i]);
+ }
+ return set;
+}
+
+
+extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
+{
+ if (size < sizeof(instructions_t*))
+ return 0;
+
+ const instructions_t* instructions = reinterpret_cast (data);
+ data += sizeof(instructions_t);
+ size -= sizeof(instructions_t);
+
+ const uint32_t* values = reinterpret_cast (data);
+ size = size / sizeof(uint32_t);
+
+ if (size < instructions->first_set_size)
+ return 0;
+
+ hb_set_t* set_a = create_set (values, instructions->first_set_size);
+
+ values += instructions->first_set_size;
+ size -= instructions->first_set_size;
+ hb_set_t* set_b = create_set (values, size);
+
+ switch (instructions->operation)
+ {
+ case INTERSECT:
+ hb_set_intersect (set_a, set_b);
+ break;
+ case UNION:
+ hb_set_union (set_a, set_b);
+ break;
+ case SUBTRACT:
+ hb_set_subtract (set_a, set_b);
+ break;
+ case SYMMETRIC_DIFFERENCE:
+ hb_set_symmetric_difference (set_a, set_b);
+ break;
+ default:
+ break;
+ }
+
+ hb_set_destroy (set_a);
+ hb_set_destroy (set_b);
+
+ return 0;
+}
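Review bot: The length guard at the top of LLVMFuzzerTestOneInput compares `size` with `sizeof(instructions_t*)`, the size of a pointer, rather than with the size of the header struct that is dereferenced right after it. On a target where a pointer is smaller than `instructions_t` (likely any 32-bit build, since the struct holds a `uint32_t` after a one-byte enum), a short input passes the check, `size -= sizeof(instructions_t)` wraps around as `size_t`, and `first_set_size` and the value array are read past the end of the fuzzer's buffer, so the harness itself would produce out-of-bounds reports that are not hb_set bugs. The guard should read `if (size < sizeof (instructions_t)) return 0;`. Separately, `create_set` declares `int count` but is called with a `uint32_t` and a `size_t`; taking `size_t count` (with a `size_t` loop index) would remove the implicit narrowing.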