// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "base/test/fuzzed_data_provider.h"

#include <algorithm>
#include <limits>

#include "base/logging.h"

namespace base {

FuzzedDataProvider::FuzzedDataProvider(const uint8_t* data, size_t size)
    : remaining_data_(reinterpret_cast<const char*>(data), size) {}

FuzzedDataProvider::~FuzzedDataProvider() = default;

std::string FuzzedDataProvider::ConsumeBytes(size_t num_bytes) {
  num_bytes = std::min(num_bytes, remaining_data_.length());
  StringPiece result(remaining_data_.data(), num_bytes);
  remaining_data_ = remaining_data_.substr(num_bytes);
  return result.as_string();
}

std::string FuzzedDataProvider::ConsumeRemainingBytes() {
  return ConsumeBytes(remaining_data_.length());
}

uint32_t FuzzedDataProvider::ConsumeUint32InRange(uint32_t min, uint32_t max) {
  CHECK_LE(min, max);

  uint32_t range = max - min;
  uint32_t offset = 0;
  uint32_t result = 0;

  while (offset < 32 && (range >> offset) > 0 && !remaining_data_.empty()) {
    // Pull bytes off the end of the seed data. Experimentally, this seems to
    // allow the fuzzer to more easily explore the input space. This makes
    // sense, since it works by modifying inputs that caused new code to run,
    // and this data is often used to encode length of data read by
    // ConsumeBytes. Separating out read lengths makes it easier modify the
    // contents of the data that is actually read.
    uint8_t next_byte = remaining_data_.back();
    remaining_data_.remove_suffix(1);
    result = (result << 8) | next_byte;
    offset += 8;
  }

  // Avoid division by 0, in the case |range + 1| results in overflow.
  if (range == std::numeric_limits<uint32_t>::max())
    return result;

  return min + result % (range + 1);
}

std::string FuzzedDataProvider::ConsumeRandomLengthString(size_t max_length) {
  // Reads bytes from start of |remaining_data_|. Maps "\\" to "\", and maps "\"
  // followed by anything else to the end of the string. As a result of this
  // logic, a fuzzer can insert characters into the string, and the string will
  // be lengthened to include those new characters, resulting in a more stable
  // fuzzer than picking the length of a string independently from picking its
  // contents.
  std::string out;
  for (size_t i = 0; i < max_length && !remaining_data_.empty(); ++i) {
    char next = remaining_data_[0];
    remaining_data_.remove_prefix(1);
    if (next == '\\' && !remaining_data_.empty()) {
      next = remaining_data_[0];
      remaining_data_.remove_prefix(1);
      if (next != '\\')
        return out;
    }
    out += next;
  }
  return out;
}

int FuzzedDataProvider::ConsumeInt32InRange(int min, int max) {
  CHECK_LE(min, max);

  uint32_t range = max - min;
  return min + ConsumeUint32InRange(0, range);
}

bool FuzzedDataProvider::ConsumeBool() {
  return (ConsumeUint8() & 0x01) == 0x01;
}

uint8_t FuzzedDataProvider::ConsumeUint8() {
  return ConsumeUint32InRange(0, 0xFF);
}

uint16_t FuzzedDataProvider::ConsumeUint16() {
  return ConsumeUint32InRange(0, 0xFFFF);
}

}  // namespace base