// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
#pragma allow_unsafe_buffers
#endif

#include "net/http/http_chunked_decoder.h"

#include <stddef.h>
#include <stdint.h>

#include <algorithm>
#include <vector>

#include "base/containers/to_vector.h"

// Entry point for LibFuzzer.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data_ptr, size_t size) {
  // SAFETY: libfuzzer provides a valid pointer and size pair.
  auto data = UNSAFE_BUFFERS(base::span(data_ptr, size));
  net::HttpChunkedDecoder decoder;

  // Feed data to decoder.FilterBuf() by blocks of "random" size.
  size_t block_size = 0;
  for (size_t offset = 0; offset < size; offset += block_size) {
    // Since there is no input for block_size values, but it should be strictly
    // determined, let's calculate these values using a couple of data bytes.
    uint8_t temp_block_size = data[offset] ^ data[size - offset - 1];

    // Let temp_block_size be in range from 0 to 0x3F (0b00111111).
    temp_block_size &= 0x3F;

    // XOR with previous block size to get different values for different data.
    block_size ^= temp_block_size;

    // Prevent infinite loop if block_size == 0.
    block_size = std::max(block_size, static_cast<size_t>(1));

    // Prevent out-of-bounds access.
    block_size = std::min(block_size, size - offset);

    // Create new buffer with current block of data and feed it to the decoder.
    std::vector<uint8_t> buffer =
        base::ToVector(data.subspan(offset, block_size));
    int result = decoder.FilterBuf(buffer);
    if (result < 0)
      return 0;
  }

  return 0;
}