Make SignedExchangeHeader fuzzer use encoded header length

Before this patch, SignedExchangeHeader fuzzer passed the entire input
to the parser. But the seed corpus (htxg files) have 3-byte encoded
length prefix and exchange body.

After this patch, the fuzzer extracts the encoded header length, and
create parser input based on it. This will increase the chance the
CBOR parser gets valid input, so the fuzzer exercises more code.

Bug: 803774
Change-Id: I7334017c4c3e56a95f5699d6c3750eed7e62bc81
Reviewed-on: https://chromium-review.googlesource.com/985336
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#546730}

content/test/fuzzer/signed_exchange_header_fuzzer.cc

@@ -18,7 +18,19 @@ struct IcuEnvironment {
 IcuEnvironment* env = new IcuEnvironment();
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  SignedExchangeHeader::Parse(base::make_span(data, size));
+  if (size < SignedExchangeHeader::kEncodedHeaderLengthInBytes)
+    return 0;
+  auto encoded_length =
+      base::make_span(data, SignedExchangeHeader::kEncodedHeaderLengthInBytes);
+  size_t header_len = SignedExchangeHeader::ParseHeadersLength(encoded_length);
+  data += SignedExchangeHeader::kEncodedHeaderLengthInBytes;
+  size -= SignedExchangeHeader::kEncodedHeaderLengthInBytes;
+
+  // Copy the header into a separate buffer so that out-of-bounds access can be
+  // detected.
+  std::vector<uint8_t> header(data, data + std::min(size, header_len));
+
+  SignedExchangeHeader::Parse(base::make_span(header));
   return 0;
 }