Issue 598397

Issue metadata

Status: Fixed
Closed: Mar 2016
Pri: 3
Type: Bug


Rework net/base/sniff_mime_type_fuzzer.cc

Reported by mmenke@chromium.org (Project Member), Mar 28 2016

Issue description

It uses a fixed URL and assumes there's no content-type header. Both the extension of the URL and the content-type header affect which branches we take through the fuzzer, so they should be fuzzed as well.

It's a bit unfortunate that this means we'll have to pass a fuzzed string through GURL's constructor, since that bloats up what the fuzzer considers the search space.
Comment 1 by eroman@chromium.org, Mar 28 2016

Cc: mmoroz@chromium.org
Yeah good point Matt!

Looking through the current implementation of SniffMimeType (and it has been static for a while), the interesting cases are covered by:

-------------
URL
-------------

*.crx
NOT *.crx

-------------
Type hint
-------------

<Empty String>
text/xml
text/plain
application/octet-stream
application/msword
application/unknown
This seems like few enough permutations that it could be covered by just inlining those 12 cases directly. Or generating them from the first byte.

I agree that fuzzing the full URL seems like overkill since the only codepath that at first glance makes a difference is whether it ends in *.crx. So at most generating 4 or 5 characters for the URL suffix should get us all the good stuff.
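The selector-byte layout eroman suggests, written out as an added example. This is not the Chromium fuzzer from the revision below, and `StandInSniff` is an assumed stand-in that models only two rules of the real sniffer (the "Cr24" magic that applies to `.crx` URLs, and the binary-byte check for a `text/plain` hint) so the harness compiles and runs on its own; the `example.test` URLs are constructed. The first input byte picks one of the 2 × 6 = 12 (URL, type hint) combinations from the table above, and the remaining bytes become the content, so the URL never enters the fuzzed search space.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// The six type hints from the comment's table; the selector byte indexes it.
static const char* const kTypeHints[] = {
    "",  // <Empty String>
    "text/xml",
    "text/plain",
    "application/octet-stream",
    "application/msword",
    "application/unknown"};
static const size_t kNumTypeHints = sizeof(kTypeHints) / sizeof(kTypeHints[0]);

// One decoded fuzzer input: two URL variants times six hints give the 12
// combinations from the comment, plus the body to sniff.
struct FuzzCase {
  bool is_crx = false;      // URL ends in ".crx" or not
  size_t hint_index = 0;    // index into kTypeHints
  std::string url;          // constructed example.test URL (assumption)
  std::string type_hint;
  std::string content;      // the remaining bytes, passed through untouched
};

// Derive URL variant and type hint from the first byte, hand the rest to the
// sniffer as content. Returns false when there is no selector byte at all.
bool DecodeFuzzCase(const uint8_t* data, size_t size, FuzzCase* out) {
  if (size < 1) return false;
  uint8_t selector = data[0];
  out->is_crx = (selector & 1) != 0;                  // low bit: .crx or not
  out->hint_index = (selector >> 1) % kNumTypeHints;  // other bits: the hint
  out->url = out->is_crx ? "http://example.test/pkg.crx"
                         : "http://example.test/pkg.bin";
  out->type_hint = kTypeHints[out->hint_index];
  out->content.assign(reinterpret_cast<const char*>(data + 1), size - 1);
  return true;
}

// Stand-in for the sniffer under test. Assumption: this is NOT Chromium's
// net::SniffMimeType; it models just two of its rules so the harness runs
// stand-alone: the "Cr24" CRX magic, honoured only for .crx URLs, and the
// binary-byte check applied when the hint is text/plain.
std::string StandInSniff(const FuzzCase& c) {
  if (c.is_crx && c.content.compare(0, 4, "Cr24") == 0)
    return "application/x-chrome-extension";
  if (c.type_hint == "text/plain" && c.content.find('\0') != std::string::npos)
    return "application/octet-stream";
  return c.type_hint.empty() ? "text/plain" : c.type_hint;
}

// libFuzzer entry point: decode, sniff, discard the result. Both the URL
// branch and the hint branch are reachable because the selector byte is
// part of the fuzzed input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FuzzCase c;
  if (!DecodeFuzzCase(data, size, &c)) return 0;
  (void)StandInSniff(c);
  return 0;
}

// Harness self-check: count the distinct (URL variant, hint) pairs the 256
// possible selector bytes can produce. Expected to equal 2 * kNumTypeHints.
size_t ReachableCombinations() {
  std::vector<bool> seen(2 * kNumTypeHints, false);
  size_t count = 0;
  for (int s = 0; s < 256; ++s) {
    uint8_t byte = static_cast<uint8_t>(s);
    FuzzCase c;
    DecodeFuzzCase(&byte, 1, &c);
    size_t key = c.hint_index * 2 + (c.is_crx ? 1 : 0);
    if (!seen[key]) {
      seen[key] = true;
      ++count;
    }
  }
  return count;
}
```

`ReachableCombinations()` is the check worth running once when writing a harness like this: if the selector encoding cannot reach all 12 pairs, the fuzzer silently never exercises some branches, which is the same blind spot the bug report describes for the fixed URL.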

Comment 2 by mmenke@chromium.org, Mar 28 2016

I don't think limiting the length really helps us much - there's a ton of logic for escaping / unescaping characters, unicode sequences, query strings, flying goats (I didn't even realize those could appear in URLs, but I bet there's a unicode character for a flying goat emoticon now), etc.

Comment 3 by bugdroid1@chromium.org (Project Member), Mar 28 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5552a6a020ac21565f4a92a36d545e8115c56132

commit 5552a6a020ac21565f4a92a36d545e8115c56132
Author: mmenke <mmenke@chromium.org>
Date: Mon Mar 28 23:11:59 2016

Rework the mime sniffer fuzzer.

In particular, make it fuzz the URL and content-type
header, and make it check the other top level mime
sniffing function.

Also, rename it so it's more clearly associated with
mime_sniffer.h.

BUG= 598397 

Review URL: https://codereview.chromium.org/1834303002

Cr-Commit-Position: refs/heads/master@{#383597}

[modify] https://crrev.com/5552a6a020ac21565f4a92a36d545e8115c56132/net/BUILD.gn
[add] https://crrev.com/5552a6a020ac21565f4a92a36d545e8115c56132/net/base/mime_sniffer_fuzzer.cc
[delete] https://crrev.com/b541cf76bc983ee2d8b1c5c87d43d775303fa856/net/base/sniff_mime_type_fuzzer.cc

Comment 4 by mmenke@chromium.org, Mar 28 2016

Status: Fixed (was: Assigned)