kc3-lang/libxml2/fuzz/xml.c
-
Show log
Commit
-
Hash : d463733f
Author :
Date : 2024-02-01T19:31:03
fuzz: Reenable malloc failure check when serializing
-
fuzz/xml.c
-
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152
/* * xml.c: a libFuzzer target to test several XML parser interfaces. * * See Copyright for the status of this software. */ #include <libxml/catalog.h> #include <libxml/parser.h> #include <libxml/tree.h> #include <libxml/xmlerror.h> #include <libxml/xmlreader.h> #include <libxml/xmlsave.h> #include "fuzz.h" int LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED, char ***argv ATTRIBUTE_UNUSED) { xmlFuzzMemSetup(); xmlInitParser(); #ifdef LIBXML_CATALOG_ENABLED xmlInitializeCatalog(); xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE); #endif xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc); xmlSetExternalEntityLoader(xmlFuzzEntityLoader); return 0; } int LLVMFuzzerTestOneInput(const char *data, size_t size) { xmlParserCtxtPtr ctxt; xmlDocPtr doc; const char *docBuffer, *docUrl; size_t maxAlloc, docSize; int opts; xmlFuzzDataInit(data, size); opts = (int) xmlFuzzReadInt(4); /* * Disable options that are known to cause timeouts */ opts &= ~XML_PARSE_XINCLUDE & ~XML_PARSE_DTDVALID & ~XML_PARSE_SAX1; maxAlloc = xmlFuzzReadInt(4) % (size + 100); xmlFuzzReadEntities(); docBuffer = xmlFuzzMainEntity(&docSize); docUrl = xmlFuzzMainUrl(); if (docBuffer == NULL) goto exit; /* Pull parser */ xmlFuzzMemSetLimit(maxAlloc); ctxt = xmlNewParserCtxt(); if (ctxt != NULL) { doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts); xmlFuzzCheckMallocFailure("xmlCtxtReadMemory", doc == NULL && ctxt->errNo == XML_ERR_NO_MEMORY); if (doc != NULL) { #ifdef LIBXML_OUTPUT_ENABLED xmlBufferPtr buffer; xmlSaveCtxtPtr save; /* Also test the serializer. */ buffer = xmlBufferCreate(); save = xmlSaveToBuffer(buffer, NULL, 0); if (save != NULL) { int errNo; xmlSaveDoc(save, doc); errNo = xmlSaveFinish(save); xmlFuzzCheckMallocFailure("xmlSaveDoc", errNo == XML_ERR_NO_MEMORY); } xmlBufferFree(buffer); #endif xmlFreeDoc(doc); } xmlFreeParserCtxt(ctxt); } /* Push parser */ #ifdef LIBXML_PUSH_ENABLED { static const size_t maxChunkSize = 128; size_t consumed, chunkSize; xmlFuzzMemSetLimit(maxAlloc); ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl); if (ctxt != NULL) { xmlCtxtUseOptions(ctxt, opts); for (consumed = 0; consumed < docSize; consumed += chunkSize) { chunkSize = docSize - consumed; if (chunkSize > maxChunkSize) chunkSize = maxChunkSize; xmlParseChunk(ctxt, docBuffer + consumed, chunkSize, 0); } xmlParseChunk(ctxt, NULL, 0, 1); xmlFuzzCheckMallocFailure("xmlParseChunk", ctxt->errNo == XML_ERR_NO_MEMORY); xmlFreeDoc(ctxt->myDoc); xmlFreeParserCtxt(ctxt); } } #endif /* Reader */ #ifdef LIBXML_READER_ENABLED { xmlTextReaderPtr reader; const xmlError *error; int j; xmlFuzzMemSetLimit(maxAlloc); reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts); if (reader != NULL) { while (xmlTextReaderRead(reader) == 1) { if (xmlTextReaderNodeType(reader) == XML_ELEMENT_NODE) { int i, n = xmlTextReaderAttributeCount(reader); for (i=0; i<n; i++) { xmlTextReaderMoveToAttributeNo(reader, i); while (xmlTextReaderReadAttributeValue(reader) == 1); } } } for (j = 0; j < 10; j++) xmlTextReaderRead(reader); error = xmlTextReaderGetLastError(reader); xmlFuzzCheckMallocFailure("xmlTextReaderRead", error->code == XML_ERR_NO_MEMORY); xmlFreeTextReader(reader); } } #endif exit: xmlFuzzMemSetLimit(0); xmlFuzzDataCleanup(); xmlResetLastError(); return(0); }