fuzz

Diff

Show log
Commit

Hash : c6c6d8af
Author :
Date : 2024-12-11T16:24:23

fuzz: Mutate fuzz data chunks separately

Implement a custom mutator that takes a list of fixed-size chunks which
are mutated with a given probability. This makes sure that values like
parser options or failure position are mutated regularly even as the
fuzz data grows large. Values can also be adjusted temporarily to make
the fuzzer focus on failure injection, for example.

Thanks to David Kilzer for the idea.

Properties

Git HTTP	https://git.kmx.io/kc3-lang/libxml2.git
Git SSH	git@git.kmx.io:kc3-lang/libxml2.git
Public access ?	public
Description	GNOME libxml2 Upstream GNOME Gitlab Github Fork Github
Users
Tags	v2.9.9-rc2 v2.9.9-rc1 v2.9.9 v2.9.8-rc1 v2.9.8 v2.9.7-rc1 v2.9.7 v2.9.6-rc1 v2.9.6 v2.9.5-rc2 v2.9.5-rc1 v2.9.5 v2.9.4-rc2 v2.9.4-rc1 v2.9.4 v2.9.3 v2.9.2-rc2 v2.9.2-rc1 v2.9.2 v2.9.14 v2.9.13 v2.9.12 v2.9.11 v2.9.10-rc1 v2.9.10 v2.9.1 v2.9.0-rc2 v2.9.0 v2.8.0-rc2 v2.8.0-rc1 v2.8.0 v2.7.8 v2.7.7 v2.7.6 v2.7.5 v2.7.4 v2.15.1 v2.15.0 v2.14.6 v2.14.5 v2.14.4 v2.14.3 v2.14.2 v2.14.1 v2.14.0 v2.13.9 v2.13.8 v2.13.7 v2.13.6 v2.13.5 v2.13.4 v2.13.3 v2.13.2 v2.13.1 v2.13.0 v2.12.9 v2.12.8 v2.12.7 v2.12.6 v2.12.5 v2.12.4 v2.12.3 v2.12.2 v2.12.10 v2.12.1 v2.12.0 v2.11.9 v2.11.8 v2.11.7 v2.11.6 v2.11.5 v2.11.4 v2.11.3 v2.11.2 v2.11.1 v2.11.0 v2.10.4 v2.10.3 v2.10.2 v2.10.1 v2.10.0 help PRE_MUCKUP3 PRE_MUCKUP2 PRE_MUCKUP LIB_XML_1_X LIB_XML_1_8_3 LIB_XML_1_7_3 LIB_XML_1_7_1 LIB_XML_1_7_0 LIB_XML_1_6_2 LIB_XML_1_6_1 LIB_XML_1_4 LIB_XML_1_3 LIB_XML_1_1 LIBXML_TEST_2_0_0 LIBXML_2_6_10 LIBXML_2_5_6 LIBXML_2_5_5 LIBXML_2_5_4 LIBXML_2_5_3 LIBXML_2_5_2 LIBXML_2_5_1 LIBXML_2_4_7 LIBXML_2_4_6 LIBXML_2_4_4 LIBXML_2_4_30 LIBXML_2_4_3 LIBXML_2_4_29 LIBXML_2_4_27 LIBXML_2_4_26 LIBXML_2_4_25 LIBXML_2_4_24 LIBXML_2_4_23 LIBXML_2_4_22 LIBXML_2_4_20 LIBXML_2_4_2 LIBXML_2_4_18 LIBXML_2_4_16 LIBXML_2_4_14 LIBXML_2_4_13 LIBXML_2_4_12 LIBXML_2_4_11 LIBXML_2_4_0 LIBXML_2_3_9 LIBXML_2_3_8 LIBXML_2_3_7 LIBXML_2_3_6 LIBXML_2_3_5 LIBXML_2_3_4 LIBXML_2_3_3 LIBXML_2_3_2 LIBXML_2_3_14 LIBXML_2_3_13 LIBXML_2_3_12 LIBXML_2_3_11 LIBXML_2_3_10 LIBXML_2_3_0 LIBXML_2_2_8 LIBXML_2_2_7 LIBXML_2_2_6 LIBXML_2_2_4 LIBXML_2_2_3 LIBXML_2_2_1 LIBXML_2_1_1 LIBXML_2_1_0 LIBXML_2_0_0 LIBXML_1_8_9 LIBXML_1_8_8 LIBXML_1_8_6 LIBXML_1_8_5 LIBXML_1_8_17 LIBXML_1_8_16 LIBXML_1_8_14 LIBXML_1_8_12 LIBXML_1_8_10_REAL LIBXML_1_8_10 LIBXML_1_5_0 LIBXML_0_99 LIBXML2_6_0 LIBXML2_2_6_9 LIBXML2_2_6_8 LIBXML2_2_6_7 LIBXML2_2_6_6 LIBXML2_2_6_5 LIBXML2_2_6_4 LIBXML2_2_6_3 LIBXML2_2_6_28 LIBXML2_2_6_27 LIBXML2_2_6_26 LIBXML2_2_6_24 LIBXML2_2_6_23 LIBXML2_2_6_22 LIBXML2_2_6_21 LIBXML2_2_6_20 LIBXML2_2_6_2 LIBXML2_2_6_19 LIBXML2_2_6_18 LIBXML2_2_6_16 LIBXML2_2_6_15 LIBXML2_2_6_14 LIBXML2_2_6_13 LIBXML2_2_6_12 LIBXML2_2_6_11 LIBXML2_2_6_1 LIBXML2_2_5_x LIBXML2_2_5_9 LIBXML2_2_5_8 LIBXML2_2_5_7 LIBXML2_2_5_11 LIBXML2_2_5_10 LIBXML2_2_5_0 LIBXML2_2_4_21 LIBXML2.7.3 LIBXML2.7.2 LIBXML2.7.1 LIBXML2.7.0 LIBXML2.6.32 GNUMERIC_FIRST_PUBLIC_RELEASE GNOME_PRINT_0_24 GNOME_0_30 FOR_GNOME_0_99_1 EAZEL-NAUTILUS-MS-AUG07 ChangeLog CVE-2021-3541 CVE-2016-4483 CVE-2016-4449 CVE-2016-3705 CVE-2016-3627 CVE-2016-1840 CVE-2016-1839 CVE-2016-1838 CVE-2016-1837 CVE-2016-1836 CVE-2016-1835 CVE-2016-1834 CVE-2016-1833 CVE-2016-1762 CVE-2015-8317 CVE-2015-8242 CVE-2015-8035 CVE-2015-7942-2 CVE-2015-7942 CVE-2015-7941_2 CVE-2015-7941_1 CVE-2015-7500 CVE-2015-7499-2 CVE-2015-7499-1 CVE-2015-7498 CVE-2015-7497 CVE-2015-5312 CVE-2015-1819 CVE-2014-3660 CVE-2014-0191 CVE-2013-2877

README.md
libFuzzer instructions for libxml2

Set compiler and options. Make sure to enable at least basic optimizations to avoid excessive stack usage. Also enable some debug output to get meaningful stack traces.
```
export CC=clang
export CFLAGS=" \
    -O1 -gline-tables-only \
    -fsanitize=fuzzer-no-link,address,undefined \
    -fno-sanitize-recover=all \
    -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
```
Other options that can improve stack traces:
```
-fno-omit-frame-pointer
-fno-inline
-fno-optimize-sibling-calls (disables tail call optimization)
```
Build libxml2 with instrumentation:
```
./configure --without-python
make
```
Run fuzzers:
```
make -C fuzz fuzz-xml
```
The environment variable XML_FUZZ_OPTIONS can be used to pass additional flags to the fuzzer.

Malloc failure injection

Most fuzzers inject malloc failures to cover code paths handling these errors. This can lead to surprises when debugging crashes. You can set the macro XML_FUZZ_MALLOC_ABORT in fuzz/fuzz.c to make the fuzz target abort at the malloc invocation which would fail. This tells you if and where a malloc failure was injected.

Some fuzzers also test whether malloc failures are reported. To debug failures which aren’t reported, it’s helpful to enable XML_FUZZ_MALLOC_ABORT to see which allocation failed. Debugging failures which are erroneously reported can be harder. If the report goes through xmlRaiseMemoryError, you can abort() there to get a stack trace.

kc3-lang/libxml2/fuzz

Commit

Files

Properties

README.md

libFuzzer instructions for libxml2

Malloc failure injection