Hash :
6f1470a5
Author :
Date :
2020-08-25T18:50:45
Hardcode maximum XPath recursion depth Always limit nested function calls to 5000. This avoids call stack overflows with deeply nested expressions. The expression parser produces about 10 nested function calls when parsing a subexpression in parentheses, so the effective nesting limit is about 500, which should be more than enough. Use a lower limit when fuzzing to account for the increased memory usage of sanitizers.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
/*
* xpath.c: a libFuzzer target to test XPath and XPointer expressions.
*
* See Copyright for the status of this software.
*/
#include <libxml/parser.h>
#include <libxml/xpointer.h>
#include "fuzz.h"
int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
char ***argv ATTRIBUTE_UNUSED) {
xmlInitParser();
xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
return 0;
}
int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlDocPtr doc;
const char *expr, *xml;
size_t exprSize, xmlSize;
xmlFuzzDataInit(data, size);
expr = xmlFuzzReadString(&exprSize);
xml = xmlFuzzReadString(&xmlSize);
/* Recovery mode allows more input to be fuzzed. */
doc = xmlReadMemory(xml, xmlSize, NULL, NULL, XML_PARSE_RECOVER);
if (doc != NULL) {
xmlXPathContextPtr xpctxt = xmlXPathNewContext(doc);
/* Operation limit to avoid timeout */
xpctxt->opLimit = 500000;
xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, xpctxt));
xmlXPathFreeContext(xpctxt);
}
xmlFreeDoc(doc);
xmlFuzzDataCleanup();
return(0);
}
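Review bot: The result of `xmlXPathNewContext(doc)` is written through unchecked at `xpctxt->opLimit = 500000;`, so an allocation failure inside the context constructor turns into a NULL dereference in the harness rather than a clean skip of the input. Wrap the context use in `if (xpctxt != NULL) {` around the opLimit write, the `xmlXPtrEval` call and `xmlXPathFreeContext(xpctxt);`, leaving the `doc != NULL` guard as it is; `xmlXPathFreeObject(NULL)` is already harmless, but the field write is not. Nothing in this file sets or references the lowered fuzzing recursion limit the commit message describes, so presumably that lives in xpath.c under the fuzzing build macro; a one-line comment next to the opLimit write, e.g. `/* Recursion depth is capped inside xpath.c; only the op limit is set here. */`, would tell the next reader where to look. This page shows the file without old/new markers, so which of these lines the commit itself changed is not recoverable from here.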