From 63dfcca67057a4b3207736192594d3e95444ada9 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Mon, 16 Dec 2024 01:34:29 +0100
Subject: [PATCH] fuzz: Reduce initial array size

---
 HTMLparser.c | 18 ++++++++++++------
 SAX2.c       | 10 +++++++---
 valid.c      |  7 +++++--
 xpath.c      | 24 ++++++++++++++++++------
 4 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/HTMLparser.c b/HTMLparser.c
index 64a16255..66a090ce 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -4550,6 +4550,12 @@ static int
 htmlInitParserCtxt(htmlParserCtxtPtr ctxt, const htmlSAXHandler *sax,
                    void *userData)
 {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    size_t initialNodeTabSize = 1;
+#else
+    size_t initialNodeTabSize = 10;
+#endif
+
     if (ctxt == NULL) return(-1);
     memset(ctxt, 0, sizeof(htmlParserCtxt));
@@ -4572,11 +4578,11 @@ htmlInitParserCtxt(htmlParserCtxtPtr ctxt, const htmlSAXHandler *sax,
     /* Allocate the Input stack */
     ctxt->inputTab = (htmlParserInputPtr *)
-                      xmlMalloc(5 * sizeof(htmlParserInputPtr));
+                      xmlMalloc(sizeof(htmlParserInputPtr));
     if (ctxt->inputTab == NULL)
         return(-1);
     ctxt->inputNr = 0;
-    ctxt->inputMax = 5;
+    ctxt->inputMax = 1;
     ctxt->input = NULL;
     ctxt->version = NULL;
     ctxt->encoding = NULL;
@@ -4584,19 +4590,19 @@ htmlInitParserCtxt(htmlParserCtxtPtr ctxt, const htmlSAXHandler *sax,
     ctxt->instate = XML_PARSER_START;
     /* Allocate the Node stack */
-    ctxt->nodeTab = (htmlNodePtr *) xmlMalloc(10 * sizeof(htmlNodePtr));
+    ctxt->nodeTab = xmlMalloc(initialNodeTabSize * sizeof(htmlNodePtr));
     if (ctxt->nodeTab == NULL)
         return(-1);
     ctxt->nodeNr = 0;
-    ctxt->nodeMax = 10;
+    ctxt->nodeMax = initialNodeTabSize;
     ctxt->node = NULL;
     /* Allocate the Name stack */
-    ctxt->nameTab = (const xmlChar **) xmlMalloc(10 * sizeof(xmlChar *));
+    ctxt->nameTab = xmlMalloc(initialNodeTabSize * sizeof(xmlChar *));
     if (ctxt->nameTab == NULL)
         return(-1);
     ctxt->nameNr = 0;
-    ctxt->nameMax = 10;
+    ctxt->nameMax = initialNodeTabSize;
     ctxt->name = NULL;
     ctxt->nodeInfoTab = NULL;
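Review bot: `initialNodeTabSize` is declared `size_t` but is stored into `ctxt->nodeMax` and `ctxt->nameMax`, which the neighbouring `ctxt->inputMax = 1;` assignment and the `int inputMax` / `int valueMax` locals in SAX2.c and xpath.c suggest are `int` fields; if so this is an implicit size_t-to-int narrowing that -Wconversion reports, and it makes this hunk the one inconsistent copy in the patch. Declaring it `int initialNodeTabSize = 1;` / `int initialNodeTabSize = 10;` lines it up with the siblings. The same five-line `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` selection is now repeated in SAX2.c, valid.c and xpath.c (six copies in total); one macro in a private header, say `XML_FUZZ_INITIAL_TAB_SIZE` (name constructed), would keep the copies from drifting, and the swapped branches in the valid.c hunk show how easily they do. htmlInitParserCtxt continues outside the hunk.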
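Review bot: The input stack is shrunk from 5 to 1 entry unconditionally here, while every other table in this patch is reduced only under `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`, and nothing in the hunk says whether that asymmetry is deliberate. If the HTML parser never pushes a second input, a comment at the allocation such as `/* the HTML parser only ever holds one input; the table grows on push */` would record that (the push path is outside the hunk, so confirm it grows the table); otherwise the size should be gated like nodeTab and nameTab in the next hunk. In either case `xmlMalloc(1 * sizeof(htmlParserInputPtr))` beside `ctxt->inputMax = 1;` reads more obviously as a one-element table than the bare `sizeof`.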
diff --git a/SAX2.c b/SAX2.c
index 702041f9..1d6b3b52 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -289,6 +289,11 @@ xmlSAX2ExternalSubset(void *ctx, const xmlChar *name,
     const xmlChar *oldencoding;
     unsigned long consumed;
     size_t buffered;
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    int inputMax = 1;
+#else
+    int inputMax = 5;
+#endif
     /*
      * Ask the Entity resolver to load the damn thing
@@ -316,14 +321,13 @@ xmlSAX2ExternalSubset(void *ctx, const xmlChar *name,
     oldencoding = ctxt->encoding;
     ctxt->encoding = NULL;
-    ctxt->inputTab = (xmlParserInputPtr *)
-                     xmlMalloc(5 * sizeof(xmlParserInputPtr));
+    ctxt->inputTab = xmlMalloc(inputMax * sizeof(xmlParserInputPtr));
     if (ctxt->inputTab == NULL) {
         xmlSAX2ErrMemory(ctxt);
         goto error;
     }
     ctxt->inputNr = 0;
-    ctxt->inputMax = 5;
+    ctxt->inputMax = inputMax;
     ctxt->input = NULL;
     if (xmlCtxtPushInput(ctxt, input) < 0)
         goto error;
diff --git a/valid.c b/valid.c
index 6a8ae1fb..a99c0137 100644
--- a/valid.c
+++ b/valid.c
@@ -5175,9 +5175,12 @@ fail:
     /*
      * Allocate the stack
      */
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     ctxt->vstateMax = 8;
-    ctxt->vstateTab = (xmlValidState *) xmlMalloc(
-        ctxt->vstateMax * sizeof(ctxt->vstateTab[0]));
+#else
+    ctxt->vstateMax = 1;
+#endif
+    ctxt->vstateTab = xmlMalloc(ctxt->vstateMax * sizeof(ctxt->vstateTab[0]));
     if (ctxt->vstateTab == NULL) {
         xmlVErrMemory(ctxt);
         return(-1);
diff --git a/xpath.c b/xpath.c
index c81178a4..0289b467 100644
--- a/xpath.c
+++ b/xpath.c
@@ -957,7 +957,11 @@ xmlXPathNewCompExpr(void) {
     if (cur == NULL)
         return(NULL);
     memset(cur, 0, sizeof(xmlXPathCompExpr));
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    cur->maxStep = 1;
+#else
     cur->maxStep = 10;
+#endif
     cur->nbStep = 0;
     cur->steps = (xmlXPathStepOp *) xmlMalloc(cur->maxStep *
                                            sizeof(xmlXPathStepOp));
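Review bot: The two preprocessor branches in the valid.c hunk are swapped: with `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` defined `ctxt->vstateMax` keeps its old value of 8 and the non-fuzzing build is the one that gets 1, the opposite of every other hunk in this patch and of the commit's stated intent. The fix is `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` / `ctxt->vstateMax = 1;` / `#else` / `ctxt->vstateMax = 8;`. As written the fuzzer never starts from the one-element table whose grow-on-push path this change is meant to exercise, and production pays an extra reallocation on the first push, assuming the push routine (outside the hunk) grows the table on demand. The enclosing function starts outside the hunk.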
@@ -5057,15 +5061,18 @@ xmlXPathCompParserContext(xmlXPathCompExprPtr comp, xmlXPathContextPtr ctxt) {
     memset(ret, 0 , sizeof(xmlXPathParserContext));
     /* Allocate the value stack */
-    ret->valueTab = (xmlXPathObjectPtr *)
-                     xmlMalloc(10 * sizeof(xmlXPathObjectPtr));
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    ret->valueMax = 1;
+#else
+    ret->valueMax = 10;
+#endif
+    ret->valueTab = xmlMalloc(ret->valueMax * sizeof(xmlXPathObjectPtr));
     if (ret->valueTab == NULL) {
         xmlFree(ret);
         xmlXPathErrMemory(ctxt);
         return(NULL);
     }
     ret->valueNr = 0;
-    ret->valueMax = 10;
     ret->value = NULL;
     ret->context = ctxt;
@@ -12044,15 +12051,20 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
         return(-1);
     if (ctxt->valueTab == NULL) {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+        int valueMax = 1;
+#else
+        int valueMax = 10;
+#endif
+
         /* Allocate the value stack */
-        ctxt->valueTab = (xmlXPathObjectPtr *)
-                         xmlMalloc(10 * sizeof(xmlXPathObjectPtr));
+        ctxt->valueTab = xmlMalloc(valueMax * sizeof(xmlXPathObjectPtr));
         if (ctxt->valueTab == NULL) {
             xmlXPathPErrMemory(ctxt);
             return(-1);
         }
         ctxt->valueNr = 0;
-        ctxt->valueMax = 10;
+        ctxt->valueMax = valueMax;
         ctxt->value = NULL;
     }
 #ifdef XPATH_STREAMING