fuzz: Inject IO failures into serialization code

2025-03-28 21:33:13 +00:00 · 2024-12-17 18:26:24 +01:00 · 2024-12-17 18:26:24 +01:00 · 72f84dd739
commit 72f84dd739
parent 0160076f39
4 changed files with 45 additions and 10 deletions
--- a/fuzz/api.c
+++ b/fuzz/api.c
@ -1002,6 +1002,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
        size_t readSize;
        int op = xmlFuzzReadInt(1);
        int oomReport = -1; /* -1 means unknown */
+        int ioReport = 0;

        vars->opName = "[unset]";

@ -3301,7 +3302,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
                }

                incStrIdx();
-                output = xmlAllocOutputBuffer(NULL);
+                output = xmlOutputBufferCreateIO(xmlFuzzOutputWrite,
+                                                 xmlFuzzOutputClose, NULL, NULL);
                xmlFuzzResetFailure();
                node = getNode(0);
                doc = node ? node->doc : NULL;
@ -3353,16 +3355,17 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
                if (closed) {
                    if (res >= 0)
                        oomReport = 0;
+                    else
+                        ioReport = -1;
                    moveStr(0, NULL);
                } else {
-                    oomReport =
-                        (output != NULL &&
-                         output->error == XML_ERR_NO_MEMORY);
                    if (argsOk && !output->error)
                        copyStr(0, xmlBufContent(output->buffer));
                    else
                        moveStr(0, NULL);
-                    xmlOutputBufferClose(output);
+                    res = xmlOutputBufferClose(output);
+                    oomReport = (res == -XML_ERR_NO_MEMORY);
+                    ioReport  = (res == -XML_IO_EIO);
                }
                endOp();
                break;
@ -3570,7 +3573,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
                break;
        }

-        xmlFuzzCheckFailureReport(vars->opName, oomReport, 0);
+        xmlFuzzCheckFailureReport(vars->opName, oomReport, ioReport);
    }

    for (i = 0; i < REG_MAX; i++)
--- a/fuzz/fuzz.c
+++ b/fuzz/fuzz.c
@ -481,3 +481,20 @@ xmlSlurpFile(const char *path, size_t *sizeRet) {
    return(data);
 }

+int
+xmlFuzzOutputWrite(void *ctxt ATTRIBUTE_UNUSED,
+                   const char *buffer ATTRIBUTE_UNUSED, int len) {
+    if (xmlFuzzTryIo() < 0)
+        return -XML_IO_EIO;
+
+    return len;
+}
+
+int
+xmlFuzzOutputClose(void *ctxt ATTRIBUTE_UNUSED) {
+    if (xmlFuzzTryIo() < 0)
+        return XML_IO_EIO;
+
+    return 0;
+}
+
--- a/fuzz/fuzz.h
+++ b/fuzz/fuzz.h
@ -119,6 +119,12 @@ xmlFuzzResourceLoader(void *data, const char *URL, const char *ID,
 char *
 xmlSlurpFile(const char *path, size_t *size);

+int
+xmlFuzzOutputWrite(void *ctxt, const char *buffer, int len);
+
+int
+xmlFuzzOutputClose(void *ctxt);
+
 #ifdef __cplusplus
 }
 #endif
--- a/fuzz/xml.c
+++ b/fuzz/xml.c
@ -31,6 +31,10 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
    const char *docBuffer, *docUrl;
    size_t failurePos, docSize;
    int opts;
+#ifdef LIBXML_OUTPUT_ENABLED
+    const char *saveEncoding;
+    int saveOpts;
+#endif

    xmlFuzzDataInit(data, size);
    opts = (int) xmlFuzzReadInt(4);
@ -42,6 +46,12 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
            ~XML_PARSE_SAX1;
    failurePos = xmlFuzzReadInt(4) % (size + 100);

+#ifdef LIBXML_OUTPUT_ENABLED
+    /* TODO: Take from fuzz data */
+    saveOpts = 0;
+    saveEncoding = NULL;
+#endif
+
    xmlFuzzReadEntities();
    docBuffer = xmlFuzzMainEntity(&docSize);
    docUrl = xmlFuzzMainUrl();
@ -62,12 +72,12 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {

        if (doc != NULL) {
 #ifdef LIBXML_OUTPUT_ENABLED
-            xmlBufferPtr buffer;
            xmlSaveCtxtPtr save;

            /* Also test the serializer. */
-            buffer = xmlBufferCreate();
-            save = xmlSaveToBuffer(buffer, NULL, 0);
+            save = xmlSaveToIO(xmlFuzzOutputWrite, xmlFuzzOutputClose, NULL,
+                               saveEncoding, saveOpts);
+
            if (save != NULL) {
                int errNo;

@ -77,7 +87,6 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
                                          errNo == XML_ERR_NO_MEMORY,
                                          errNo == XML_IO_EIO);
            }
-            xmlBufferFree(buffer);
 #endif
            xmlFreeDoc(doc);
        }