mirror of
https://gitlab.gnome.org/GNOME/libxml2
synced 2025-03-28 21:33:13 +00:00
00ed736eec
- XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c.
91 lines
2.3 KiB
C
91 lines
2.3 KiB
C
/*
|
|
* xml.c: a libFuzzer target to test several XML parser interfaces.
|
|
*
|
|
* See Copyright for the status of this software.
|
|
*/
|
|
|
|
#include <libxml/parser.h>
|
|
#include <libxml/tree.h>
|
|
#include <libxml/xmlerror.h>
|
|
#include <libxml/xmlreader.h>
|
|
#include "fuzz.h"
|
|
|
|
int
|
|
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
|
|
char ***argv ATTRIBUTE_UNUSED) {
|
|
xmlInitParser();
|
|
xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
|
|
xmlSetExternalEntityLoader(xmlFuzzEntityLoader);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
LLVMFuzzerTestOneInput(const char *data, size_t size) {
|
|
static const size_t maxChunkSize = 128;
|
|
xmlDocPtr doc;
|
|
xmlParserCtxtPtr ctxt;
|
|
xmlTextReaderPtr reader;
|
|
xmlChar *out;
|
|
const char *docBuffer;
|
|
size_t docSize, consumed, chunkSize;
|
|
int opts, outSize;
|
|
|
|
xmlFuzzDataInit(data, size);
|
|
opts = xmlFuzzReadInt();
|
|
/* XML_PARSE_HUGE still causes timeouts. */
|
|
opts &= ~XML_PARSE_HUGE;
|
|
|
|
xmlFuzzReadEntities();
|
|
docBuffer = xmlFuzzMainEntity(&docSize);
|
|
if (docBuffer == NULL) {
|
|
xmlFuzzDataCleanup();
|
|
return(0);
|
|
}
|
|
|
|
/* Pull parser */
|
|
|
|
doc = xmlReadMemory(docBuffer, docSize, NULL, NULL, opts);
|
|
/* Also test the serializer. */
|
|
xmlDocDumpMemory(doc, &out, &outSize);
|
|
xmlFree(out);
|
|
xmlFreeDoc(doc);
|
|
|
|
/* Push parser */
|
|
|
|
ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, NULL);
|
|
xmlCtxtUseOptions(ctxt, opts);
|
|
|
|
for (consumed = 0; consumed < docSize; consumed += chunkSize) {
|
|
chunkSize = docSize - consumed;
|
|
if (chunkSize > maxChunkSize)
|
|
chunkSize = maxChunkSize;
|
|
xmlParseChunk(ctxt, docBuffer + consumed, chunkSize, 0);
|
|
}
|
|
|
|
xmlParseChunk(ctxt, NULL, 0, 1);
|
|
xmlFreeDoc(ctxt->myDoc);
|
|
xmlFreeParserCtxt(ctxt);
|
|
|
|
/* Reader */
|
|
|
|
reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts);
|
|
while (xmlTextReaderRead(reader) == 1) {
|
|
if (xmlTextReaderNodeType(reader) == XML_ELEMENT_NODE) {
|
|
int i, n = xmlTextReaderAttributeCount(reader);
|
|
for (i=0; i<n; i++) {
|
|
xmlTextReaderMoveToAttributeNo(reader, i);
|
|
while (xmlTextReaderReadAttributeValue(reader) == 1);
|
|
}
|
|
}
|
|
}
|
|
xmlFreeTextReader(reader);
|
|
|
|
/* Cleanup */
|
|
|
|
xmlFuzzDataCleanup();
|
|
|
|
return(0);
|
|
}
|
|
|