From 30d839776aaed66831133447612ea8224ce061ce Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Thu, 4 Jan 2024 15:18:14 +0100
Subject: [PATCH] fuzz: Disable catalogs

The catalogs API doesn't report OOM errors. It's basically impossible to use it safely in its current form.
---
 fuzz/html.c | 1 +
 fuzz/schema.c | 1 +
 fuzz/valid.c | 1 +
 fuzz/xinclude.c | 1 +
 fuzz/xml.c | 1 +
 fuzz/xpath.c | 4 ++++
 parser.c | 6 ++++++
 7 files changed, 15 insertions(+)

diff --git a/fuzz/html.c b/fuzz/html.c
index a2fd1413..e879d879 100644
--- a/fuzz/html.c
+++ b/fuzz/html.c
@@ -16,6 +16,7 @@ LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
 xmlInitParser();
 #ifdef LIBXML_CATALOG_ENABLED
 xmlInitializeCatalog();
+ xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
 #endif
 xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
diff --git a/fuzz/schema.c b/fuzz/schema.c
index e87670a0..611deeca 100644
--- a/fuzz/schema.c
+++ b/fuzz/schema.c
@@ -15,6 +15,7 @@ LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
 xmlInitParser();
 #ifdef LIBXML_CATALOG_ENABLED
 xmlInitializeCatalog();
+ xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
 #endif
 xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
 xmlSetExternalEntityLoader(xmlFuzzEntityLoader);
diff --git a/fuzz/valid.c b/fuzz/valid.c
index 2b8782f4..c5cb43a0 100644
--- a/fuzz/valid.c
+++ b/fuzz/valid.c
@@ -18,6 +18,7 @@ LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
 xmlInitParser();
 #ifdef LIBXML_CATALOG_ENABLED
 xmlInitializeCatalog();
+ xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
 #endif
 xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
 xmlSetExternalEntityLoader(xmlFuzzEntityLoader);
diff --git a/fuzz/xinclude.c b/fuzz/xinclude.c
index cd0b564d..cad269b8 100644
--- a/fuzz/xinclude.c
+++ b/fuzz/xinclude.c
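Review bot: The added `xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);` in fuzz/html.c sits directly under `xmlInitializeCatalog();` with no comment, so the harness reads as initializing catalogs only to switch them off, and the reason survives only in the commit message. A one-line comment above the call would keep the intent with the code: `/* Disable catalogs: the catalog API doesn't report OOM errors, so it can't be fuzzed safely. */`. The same applies to the identical hunks in fuzz/schema.c, fuzz/valid.c, fuzz/xinclude.c, fuzz/xml.c and fuzz/xpath.c. As far as I can tell the setting is a library-wide default rather than a per-context option, so it presumably keeps catalogs off for every input only as long as nothing in the harness or the library resets it later; the enclosing LLVMFuzzerInitialize starts before the hunk and continues past it.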
@@ -19,6 +19,7 @@ LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
 xmlInitParser();
 #ifdef LIBXML_CATALOG_ENABLED
 xmlInitializeCatalog();
+ xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
 #endif
 xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
 xmlSetExternalEntityLoader(xmlFuzzEntityLoader);
diff --git a/fuzz/xml.c b/fuzz/xml.c
index 3955d245..7df8d186 100644
--- a/fuzz/xml.c
+++ b/fuzz/xml.c
@@ -19,6 +19,7 @@ LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
 xmlInitParser();
 #ifdef LIBXML_CATALOG_ENABLED
 xmlInitializeCatalog();
+ xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
 #endif
 xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
 xmlSetExternalEntityLoader(xmlFuzzEntityLoader);
diff --git a/fuzz/xpath.c b/fuzz/xpath.c
index f95320bf..3ab60272 100644
--- a/fuzz/xpath.c
+++ b/fuzz/xpath.c
@@ -13,6 +13,10 @@ LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
 char ***argv ATTRIBUTE_UNUSED) {
 xmlFuzzMemSetup();
 xmlInitParser();
+#ifdef LIBXML_CATALOG_ENABLED
+ xmlInitializeCatalog();
+ xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
+#endif
 xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
 return 0;
diff --git a/parser.c b/parser.c
index aa5cd841..6c141c06 100644
--- a/parser.c
+++ b/parser.c
@@ -5382,6 +5382,12 @@ xmlParseCatalogPI(xmlParserCtxtPtr ctxt, const xmlChar *catalog) {
 goto error;
 if (URL != NULL) {
+ /*
+ * Unfortunately, the catalog API doesn't report OOM errors.
+ * xmlGetLastError isn't very helpful since we don't know
+ * where the last error came from. We'd have to reset it
+ * before this call and restore it afterwards.
+ */
 ctxt->catalogs = xmlCatalogAddLocal(ctxt->catalogs, URL);
 xmlFree(URL);
 }
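Review bot: fuzz/xpath.c did no catalog initialization before this change, and the hunk adds `xmlInitializeCatalog();` only to disable catalogs on the very next line. If the aim is solely to turn catalog lookups off, `xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);` on its own may be enough, and leaving out `xmlInitializeCatalog()` would avoid whatever default-catalog setup it performs at startup (as far as I recall it consults the XML_CATALOG_FILES environment variable, which makes harness initialization depend on the host); please confirm against catalog.c before dropping it. If it is kept for consistency with the other harnesses, a comment saying so, e.g. `/* Kept for parity with the other fuzzers; catalogs are disabled below. */`, would spare the next reader the same question. The enclosing LLVMFuzzerInitialize starts before the hunk and its closing brace is outside it.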
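Review bot: The new comment in parser.c explains why an OOM inside `xmlCatalogAddLocal` cannot be detected here, but not what that means for the caller: on an allocation failure the catalog PI is presumably dropped silently, the parser context records no error and parsing continues as if the PI were absent, and since this commit also makes the fuzzers disable catalogs, that path is no longer exercised by them. Stating both consequences in the comment would make it actionable, e.g. `* NOTE: on OOM the PI is silently ignored and parsing continues;` and `* the fuzz harnesses disable catalogs (XML_CATA_ALLOW_NONE) for this reason.`, or a TODO line so the gap is tracked rather than only explained. The enclosing xmlParseCatalogPI starts before the hunk and continues past it.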