fuzz: Reduce initial array size

2025-03-24 06:50:08 +03:00 · 2024-12-16 01:34:29 +01:00 · 2024-12-16 01:34:29 +01:00 · 63dfcca670
commit 63dfcca670
parent 6f903d434f
4 changed files with 42 additions and 17 deletions
--- a/HTMLparser.c
+++ b/HTMLparser.c
@ -4550,6 +4550,12 @@ static int
 htmlInitParserCtxt(htmlParserCtxtPtr ctxt, const htmlSAXHandler *sax,
                   void *userData)
 {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    size_t initialNodeTabSize = 1;
+#else
+    size_t initialNodeTabSize = 10;
+#endif
+
    if (ctxt == NULL) return(-1);
    memset(ctxt, 0, sizeof(htmlParserCtxt));

@ -4572,11 +4578,11 @@ htmlInitParserCtxt(htmlParserCtxtPtr ctxt, const htmlSAXHandler *sax,

    /* Allocate the Input stack */
    ctxt->inputTab = (htmlParserInputPtr *)
-                      xmlMalloc(5 * sizeof(htmlParserInputPtr));
+                      xmlMalloc(sizeof(htmlParserInputPtr));
    if (ctxt->inputTab == NULL)
 	return(-1);
    ctxt->inputNr = 0;
-    ctxt->inputMax = 5;
+    ctxt->inputMax = 1;
    ctxt->input = NULL;
    ctxt->version = NULL;
    ctxt->encoding = NULL;
@ -4584,19 +4590,19 @@ htmlInitParserCtxt(htmlParserCtxtPtr ctxt, const htmlSAXHandler *sax,
    ctxt->instate = XML_PARSER_START;

    /* Allocate the Node stack */
-    ctxt->nodeTab = (htmlNodePtr *) xmlMalloc(10 * sizeof(htmlNodePtr));
+    ctxt->nodeTab = xmlMalloc(initialNodeTabSize * sizeof(htmlNodePtr));
    if (ctxt->nodeTab == NULL)
 	return(-1);
    ctxt->nodeNr = 0;
-    ctxt->nodeMax = 10;
+    ctxt->nodeMax = initialNodeTabSize;
    ctxt->node = NULL;

    /* Allocate the Name stack */
-    ctxt->nameTab = (const xmlChar **) xmlMalloc(10 * sizeof(xmlChar *));
+    ctxt->nameTab = xmlMalloc(initialNodeTabSize * sizeof(xmlChar *));
    if (ctxt->nameTab == NULL)
 	return(-1);
    ctxt->nameNr = 0;
-    ctxt->nameMax = 10;
+    ctxt->nameMax = initialNodeTabSize;
    ctxt->name = NULL;

    ctxt->nodeInfoTab = NULL;
--- a/SAX2.c
+++ b/SAX2.c
@ -289,6 +289,11 @@ xmlSAX2ExternalSubset(void *ctx, const xmlChar *name,
 	const xmlChar *oldencoding;
        unsigned long consumed;
        size_t buffered;
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+        int inputMax = 1;
+#else
+        int inputMax = 5;
+#endif

 	/*
 	 * Ask the Entity resolver to load the damn thing
@ -316,14 +321,13 @@ xmlSAX2ExternalSubset(void *ctx, const xmlChar *name,
 	oldencoding = ctxt->encoding;
 	ctxt->encoding = NULL;

-	ctxt->inputTab = (xmlParserInputPtr *)
-	                 xmlMalloc(5 * sizeof(xmlParserInputPtr));
+	ctxt->inputTab = xmlMalloc(inputMax * sizeof(xmlParserInputPtr));
 	if (ctxt->inputTab == NULL) {
 	    xmlSAX2ErrMemory(ctxt);
            goto error;
 	}
 	ctxt->inputNr = 0;
-	ctxt->inputMax = 5;
+	ctxt->inputMax = inputMax;
 	ctxt->input = NULL;
 	if (xmlCtxtPushInput(ctxt, input) < 0)
            goto error;
--- a/valid.c
+++ b/valid.c
@ -5175,9 +5175,12 @@ fail:
    /*
     * Allocate the stack
     */
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    ctxt->vstateMax = 8;
-    ctxt->vstateTab = (xmlValidState *) xmlMalloc(
-		 ctxt->vstateMax * sizeof(ctxt->vstateTab[0]));
+#else
+    ctxt->vstateMax = 1;
+#endif
+    ctxt->vstateTab = xmlMalloc(ctxt->vstateMax * sizeof(ctxt->vstateTab[0]));
    if (ctxt->vstateTab == NULL) {
 	xmlVErrMemory(ctxt);
 	return(-1);
--- a/xpath.c
+++ b/xpath.c
@ -957,7 +957,11 @@ xmlXPathNewCompExpr(void) {
    if (cur == NULL)
 	return(NULL);
    memset(cur, 0, sizeof(xmlXPathCompExpr));
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    cur->maxStep = 1;
+#else
    cur->maxStep = 10;
+#endif
    cur->nbStep = 0;
    cur->steps = (xmlXPathStepOp *) xmlMalloc(cur->maxStep *
 	                                   sizeof(xmlXPathStepOp));
@ -5057,15 +5061,18 @@ xmlXPathCompParserContext(xmlXPathCompExprPtr comp, xmlXPathContextPtr ctxt) {
    memset(ret, 0 , sizeof(xmlXPathParserContext));

    /* Allocate the value stack */
-    ret->valueTab = (xmlXPathObjectPtr *)
-                     xmlMalloc(10 * sizeof(xmlXPathObjectPtr));
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    ret->valueMax = 1;
+#else
+    ret->valueMax = 10;
+#endif
+    ret->valueTab = xmlMalloc(ret->valueMax * sizeof(xmlXPathObjectPtr));
    if (ret->valueTab == NULL) {
 	xmlFree(ret);
 	xmlXPathErrMemory(ctxt);
 	return(NULL);
    }
    ret->valueNr = 0;
-    ret->valueMax = 10;
    ret->value = NULL;

    ret->context = ctxt;
@ -12044,15 +12051,20 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
 	return(-1);

    if (ctxt->valueTab == NULL) {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+        int valueMax = 1;
+#else
+        int valueMax = 10;
+#endif
+
 	/* Allocate the value stack */
-	ctxt->valueTab = (xmlXPathObjectPtr *)
-			 xmlMalloc(10 * sizeof(xmlXPathObjectPtr));
+	ctxt->valueTab = xmlMalloc(valueMax * sizeof(xmlXPathObjectPtr));
 	if (ctxt->valueTab == NULL) {
 	    xmlXPathPErrMemory(ctxt);
 	    return(-1);
 	}
 	ctxt->valueNr = 0;
-	ctxt->valueMax = 10;
+	ctxt->valueMax = valueMax;
 	ctxt->value = NULL;
    }
 #ifdef XPATH_STREAMING