
Enforce maximum length of fuzz input

Remove the libfuzzer max_len option which doesn't apply to other
fuzzing engines. Enforce the maximum length directly in the fuzz
targets. For the xml target, lower the maximum when expanding entities
to avoid timeout and OOM errors.
Nick Wellnhofer 2020-12-16 15:41:52 +01:00
parent 1fe385304f
commit 9086988ffa
11 changed files with 20 additions and 9 deletions


@ -1,3 +1,2 @@
[libfuzzer]
max_len = 1000000
timeout = 20


@ -21,6 +21,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
char *str[2] = { NULL, NULL };
size_t numStrings;
if (size > 200)
return(0);
numStrings = xmlFuzzExtractStrings(data, size, str, 2);
/* CUR_SCHAR doesn't handle invalid UTF-8 and may cause infinite loops. */
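Review bot: The new cap `if (size > 200)` is a bare magic number, and the same pattern recurs in the other targets of this commit (50000 in the schema hunk, 10000 in the uri and xpath hunks, 50000/500000 in the xml hunk); each target would read better with a file-scope constant, e.g. `#define MAX_INPUT_SIZE 200` and `if (size > MAX_INPUT_SIZE)`, so the limit is visible in one place. A short why-comment would also help, since the number carries the reason on its own: `/* Cap input size here instead of via libfuzzer max_len, so it holds for every fuzzing engine. */`. The 200 presumably mirrors the max_len removed from the adjacent options file; that pairing is inferred from the page layout. LLVMFuzzerTestOneInput begins at the hunk header and its body continues outside the hunk.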


@ -1,3 +1,2 @@
[libfuzzer]
max_len = 200
timeout = 5


@ -21,6 +21,9 @@ int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlSchemaParserCtxtPtr pctxt;
if (size > 50000)
return(0);
xmlFuzzDataInit(data, size);
xmlFuzzReadEntities();
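Review bot: The new limit `if (size > 50000)` is not explained in the code, and if the options file shown next on this page belongs to this target, it replaces a former max_len of 80000, i.e. the schema target's effective maximum is lowered while the commit message only mentions lowering the xml target; that attribution is inferred from page order, so please confirm. If the reduction is deliberate, a comment on the check should say so, e.g. `/* 50000 bytes; larger schemas were too slow for the fuzzer (was max_len = 80000). */`, with the number adjusted to whatever the real reason is. The check runs before xmlFuzzDataInit, so returning without cleanup is correct here. LLVMFuzzerTestOneInput continues outside the hunk.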


@ -1,3 +1,2 @@
[libfuzzer]
max_len = 80000
timeout = 20


@ -13,6 +13,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
char *str[2] = { NULL, NULL };
size_t numStrings;
if (size > 10000)
return(0);
numStrings = xmlFuzzExtractStrings(data, size, str, 2);
uri = xmlParseURI(str[0]);


@ -1,3 +1,2 @@
[libfuzzer]
max_len = 10000
timeout = 5


@ -29,13 +29,18 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlTextReaderPtr reader;
xmlChar *out;
const char *docBuffer, *docUrl;
size_t docSize, consumed, chunkSize;
size_t maxSize, docSize, consumed, chunkSize;
int opts, outSize;
xmlFuzzDataInit(data, size);
opts = xmlFuzzReadInt();
/* XML_PARSE_HUGE still causes timeouts. */
opts &= ~XML_PARSE_HUGE;
/* Lower maximum size when processing entities for now. */
maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;
if (size > maxSize) {
xmlFuzzDataCleanup();
return(0);
}
xmlFuzzReadEntities();
docBuffer = xmlFuzzMainEntity(&docSize);
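Review bot: `maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;` is correct only because `&` binds tighter than `?:`, which many readers will have to stop and check; write it as `maxSize = (opts & XML_PARSE_NOENT) ? 50000 : 500000;` and consider naming the two limits. The lower cap is keyed solely on XML_PARSE_NOENT, yet other parser options that also load or expand entity content (XML_PARSE_DTDLOAD and XML_PARSE_DTDVALID come to mind) may carry the same timeout and OOM exposure the commit message describes; whether they do is not visible here, so it is worth confirming and either widening the mask or noting in the comment why NOENT alone suffices. The rejection path correctly calls xmlFuzzDataCleanup() because xmlFuzzDataInit has already run, unlike the other targets where the check precedes initialisation; a one-line comment such as `/* Data already initialised above, so release it before rejecting. */` would make that asymmetry intentional rather than accidental. LLVMFuzzerTestOneInput begins before and continues after this hunk.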


@ -1,3 +1,2 @@
[libfuzzer]
max_len = 80000
timeout = 20


@ -23,6 +23,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
const char *expr, *xml;
size_t exprSize, xmlSize;
if (size > 10000)
return(0);
xmlFuzzDataInit(data, size);
expr = xmlFuzzReadString(&exprSize);


@ -1,3 +1,2 @@
[libfuzzer]
max_len = 10000
timeout = 20