Enforce maximum length of fuzz input
Remove the libfuzzer max_len option, which doesn't apply to other fuzzing engines, and enforce the maximum length directly in the fuzz targets instead. For the xml target, lower the maximum when expanding entities to avoid timeout and OOM errors.
This commit is contained in:
parent
1fe385304f
commit
9086988ffa
@ -1,3 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 1000000
|
||||
timeout = 20
|
||||
|
@ -21,6 +21,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
|
||||
char *str[2] = { NULL, NULL };
|
||||
size_t numStrings;
|
||||
|
||||
if (size > 200)
|
||||
return(0);
|
||||
|
||||
numStrings = xmlFuzzExtractStrings(data, size, str, 2);
|
||||
|
||||
/* CUR_SCHAR doesn't handle invalid UTF-8 and may cause infinite loops. */
|
||||
|
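Review bot: The new `if (size > 200) return(0);` guard leaves the cap as a bare literal, and the schema, uri and xpath hunks below do the same with 50000 and 10000, so a reader of the target cannot tell which limits were chosen against timeouts and which against memory use; that reasoning currently lives only in the commit message. A named constant with a one-line why-comment keeps it next to the check, e.g. `/* Larger inputs time out or exhaust memory; cap raw fuzz input here instead of relying on engine-specific max_len. */` followed by `enum { MAX_INPUT_SIZE = 200 };` and `if (size > MAX_INPUT_SIZE) return(0);`. Placing the check before any data-reading helper, as done here, is right because nothing needs cleaning up on the early return. LLVMFuzzerTestOneInput begins before and continues after this hunk.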
@ -1,3 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 200
|
||||
timeout = 5
|
||||
|
@ -21,6 +21,9 @@ int
|
||||
LLVMFuzzerTestOneInput(const char *data, size_t size) {
|
||||
xmlSchemaParserCtxtPtr pctxt;
|
||||
|
||||
if (size > 50000)
|
||||
return(0);
|
||||
|
||||
xmlFuzzDataInit(data, size);
|
||||
xmlFuzzReadEntities();
|
||||
|
||||
|
@ -1,3 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 80000
|
||||
timeout = 20
|
||||
|
@ -13,6 +13,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
|
||||
char *str[2] = { NULL, NULL };
|
||||
size_t numStrings;
|
||||
|
||||
if (size > 10000)
|
||||
return(0);
|
||||
|
||||
numStrings = xmlFuzzExtractStrings(data, size, str, 2);
|
||||
|
||||
uri = xmlParseURI(str[0]);
|
||||
|
@ -1,3 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 10000
|
||||
timeout = 5
|
||||
|
11
fuzz/xml.c
11
fuzz/xml.c
@ -29,13 +29,18 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
|
||||
xmlTextReaderPtr reader;
|
||||
xmlChar *out;
|
||||
const char *docBuffer, *docUrl;
|
||||
size_t docSize, consumed, chunkSize;
|
||||
size_t maxSize, docSize, consumed, chunkSize;
|
||||
int opts, outSize;
|
||||
|
||||
xmlFuzzDataInit(data, size);
|
||||
opts = xmlFuzzReadInt();
|
||||
/* XML_PARSE_HUGE still causes timeouts. */
|
||||
opts &= ~XML_PARSE_HUGE;
|
||||
|
||||
/* Lower maximum size when processing entities for now. */
|
||||
maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;
|
||||
if (size > maxSize) {
|
||||
xmlFuzzDataCleanup();
|
||||
return(0);
|
||||
}
|
||||
|
||||
xmlFuzzReadEntities();
|
||||
docBuffer = xmlFuzzMainEntity(&docSize);
|
||||
|
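Review bot: `maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;` relies on `&` binding tighter than `?:`; that is correct C, but it is easily misread as `opts & (XML_PARSE_NOENT ? ...)`, so `maxSize = (opts & XML_PARSE_NOENT) ? 50000 : 500000;` is the clearer form, and the two limits would be better as named constants than literals. The cap is measured on the raw fuzz input, which includes the entity definitions later consumed by `xmlFuzzReadEntities()`; if entity expansion is the cost the "for now" comment refers to, input length is only a proxy for it, and the comment could say what the intended longer-term guard is (bounding the expanded size in the target rather than the input). The early return correctly calls `xmlFuzzDataCleanup()` because `xmlFuzzDataInit()` has already run, unlike the other targets where the check precedes initialization. LLVMFuzzerTestOneInput starts before and ends after this hunk.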
@ -1,3 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 80000
|
||||
timeout = 20
|
||||
|
@ -23,6 +23,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
|
||||
const char *expr, *xml;
|
||||
size_t exprSize, xmlSize;
|
||||
|
||||
if (size > 10000)
|
||||
return(0);
|
||||
|
||||
xmlFuzzDataInit(data, size);
|
||||
|
||||
expr = xmlFuzzReadString(&exprSize);
|
||||
|
@ -1,3 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 10000
|
||||
timeout = 20
|
||||
|