
Handle malloc failures in fuzzing code

Avoid misdiagnosis in OOM situations.
This commit is contained in:
Nick Wellnhofer 2020-12-18 00:50:34 +01:00
parent a67b63d183
commit e2b975c317
2 changed files with 15 additions and 11 deletions


@ -211,6 +211,8 @@ xmlFuzzReadEntities(void) {
if (xmlHashLookup(fuzzData.entities, (xmlChar *)url) == NULL) {
entityInfo = xmlMalloc(sizeof(xmlFuzzEntityInfo));
if (entityInfo == NULL)
break;
entityInfo->data = entity;
entityInfo->size = entitySize;
@ -271,6 +273,10 @@ xmlFuzzEntityLoader(const char *URL, const char *ID ATTRIBUTE_UNUSED,
input->filename = NULL;
input->buf = xmlParserInputBufferCreateMem(entity->data, entity->size,
XML_CHAR_ENCODING_NONE);
if (input->buf == NULL) {
xmlFreeInputStream(input);
return(NULL);
}
input->base = input->cur = xmlBufContent(input->buf->buffer);
input->end = input->base + entity->size;
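Review bot: The new `if (entityInfo == NULL) break;` in xmlFuzzReadEntities stops consuming the remaining entity records without any signal, so whatever was registered before the failed xmlMalloc stays in fuzzData.entities while the rest is dropped; a comment stating that this truncation is the intended OOM behaviour would save the next reader from treating it as a bug, e.g. `/* OOM: stop reading entities; keep what was already registered */`. In the xmlFuzzEntityLoader hunk, the early return after a failed xmlParserInputBufferCreateMem hands an input stream with `buf == NULL` to xmlFreeInputStream, which appears to be relied on to tolerate that; worth confirming against xmlFreeInputStream rather than assuming it. Both enclosing functions start and end outside their hunks, and the rendered page seems to have dropped some context lines, so the exact line counts cannot be checked here.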


@ -37,18 +37,14 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Lower maximum size when processing entities for now. */
maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;
if (size > maxSize) {
xmlFuzzDataCleanup();
return(0);
}
if (size > maxSize)
goto exit;
xmlFuzzReadEntities();
docBuffer = xmlFuzzMainEntity(&docSize);
docUrl = xmlFuzzMainUrl();
if (docBuffer == NULL) {
xmlFuzzDataCleanup();
return(0);
}
if (docBuffer == NULL)
goto exit;
/* Pull parser */
@ -63,6 +59,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Push parser */
ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
if (ctxt == NULL)
goto exit;
xmlCtxtUseOptions(ctxt, opts);
for (consumed = 0; consumed < docSize; consumed += chunkSize) {
@ -81,6 +79,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Reader */
reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts);
if (reader == NULL)
goto exit;
while (xmlTextReaderRead(reader) == 1) {
if (xmlTextReaderNodeType(reader) == XML_ELEMENT_NODE) {
int i, n = xmlTextReaderAttributeCount(reader);
@ -92,10 +92,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
}
xmlFreeTextReader(reader);
/* Cleanup */
exit:
xmlFuzzDataCleanup();
return(0);
}
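Review bot: The cleanup label introduced at the end of LLVMFuzzerTestOneInput is named `exit`, which is legal (labels live in their own namespace) but reads like a call to exit(3) at every `goto exit;` site in the size-check, main-entity, push-parser and reader hunks; a name such as `cleanup:` or `done:` would make the intent unambiguous. The two new NULL checks on xmlCreatePushParserCtxt and xmlReaderForMemory jump straight to that label, which looks right provided the pull-parser document and the push-parser context are already freed before each jump — that code is outside the hunks, so this cannot be verified here. A one-line comment at the label, e.g. `exit: /* every parser object is freed before reaching here; only fuzz data remains */`, would document the invariant the gotos depend on.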