fuzz: New tree API fuzzer
This commit is contained in:
parent
2469d5d065
commit
ee0c1f87c0
@ -656,11 +656,6 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
|
||||
l = 4;
|
||||
val = xmlGetUTF8Char(cur, &l);
|
||||
if (val < 0) {
|
||||
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
|
||||
fprintf(stderr, "xmlEncodeEntitiesInternal: "
|
||||
"invalid UTF-8\n");
|
||||
abort();
|
||||
#endif
|
||||
val = 0xFFFD;
|
||||
cur++;
|
||||
} else {
|
||||
|
3
error.c
3
error.c
@ -698,8 +698,7 @@ xmlVRaiseError(xmlStructuredErrorFunc schannel,
|
||||
if (code == XML_ERR_OK)
|
||||
return(0);
|
||||
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
|
||||
if ((code == XML_ERR_INTERNAL_ERROR) ||
|
||||
(code == XML_ERR_ARGUMENT)) {
|
||||
if (code == XML_ERR_INTERNAL_ERROR) {
|
||||
fprintf(stderr, "Unexpected error: %d\n", code);
|
||||
abort();
|
||||
}
|
||||
|
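Review bot: The fuzzing-mode abort now fires only for XML_ERR_INTERNAL_ERROR, so a stray XML_ERR_ARGUMENT raised during fuzzing is silently tolerated, and nothing in the hunk records why — presumably because the new API fuzzer passes invalid arguments on purpose, but that is inferred from the commit title, not visible here. A one-line comment above `if (code == XML_ERR_INTERNAL_ERROR) {` would keep the next person from re-adding the dropped condition: `/* XML_ERR_ARGUMENT is expected under the API fuzzer, which deliberately calls with bad arguments */`. xmlVRaiseError continues outside the hunk.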
1
fuzz/.gitignore
vendored
1
fuzz/.gitignore
vendored
@ -1,3 +1,4 @@
|
||||
api
|
||||
corpus/
|
||||
genSeed
|
||||
html
|
||||
|
@ -1,5 +1,5 @@
|
||||
AUTOMAKE_OPTIONS = -Wno-syntax
|
||||
EXTRA_PROGRAMS = genSeed html regexp schema uri valid xinclude xml xpath
|
||||
EXTRA_PROGRAMS = api genSeed html regexp schema uri valid xinclude xml xpath
|
||||
check_PROGRAMS = testFuzzer
|
||||
EXTRA_DIST = html.dict regexp.dict schema.dict xml.dict xpath.dict \
|
||||
static_seed/uri static_seed/regexp fuzz.h
|
||||
@ -123,6 +123,20 @@ fuzz-html: html$(EXEEXT) seed/html.stamp
|
||||
-use_value_profile=1 \
|
||||
corpus/html seed/html
|
||||
|
||||
# API fuzzer
|
||||
|
||||
api_SOURCES = api.c fuzz.c
|
||||
api_LDFLAGS = -fsanitize=fuzzer
|
||||
|
||||
fuzz-api: api$(EXEEXT)
|
||||
@mkdir -p corpus/api
|
||||
./api$(EXEEXT) \
|
||||
-max_len=100 \
|
||||
-timeout=20 \
|
||||
-use_value_profile=1 \
|
||||
-jobs=4 -workers=4 \
|
||||
corpus/api
|
||||
|
||||
# Regexp fuzzer
|
||||
|
||||
seed/regexp.stamp:
|
||||
|
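Review bot: The `fuzz-api` target has no seed-corpus prerequisite and caps inputs at `-max_len=100`, whereas `fuzz-html` just above depends on `seed/html.stamp`; nothing in the hunk says this is deliberate, so a reader may assume a `seed/api.stamp` rule was forgotten. A comment under `# API fuzzer` would settle it, e.g. `# No seed corpus: api.c derives its call sequence from the raw fuzz bytes, so short inputs suffice` — adjust if api.c (suppressed on this page) in fact consumes a seed. The Makefile.am file header is not shown here, so the diffstat for this section is unknown.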
3416
fuzz/api.c
Normal file
3416
fuzz/api.c
Normal file
15
fuzz/fuzz.c
15
fuzz/fuzz.c
@ -119,12 +119,13 @@ xmlFuzzResetMallocFailed(void) {
|
||||
}
|
||||
|
||||
void
|
||||
xmlFuzzCheckMallocFailure(const char *func, int expect) {
|
||||
if (fuzzAllocFailed != expect) {
|
||||
xmlFuzzCheckMallocFailure(const char *func, int error) {
|
||||
if (error >= 0 && fuzzAllocFailed != error) {
|
||||
fprintf(stderr, "%s: malloc failure %s reported\n",
|
||||
func, fuzzAllocFailed ? "not" : "erroneously");
|
||||
abort();
|
||||
}
|
||||
fuzzAllocFailed = 0;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -202,6 +203,16 @@ xmlFuzzReadInt(int size) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* xmlFuzzBytesRemaining:
|
||||
*
|
||||
* Return number of remaining bytes in fuzz data.
|
||||
*/
|
||||
size_t
|
||||
xmlFuzzBytesRemaining(void) {
|
||||
return(fuzzData.remaining);
|
||||
}
|
||||
|
||||
/**
|
||||
* xmlFuzzReadRemaining:
|
||||
* @size: size of string in bytes
|
||||
|
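Review bot: The new `xmlFuzzCheckMallocFailure(const char *func, int error)` introduces a third state — a negative `error` skips the mismatch check but still clears `fuzzAllocFailed` — and neither that sentinel nor the meaning of 0/1 is documented; the hunk shows no doc comment between the previous function's `}` and `void`. The name `error` also reads like an error code, whereas the callers changed in this commit pass booleans such as `content == NULL` and `ctxt->errNo == XML_ERR_NO_MEMORY`. I would add a `/** ... */` block in the file's existing style (as on xmlFuzzBytesRemaining in the next hunk) stating that @func is the name printed on mismatch, that @error is 1 if the call under test reported a failure, 0 if it did not, and negative to skip the check, that the injected-failure flag is reset in every case, and that the function aborts on a mismatch. Renaming the parameter to something like `reported` would make the call sites self-explanatory, but the comment is the important part.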
@ -77,6 +77,9 @@ xmlFuzzWriteInt(FILE *out, size_t v, int size);
|
||||
size_t
|
||||
xmlFuzzReadInt(int size);
|
||||
|
||||
size_t
|
||||
xmlFuzzBytesRemaining(void);
|
||||
|
||||
const char *
|
||||
xmlFuzzReadRemaining(size_t *size);
|
||||
|
||||
|
@ -62,16 +62,14 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
|
||||
* own buffer to avoid encoding the output. The HTML encoding is
|
||||
* excruciatingly slow (see htmlEntityValueLookup).
|
||||
*/
|
||||
xmlFuzzResetMallocFailed();
|
||||
out = xmlAllocOutputBuffer(NULL);
|
||||
htmlDocContentDumpOutput(out, doc, NULL);
|
||||
content = xmlOutputBufferGetContent(out);
|
||||
xmlOutputBufferClose(out);
|
||||
xmlFuzzCheckMallocFailure("htmlDocContentDumpOutput",
|
||||
content == NULL);
|
||||
xmlOutputBufferClose(out);
|
||||
#endif
|
||||
|
||||
xmlFuzzResetMallocFailed();
|
||||
copy = xmlCopyDoc(doc, 1);
|
||||
xmlFuzzCheckMallocFailure("xmlCopyNode", copy == NULL);
|
||||
xmlFreeDoc(copy);
|
||||
|
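Review bot: On the new side `out = xmlAllocOutputBuffer(NULL)` is passed straight to `htmlDocContentDumpOutput` and `xmlOutputBufferGetContent` without a NULL check, and this fuzzer injects malloc failures, so that allocation is expected to fail here by design; whether both callees and `xmlOutputBufferClose` tolerate a NULL buffer is not visible in the hunk. If I read the old/new order correctly, moving the close after the check is an improvement (the `content == NULL` test no longer involves a pointer into a freed buffer), but I would make the NULL path explicit: `if (out != NULL) { htmlDocContentDumpOutput(out, doc, NULL); content = xmlOutputBufferGetContent(out); }` with `content` initialised to NULL where it is declared (outside the hunk), or else a comment stating that the callees accept NULL. The file is inferred to be fuzz/html.c since its section header is absent; LLVMFuzzerTestOneInput starts and ends outside the hunk.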
@ -58,7 +58,6 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
|
||||
xmlFuzzCheckMallocFailure("xmlCtxtReadMemory",
|
||||
ctxt->errNo == XML_ERR_NO_MEMORY);
|
||||
|
||||
xmlFuzzResetMallocFailed();
|
||||
xinc = xmlXIncludeNewContext(doc);
|
||||
xmlXIncludeSetFlags(xinc, opts);
|
||||
xmlXIncludeProcessNode(xinc, (xmlNodePtr) doc);
|
||||
|
@ -247,10 +247,6 @@ xmlEscapeEntities(unsigned char* out, int *outlen,
|
||||
val = xmlGetUTF8Char(in, &len);
|
||||
|
||||
if (val < 0) {
|
||||
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
|
||||
fprintf(stderr, "xmlEscapeEntities: invalid UTF-8\n");
|
||||
abort();
|
||||
#endif
|
||||
val = 0xFFFD;
|
||||
in++;
|
||||
} else {
|
||||
@ -2358,10 +2354,6 @@ xmlBufAttrSerializeTxtContent(xmlOutputBufferPtr buf, xmlDocPtr doc,
|
||||
|
||||
val = xmlGetUTF8Char(cur, &l);
|
||||
if (val < 0) {
|
||||
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
|
||||
fprintf(stderr, "xmlEscapeEntities: invalid UTF-8\n");
|
||||
abort();
|
||||
#endif
|
||||
val = 0xFFFD;
|
||||
cur++;
|
||||
} else {
|
||||
|