
fuzz: New tree API fuzzer

This commit is contained in:
Nick Wellnhofer 2024-02-29 14:51:49 +01:00
parent 2469d5d065
commit ee0c1f87c0
10 changed files with 3450 additions and 22 deletions


@ -656,11 +656,6 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
l = 4;
val = xmlGetUTF8Char(cur, &l);
if (val < 0) {
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
fprintf(stderr, "xmlEncodeEntitiesInternal: "
"invalid UTF-8\n");
abort();
#endif
val = 0xFFFD;
cur++;
} else {


@ -698,8 +698,7 @@ xmlVRaiseError(xmlStructuredErrorFunc schannel,
if (code == XML_ERR_OK)
return(0);
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
if ((code == XML_ERR_INTERNAL_ERROR) ||
(code == XML_ERR_ARGUMENT)) {
if (code == XML_ERR_INTERNAL_ERROR) {
fprintf(stderr, "Unexpected error: %d\n", code);
abort();
}
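Review bot: The fuzzing-mode abort now fires only for XML_ERR_INTERNAL_ERROR, and the line replacing the two removed ones gives no hint why XML_ERR_ARGUMENT was dropped from the condition; presumably the new tree API fuzzer calls functions with invalid arguments on purpose, so that code is expected rather than a sign of a bug. A one-line comment above the check would keep a later reader from re-adding it, e.g. `/* XML_ERR_ARGUMENT is expected from the API fuzzer; only internal errors indicate a bug. */`. xmlVRaiseError continues outside the hunk.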

1
fuzz/.gitignore vendored

@ -1,3 +1,4 @@
api
corpus/
genSeed
html


@ -1,5 +1,5 @@
AUTOMAKE_OPTIONS = -Wno-syntax
EXTRA_PROGRAMS = genSeed html regexp schema uri valid xinclude xml xpath
EXTRA_PROGRAMS = api genSeed html regexp schema uri valid xinclude xml xpath
check_PROGRAMS = testFuzzer
EXTRA_DIST = html.dict regexp.dict schema.dict xml.dict xpath.dict \
static_seed/uri static_seed/regexp fuzz.h
@ -123,6 +123,20 @@ fuzz-html: html$(EXEEXT) seed/html.stamp
-use_value_profile=1 \
corpus/html seed/html
# API fuzzer
api_SOURCES = api.c fuzz.c
api_LDFLAGS = -fsanitize=fuzzer
fuzz-api: api$(EXEEXT)
@mkdir -p corpus/api
./api$(EXEEXT) \
-max_len=100 \
-timeout=20 \
-use_value_profile=1 \
-jobs=4 -workers=4 \
corpus/api
# Regexp fuzzer
seed/regexp.stamp:

3416
fuzz/api.c Normal file



@ -119,12 +119,13 @@ xmlFuzzResetMallocFailed(void) {
}
void
xmlFuzzCheckMallocFailure(const char *func, int expect) {
if (fuzzAllocFailed != expect) {
xmlFuzzCheckMallocFailure(const char *func, int error) {
if (error >= 0 && fuzzAllocFailed != error) {
fprintf(stderr, "%s: malloc failure %s reported\n",
func, fuzzAllocFailed ? "not" : "erroneously");
abort();
}
fuzzAllocFailed = 0;
}
/**
@ -202,6 +203,16 @@ xmlFuzzReadInt(int size) {
return ret;
}
/**
* xmlFuzzBytesRemaining:
*
* Return number of remaining bytes in fuzz data.
*/
size_t
xmlFuzzBytesRemaining(void) {
return(fuzzData.remaining);
}
/**
* xmlFuzzReadRemaining:
* @size: size of string in bytes
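Review bot: The new `error` parameter of xmlFuzzCheckMallocFailure in the first hunk has three-valued semantics (negative skips the comparison, 0 or 1 is compared against fuzzAllocFailed) and the function now also clears fuzzAllocFailed unconditionally on the way out, but neither is documented. Other files in this commit (html.c, xinclude.c) drop their explicit xmlFuzzResetMallocFailed() calls on the strength of that reset, so the contract should be written down rather than left for readers to reconstruct. A doc comment above the function in the same style as the one added for xmlFuzzBytesRemaining in the second hunk would do: `@func` as the name printed on a mismatch, `@error` as 1 if the checked call reported an error, 0 if it did not, negative if unknown (comparison skipped), and a note that the malloc-failure flag is reset in every case. The matching declaration in fuzz.h gains no comment in this commit either.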


@ -77,6 +77,9 @@ xmlFuzzWriteInt(FILE *out, size_t v, int size);
size_t
xmlFuzzReadInt(int size);
size_t
xmlFuzzBytesRemaining(void);
const char *
xmlFuzzReadRemaining(size_t *size);


@ -62,16 +62,14 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
* own buffer to avoid encoding the output. The HTML encoding is
* excruciatingly slow (see htmlEntityValueLookup).
*/
xmlFuzzResetMallocFailed();
out = xmlAllocOutputBuffer(NULL);
htmlDocContentDumpOutput(out, doc, NULL);
content = xmlOutputBufferGetContent(out);
xmlOutputBufferClose(out);
xmlFuzzCheckMallocFailure("htmlDocContentDumpOutput",
content == NULL);
xmlOutputBufferClose(out);
#endif
xmlFuzzResetMallocFailed();
copy = xmlCopyDoc(doc, 1);
xmlFuzzCheckMallocFailure("xmlCopyNode", copy == NULL);
xmlFreeDoc(copy);
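Review bot: With the xmlFuzzResetMallocFailed() call before xmlCopyDoc removed, the flag state entering the copy now depends on xmlFuzzCheckMallocFailure having cleared it at the end of the preceding check (the fuzz.c change in this commit), and, when the block closed by `#endif` is compiled out, on the check that precedes this hunk; that implicit ordering dependency deserves a one-line comment where the reset used to be, e.g. `/* fuzzAllocFailed was cleared by the preceding xmlFuzzCheckMallocFailure */`. The same applies to the reset dropped in xinclude.c. Moving xmlOutputBufferClose after the check is fine since `content` is only compared against NULL before the buffer goes away. LLVMFuzzerTestOneInput starts and ends outside the hunk.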


@ -58,7 +58,6 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlFuzzCheckMallocFailure("xmlCtxtReadMemory",
ctxt->errNo == XML_ERR_NO_MEMORY);
xmlFuzzResetMallocFailed();
xinc = xmlXIncludeNewContext(doc);
xmlXIncludeSetFlags(xinc, opts);
xmlXIncludeProcessNode(xinc, (xmlNodePtr) doc);


@ -247,10 +247,6 @@ xmlEscapeEntities(unsigned char* out, int *outlen,
val = xmlGetUTF8Char(in, &len);
if (val < 0) {
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
fprintf(stderr, "xmlEscapeEntities: invalid UTF-8\n");
abort();
#endif
val = 0xFFFD;
in++;
} else {
@ -2358,10 +2354,6 @@ xmlBufAttrSerializeTxtContent(xmlOutputBufferPtr buf, xmlDocPtr doc,
val = xmlGetUTF8Char(cur, &l);
if (val < 0) {
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
fprintf(stderr, "xmlEscapeEntities: invalid UTF-8\n");
abort();
#endif
val = 0xFFFD;
cur++;
} else {