1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2024-12-24 21:33:51 +03:00
libxml2/fuzz
Nick Wellnhofer 0c56eb8215 tree: Restore return value of xmlNodeListGetString with NULL list
When passing a NULL list to xmlNodeListGetString or
xmlNodeListGetRawString, return NULL instead of "" to match the old
behavior.

Fixes #783.
2024-08-12 21:38:50 +02:00
..
static_seed fuzz: Add maxAlloc item to static seed corpus 2023-03-08 14:07:15 +01:00
.gitignore fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
api.c tree: Restore return value of xmlNodeListGetString with NULL list 2024-08-12 21:38:50 +02:00
fuzz.c parser: Rename new input API functions 2024-07-11 01:33:29 +02:00
fuzz.h libxml: define ATTRIBUTE_UNUSED for clang 2024-06-20 15:24:15 -07:00
genSeed.c io: Deprecate a few functions 2024-07-16 17:42:10 +02:00
html.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
html.dict Add charset names to fuzzing dictionaries 2021-02-22 13:21:38 +01:00
lint.c xmllint: Switch to resource loader 2024-06-12 16:36:12 +02:00
Makefile.am fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
oss-fuzz-build.sh fuzz: Fix aarch64 build on OSS-Fuzz 2024-05-28 22:52:30 +02:00
reader.c fuzz: Adjust reader fuzzer 2024-07-10 22:26:11 +02:00
reader.options fuzz: Enable reader fuzzer on OSS-Fuzz 2024-04-23 18:36:15 +02:00
README.md fuzz: Move fuzzer options to environment variable 2024-03-16 15:20:08 +01:00
regexp.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
regexp.dict Update fuzzing code 2020-07-31 11:55:13 +02:00
schema.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
schema.dict Fuzz target for XML Schemas 2020-06-23 16:20:27 +02:00
testFuzzer.c fuzz: Move to per-context resource loader 2024-06-12 16:36:12 +02:00
uri.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
valid.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
valid.options fuzz: Remove OSS-Fuzz timeout option 2024-05-14 16:08:37 +02:00
xinclude.c fuzz: Move to per-context resource loader 2024-06-12 16:36:12 +02:00
xinclude.options fuzz: Remove OSS-Fuzz timeout option 2024-05-14 16:08:37 +02:00
xml.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
xml.dict fuzz: Improve xml.dict 2024-05-06 00:32:08 +02:00
xpath.c fuzz: Add missing include 2024-01-07 15:42:46 +01:00
xpath.dict Add XPath and XPointer fuzzer 2020-08-06 14:12:32 +02:00

libFuzzer instructions for libxml2

Set compiler and options. Make sure to enable at least basic optimizations to avoid excessive stack usage. Also enable some debug output to get meaningful stack traces.

export CC=clang
export CFLAGS=" \
    -O1 -gline-tables-only \
    -fsanitize=fuzzer-no-link,address,undefined \
    -fno-sanitize-recover=all \
    -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"

Other options that can improve stack traces:

-fno-omit-frame-pointer
-fno-inline
-fno-optimize-sibling-calls (disables tail call optimization)

Build libxml2 with instrumentation:

./configure --without-python
make

Run fuzzers:

make -C fuzz fuzz-xml

The environment variable XML_FUZZ_OPTIONS can be used to pass additional flags to the fuzzer.

Malloc failure injection

Most fuzzers inject malloc failures to cover code paths handling these errors. This can lead to surprises when debugging crashes. You can set the macro XML_FUZZ_MALLOC_ABORT in fuzz/fuzz.c to make the fuzz target abort at the malloc invocation which would fail. This tells you if and where a malloc failure was injected.

Some fuzzers also test whether malloc failures are reported. To debug failures which aren't reported, it's helpful to enable XML_FUZZ_MALLOC_ABORT to see which allocation failed. Debugging failures which are erroneously reported can be harder. If the report goes through xmlRaiseMemoryError, you can abort() there to get a stack trace.