1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2024-12-24 21:33:51 +03:00
libxml2/fuzz
Nick Wellnhofer 208f27f964 include: Don't define ATTRIBUTE_UNUSED in public header
Stop polluting namespace with unprefixed names.
2024-06-15 19:13:08 +02:00
..
static_seed fuzz: Add maxAlloc item to static seed corpus 2023-03-08 14:07:15 +01:00
.gitignore fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
api.c fuzz: Move to per-context resource loader 2024-06-12 16:36:12 +02:00
fuzz.c fuzz: Avoid accessing internal struct members 2024-06-13 18:01:23 +02:00
fuzz.h include: Don't define ATTRIBUTE_UNUSED in public header 2024-06-15 19:13:08 +02:00
genSeed.c parser: Pass resource type to resource loader 2024-06-12 16:36:12 +02:00
html.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
html.dict Add charset names to fuzzing dictionaries 2021-02-22 13:21:38 +01:00
lint.c xmllint: Switch to resource loader 2024-06-12 16:36:12 +02:00
Makefile.am fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
oss-fuzz-build.sh fuzz: Fix aarch64 build on OSS-Fuzz 2024-05-28 22:52:30 +02:00
reader.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
reader.options fuzz: Enable reader fuzzer on OSS-Fuzz 2024-04-23 18:36:15 +02:00
README.md fuzz: Move fuzzer options to environment variable 2024-03-16 15:20:08 +01:00
regexp.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
regexp.dict Update fuzzing code 2020-07-31 11:55:13 +02:00
schema.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
schema.dict Fuzz target for XML Schemas 2020-06-23 16:20:27 +02:00
testFuzzer.c fuzz: Move to per-context resource loader 2024-06-12 16:36:12 +02:00
uri.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
valid.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
valid.options fuzz: Remove OSS-Fuzz timeout option 2024-05-14 16:08:37 +02:00
xinclude.c fuzz: Move to per-context resource loader 2024-06-12 16:36:12 +02:00
xinclude.options fuzz: Remove OSS-Fuzz timeout option 2024-05-14 16:08:37 +02:00
xml.c fuzz: Move to per-context error handler 2024-06-12 16:36:12 +02:00
xml.dict fuzz: Improve xml.dict 2024-05-06 00:32:08 +02:00
xpath.c fuzz: Add missing include 2024-01-07 15:42:46 +01:00
xpath.dict Add XPath and XPointer fuzzer 2020-08-06 14:12:32 +02:00

libFuzzer instructions for libxml2

Set compiler and options. Make sure to enable at least basic optimizations to avoid excessive stack usage. Also enable some debug output to get meaningful stack traces.

export CC=clang
export CFLAGS=" \
    -O1 -gline-tables-only \
    -fsanitize=fuzzer-no-link,address,undefined \
    -fno-sanitize-recover=all \
    -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"

Other options that can improve stack traces:

-fno-omit-frame-pointer
-fno-inline
-fno-optimize-sibling-calls (disables tail call optimization)

Build libxml2 with instrumentation:

./configure --without-python
make

Run fuzzers:

make -C fuzz fuzz-xml

The environment variable XML_FUZZ_OPTIONS can be used to pass additional flags to the fuzzer.

Malloc failure injection

Most fuzzers inject malloc failures to cover code paths handling these errors. This can lead to surprises when debugging crashes. You can set the macro XML_FUZZ_MALLOC_ABORT in fuzz/fuzz.c to make the fuzz target abort at the malloc invocation which would fail. This tells you if and where a malloc failure was injected.

Some fuzzers also test whether malloc failures are reported. To debug failures which aren't reported, it's helpful to enable XML_FUZZ_MALLOC_ABORT to see which allocation failed. Debugging failures which are erroneously reported can be harder. If the report goes through xmlRaiseMemoryError, you can abort() there to get a stack trace.