1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2024-12-24 21:33:51 +03:00
libxml2/fuzz
Nick Wellnhofer 51b5d1e378 fuzz: Don't enable zlib and liblzma with MSan
We'd need our own instrumented builds of these libraries.
2024-05-15 16:21:11 +02:00
..
static_seed fuzz: Add maxAlloc item to static seed corpus 2023-03-08 14:07:15 +01:00
.gitignore fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
api.c fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
fuzz.c fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
fuzz.h fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
genSeed.c fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
html.c fuzz: New tree API fuzzer 2024-03-15 19:54:27 +01:00
html.dict Add charset names to fuzzing dictionaries 2021-02-22 13:21:38 +01:00
lint.c fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
Makefile.am fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
oss-fuzz-build.sh fuzz: Don't enable zlib and liblzma with MSan 2024-05-15 16:21:11 +02:00
reader.c fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
reader.options fuzz: Enable reader fuzzer on OSS-Fuzz 2024-04-23 18:36:15 +02:00
README.md fuzz: Move fuzzer options to environment variable 2024-03-16 15:20:08 +01:00
regexp.c regexp: Report malloc failures 2023-12-11 22:13:05 +01:00
regexp.dict Update fuzzing code 2020-07-31 11:55:13 +02:00
schema.c fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
schema.dict Fuzz target for XML Schemas 2020-06-23 16:20:27 +02:00
testFuzzer.c fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
uri.c uri: Report malloc failures 2023-12-11 22:05:47 +01:00
valid.c fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
valid.options fuzz: Remove OSS-Fuzz timeout option 2024-05-14 16:08:37 +02:00
xinclude.c fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
xinclude.options fuzz: Remove OSS-Fuzz timeout option 2024-05-14 16:08:37 +02:00
xml.c fuzz: Add xmllint fuzzer 2024-05-13 12:50:08 +02:00
xml.dict fuzz: Improve xml.dict 2024-05-06 00:32:08 +02:00
xpath.c fuzz: Add missing include 2024-01-07 15:42:46 +01:00
xpath.dict Add XPath and XPointer fuzzer 2020-08-06 14:12:32 +02:00

libFuzzer instructions for libxml2

Set compiler and options. Make sure to enable at least basic optimizations to avoid excessive stack usage. Also enable some debug output to get meaningful stack traces.

export CC=clang
export CFLAGS=" \
    -O1 -gline-tables-only \
    -fsanitize=fuzzer-no-link,address,undefined \
    -fno-sanitize-recover=all \
    -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"

Other options that can improve stack traces:

-fno-omit-frame-pointer
-fno-inline
-fno-optimize-sibling-calls (disables tail call optimization)

Build libxml2 with instrumentation:

./configure --without-python
make

Run fuzzers:

make -C fuzz fuzz-xml

The environment variable XML_FUZZ_OPTIONS can be used to pass additional flags to the fuzzer.

Malloc failure injection

Most fuzzers inject malloc failures to cover code paths handling these errors. This can lead to surprises when debugging crashes. You can set the macro XML_FUZZ_MALLOC_ABORT in fuzz/fuzz.c to make the fuzz target abort at the malloc invocation which would fail. This tells you if and where a malloc failure was injected.

Some fuzzers also test whether malloc failures are reported. To debug failures which aren't reported, it's helpful to enable XML_FUZZ_MALLOC_ABORT to see which allocation failed. Debugging failures which are erroneously reported can be harder. If the report goes through xmlRaiseMemoryError, you can abort() there to get a stack trace.