File: xinclude.c

package info (click to toggle)
libxml2 2.15.1%2Bdfsg-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 9,964 kB
  • sloc: ansic: 138,103; python: 6,692; sh: 4,736; xml: 1,476; makefile: 715
file content (105 lines) | stat: -rw-r--r-- 2,972 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
 
/*
 * xinclude.c: a libFuzzer target to test the XInclude engine.
 *
 * See Copyright for the status of this software.
 */

#include <libxml/catalog.h>
#include <libxml/parser.h>
#include <libxml/tree.h>
#include <libxml/xmlerror.h>
#include <libxml/xinclude.h>
#include "fuzz.h"

int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    xmlFuzzMemSetup();
    xmlInitParser();
#ifdef LIBXML_CATALOG_ENABLED
    xmlInitializeCatalog();
    xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
#endif
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);

    return 0;
}

int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlParserCtxtPtr ctxt;
    xmlDocPtr doc;
    const char *docBuffer, *docUrl;
    size_t failurePos, docSize;
    int opts;

    xmlFuzzDataInit(data, size);
    opts = (int) xmlFuzzReadInt(4);
    opts &= ~XML_PARSE_DTDVALID &
            ~XML_PARSE_SAX1;
    failurePos = xmlFuzzReadInt(4) % (size + 100);

    xmlFuzzReadEntities();
    docBuffer = xmlFuzzMainEntity(&docSize);
    docUrl = xmlFuzzMainUrl();
    if (docBuffer == NULL)
        goto exit;

    /* Pull parser */

    xmlFuzzInjectFailure(failurePos);
    ctxt = xmlNewParserCtxt();
    if (ctxt != NULL) {
        xmlXIncludeCtxtPtr xinc;
        xmlDocPtr copy;

        xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);

        doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts);
        xmlFuzzCheckFailureReport("xmlCtxtReadMemory",
                doc == NULL && ctxt->errNo == XML_ERR_NO_MEMORY,
                doc == NULL && ctxt->errNo == XML_IO_EIO);

        xinc = xmlXIncludeNewContext(doc);
        xmlXIncludeSetResourceLoader(xinc, xmlFuzzResourceLoader, NULL);
        xmlXIncludeSetFlags(xinc, opts);
        xmlXIncludeProcessNode(xinc, (xmlNodePtr) doc);
        if (doc != NULL) {
            xmlFuzzCheckFailureReport("xmlXIncludeProcessNode",
                    xinc == NULL ||
                    xmlXIncludeGetLastError(xinc) == XML_ERR_NO_MEMORY,
                    xinc != NULL &&
                    xmlXIncludeGetLastError(xinc) == XML_IO_EIO);
        }
        xmlXIncludeFreeContext(xinc);

        xmlFuzzResetFailure();
        copy = xmlCopyDoc(doc, 1);
        if (doc != NULL)
            xmlFuzzCheckFailureReport("xmlCopyNode", copy == NULL, 0);
        xmlFreeDoc(copy);

        xmlFreeDoc(doc);
        xmlFreeParserCtxt(ctxt);
    }

exit:
    xmlFuzzInjectFailure(0);
    xmlFuzzDataCleanup();
    xmlResetLastError();
    return(0);
}

size_t
LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
                        unsigned seed) {
    static const xmlFuzzChunkDesc chunks[] = {
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* opts */
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
        { 0, 0 }
    };

    return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
                               LLVMFuzzerMutate);
}