| | |
| | |
| | |
| | |
| | |
| |
|
| | #include <libxml/catalog.h> |
| | #include <libxml/parser.h> |
| | #include <libxml/tree.h> |
| | #include <libxml/xmlerror.h> |
| | #include <libxml/xmlreader.h> |
| | #include <libxml/xmlsave.h> |
| | #include "fuzz.h" |
| |
|
| | #include <string.h> |
| |
|
| | #if 0 |
| | #define DEBUG |
| | #endif |
| |
|
| | typedef enum { |
| | OP_READ = 1, |
| | OP_READ_INNER_XML, |
| | OP_READ_OUTER_XML, |
| | OP_READ_STRING, |
| | OP_READ_ATTRIBUTE_VALUE, |
| | OP_ATTRIBUTE_COUNT, |
| | OP_DEPTH, |
| | OP_HAS_ATTRIBUTES, |
| | OP_HAS_VALUE, |
| | OP_IS_DEFAULT, |
| | OP_IS_EMPTY_ELEMENT, |
| | OP_NODE_TYPE, |
| | OP_QUOTE_CHAR, |
| | OP_READ_STATE, |
| | OP_IS_NAMESPACE_DECL, |
| | OP_CONST_BASE_URI, |
| | OP_CONST_LOCAL_NAME, |
| | OP_CONST_NAME, |
| | OP_CONST_NAMESPACE_URI, |
| | OP_CONST_PREFIX, |
| | OP_CONST_XML_LANG, |
| | OP_CONST_VALUE, |
| | OP_BASE_URI, |
| | OP_LOCAL_NAME, |
| | OP_NAME, |
| | OP_NAMESPACE_URI, |
| | OP_PREFIX, |
| | OP_XML_LANG, |
| | OP_VALUE, |
| | OP_CLOSE, |
| | OP_GET_ATTRIBUTE_NO, |
| | OP_GET_ATTRIBUTE, |
| | OP_GET_ATTRIBUTE_NS, |
| | OP_GET_REMAINDER, |
| | OP_LOOKUP_NAMESPACE, |
| | OP_MOVE_TO_ATTRIBUTE_NO, |
| | OP_MOVE_TO_ATTRIBUTE, |
| | OP_MOVE_TO_ATTRIBUTE_NS, |
| | OP_MOVE_TO_FIRST_ATTRIBUTE, |
| | OP_MOVE_TO_NEXT_ATTRIBUTE, |
| | OP_MOVE_TO_ELEMENT, |
| | OP_NORMALIZATION, |
| | OP_CONST_ENCODING, |
| | OP_GET_PARSER_PROP, |
| | OP_CURRENT_NODE, |
| | OP_GET_PARSER_LINE_NUMBER, |
| | OP_GET_PARSER_COLUMN_NUMBER, |
| | OP_PRESERVE, |
| | OP_CURRENT_DOC, |
| | OP_EXPAND, |
| | OP_NEXT, |
| | OP_NEXT_SIBLING, |
| | OP_IS_VALID, |
| | OP_CONST_XML_VERSION, |
| | OP_STANDALONE, |
| | OP_BYTE_CONSUMED, |
| |
|
| | OP_MAX |
| | } opType; |
| |
|
| | static void |
| | startOp(const char *name) { |
| | (void) name; |
| | #ifdef DEBUG |
| | fprintf(stderr, "%s\n", name); |
| | #endif |
| | } |
| |
|
| | int |
| | LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED, |
| | char ***argv ATTRIBUTE_UNUSED) { |
| | xmlFuzzMemSetup(); |
| | xmlInitParser(); |
| | #ifdef LIBXML_CATALOG_ENABLED |
| | xmlInitializeCatalog(); |
| | xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE); |
| | #endif |
| |
|
| | return 0; |
| | } |
| |
|
| | int |
| | LLVMFuzzerTestOneInput(const char *data, size_t size) { |
| | xmlTextReaderPtr reader; |
| | xmlDocPtr doc = NULL; |
| | const xmlError *error; |
| | const char *docBuffer; |
| | const unsigned char *program; |
| | size_t failurePos, docSize, programSize, i; |
| | size_t totalStringSize = 0; |
| | int opts; |
| | int oomReport = 0; |
| |
|
| | xmlFuzzDataInit(data, size); |
| | opts = (int) xmlFuzzReadInt(4); |
| | failurePos = xmlFuzzReadInt(4) % (size + 100); |
| |
|
| | program = (const unsigned char *) xmlFuzzReadString(&programSize); |
| | if (programSize > 1000) |
| | programSize = 1000; |
| |
|
| | xmlFuzzReadEntities(); |
| | docBuffer = xmlFuzzMainEntity(&docSize); |
| | if (docBuffer == NULL) |
| | goto exit; |
| |
|
| | #ifdef DEBUG |
| | fprintf(stderr, "Input document (%d bytes):\n", (int) docSize); |
| | for (i = 0; (size_t) i < docSize; i++) { |
| | int c = (unsigned char) docBuffer[i]; |
| |
|
| | if ((c == '\n' || (c >= 0x20 && c <= 0x7E))) |
| | putc(c, stderr); |
| | else |
| | fprintf(stderr, "\\x%02X", c); |
| | } |
| | fprintf(stderr, "\nEOF\n"); |
| | #endif |
| |
|
| | xmlFuzzInjectFailure(failurePos); |
| | reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts); |
| | if (reader == NULL) |
| | goto exit; |
| |
|
| | xmlTextReaderSetStructuredErrorHandler(reader, xmlFuzzSErrorFunc, NULL); |
| | xmlTextReaderSetResourceLoader(reader, xmlFuzzResourceLoader, NULL); |
| |
|
| | i = 0; |
| | while (i < programSize) { |
| | int op = program[i++]; |
| |
|
| | #define READ_BYTE() (i < programSize ? program[i++] : 0) |
| | #define FREE_STRING(str) \ |
| | do { \ |
| | if (str != NULL) { \ |
| | totalStringSize += strlen((char *) str); \ |
| | xmlFree(str); \ |
| | } \ |
| | } while (0) |
| |
|
| | switch (op & 0x3F) { |
| | case OP_READ: |
| | default: |
| | startOp("Read"); |
| | xmlTextReaderRead(reader); |
| | break; |
| |
|
| | case OP_READ_INNER_XML: { |
| | xmlChar *result; |
| |
|
| | startOp("ReadInnerXml"); |
| | result = xmlTextReaderReadInnerXml(reader); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_READ_OUTER_XML: { |
| | xmlChar *result; |
| |
|
| | startOp("ReadOuterXml"); |
| | result = xmlTextReaderReadOuterXml(reader); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_READ_STRING: { |
| | xmlChar *result; |
| |
|
| | startOp("ReadString"); |
| | result = xmlTextReaderReadString(reader); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_READ_ATTRIBUTE_VALUE: |
| | startOp("ReadAttributeValue"); |
| | xmlTextReaderReadAttributeValue(reader); |
| | break; |
| |
|
| | case OP_ATTRIBUTE_COUNT: |
| | startOp("AttributeCount"); |
| | xmlTextReaderAttributeCount(reader); |
| | break; |
| |
|
| | case OP_DEPTH: |
| | startOp("Depth"); |
| | xmlTextReaderDepth(reader); |
| | break; |
| |
|
| | case OP_HAS_ATTRIBUTES: |
| | startOp("HasAttributes"); |
| | xmlTextReaderHasAttributes(reader); |
| | break; |
| |
|
| | case OP_HAS_VALUE: |
| | startOp("HasValue"); |
| | xmlTextReaderHasValue(reader); |
| | break; |
| |
|
| | case OP_IS_DEFAULT: |
| | startOp("IsDefault"); |
| | xmlTextReaderIsDefault(reader); |
| | break; |
| |
|
| | case OP_IS_EMPTY_ELEMENT: |
| | startOp("IsEmptyElement"); |
| | xmlTextReaderIsEmptyElement(reader); |
| | break; |
| |
|
| | case OP_NODE_TYPE: |
| | startOp("NodeType"); |
| | xmlTextReaderNodeType(reader); |
| | break; |
| |
|
| | case OP_QUOTE_CHAR: |
| | startOp("QuoteChar"); |
| | xmlTextReaderQuoteChar(reader); |
| | break; |
| |
|
| | case OP_READ_STATE: |
| | startOp("ReadState"); |
| | xmlTextReaderReadState(reader); |
| | break; |
| |
|
| | case OP_IS_NAMESPACE_DECL: |
| | startOp("IsNamespaceDecl"); |
| | xmlTextReaderIsNamespaceDecl(reader); |
| | break; |
| |
|
| | case OP_CONST_BASE_URI: |
| | startOp("ConstBaseUri"); |
| | xmlTextReaderConstBaseUri(reader); |
| | break; |
| |
|
| | case OP_CONST_LOCAL_NAME: |
| | startOp("ConstLocalName"); |
| | xmlTextReaderConstLocalName(reader); |
| | break; |
| |
|
| | case OP_CONST_NAME: |
| | startOp("ConstName"); |
| | xmlTextReaderConstName(reader); |
| | break; |
| |
|
| | case OP_CONST_NAMESPACE_URI: |
| | startOp("ConstNamespaceUri"); |
| | xmlTextReaderConstNamespaceUri(reader); |
| | break; |
| |
|
| | case OP_CONST_PREFIX: |
| | startOp("ConstPrefix"); |
| | xmlTextReaderConstPrefix(reader); |
| | break; |
| |
|
| | case OP_CONST_XML_LANG: |
| | startOp("ConstXmlLang"); |
| | xmlTextReaderConstXmlLang(reader); |
| | oomReport = -1; |
| | break; |
| |
|
| | case OP_CONST_VALUE: |
| | startOp("ConstValue"); |
| | xmlTextReaderConstValue(reader); |
| | break; |
| |
|
| | case OP_BASE_URI: { |
| | xmlChar *result; |
| |
|
| | startOp("BaseUri"); |
| | result = xmlTextReaderBaseUri(reader); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_LOCAL_NAME: { |
| | xmlChar *result; |
| |
|
| | startOp("LocalName"); |
| | result = xmlTextReaderLocalName(reader); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_NAME: { |
| | xmlChar *result; |
| |
|
| | startOp("Name"); |
| | result = xmlTextReaderName(reader); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_NAMESPACE_URI: { |
| | xmlChar *result; |
| |
|
| | startOp("NamespaceUri"); |
| | result = xmlTextReaderNamespaceUri(reader); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_PREFIX: { |
| | xmlChar *result; |
| |
|
| | startOp("Prefix"); |
| | result = xmlTextReaderPrefix(reader); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_XML_LANG: { |
| | xmlChar *result; |
| |
|
| | startOp("XmlLang"); |
| | result = xmlTextReaderXmlLang(reader); |
| | oomReport = -1; |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_VALUE: { |
| | xmlChar *result; |
| |
|
| | startOp("Value"); |
| | result = xmlTextReaderValue(reader); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_CLOSE: |
| | startOp("Close"); |
| | if (doc == NULL) |
| | doc = xmlTextReaderCurrentDoc(reader); |
| | xmlTextReaderClose(reader); |
| | break; |
| |
|
| | case OP_GET_ATTRIBUTE_NO: { |
| | xmlChar *result; |
| | int no = READ_BYTE(); |
| |
|
| | startOp("GetAttributeNo"); |
| | result = xmlTextReaderGetAttributeNo(reader, no); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_GET_ATTRIBUTE: { |
| | const xmlChar *name = xmlTextReaderConstName(reader); |
| | xmlChar *result; |
| |
|
| | startOp("GetAttribute"); |
| | result = xmlTextReaderGetAttribute(reader, name); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_GET_ATTRIBUTE_NS: { |
| | const xmlChar *localName, *namespaceUri; |
| | xmlChar *result; |
| |
|
| | startOp("GetAttributeNs"); |
| | localName = xmlTextReaderConstLocalName(reader); |
| | namespaceUri = xmlTextReaderConstNamespaceUri(reader); |
| | result = xmlTextReaderGetAttributeNs(reader, localName, |
| | namespaceUri); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_GET_REMAINDER: |
| | startOp("GetRemainder"); |
| | if (doc == NULL) |
| | doc = xmlTextReaderCurrentDoc(reader); |
| | xmlFreeParserInputBuffer(xmlTextReaderGetRemainder(reader)); |
| | break; |
| |
|
| | case OP_LOOKUP_NAMESPACE: { |
| | const xmlChar *prefix = xmlTextReaderConstPrefix(reader); |
| | xmlChar *result; |
| |
|
| | startOp("LookupNamespace"); |
| | result = xmlTextReaderLookupNamespace(reader, prefix); |
| | FREE_STRING(result); |
| | break; |
| | } |
| |
|
| | case OP_MOVE_TO_ATTRIBUTE_NO: { |
| | int no = READ_BYTE(); |
| |
|
| | startOp("MoveToAttributeNo"); |
| | xmlTextReaderMoveToAttributeNo(reader, no); |
| | break; |
| | } |
| |
|
| | case OP_MOVE_TO_ATTRIBUTE: { |
| | const xmlChar *name = xmlTextReaderConstName(reader); |
| |
|
| | startOp("MoveToAttribute"); |
| | xmlTextReaderMoveToAttribute(reader, name); |
| | break; |
| | } |
| |
|
| | case OP_MOVE_TO_ATTRIBUTE_NS: { |
| | const xmlChar *localName, *namespaceUri; |
| |
|
| | startOp("MoveToAttributeNs"); |
| | localName = xmlTextReaderConstLocalName(reader); |
| | namespaceUri = xmlTextReaderConstNamespaceUri(reader); |
| | xmlTextReaderMoveToAttributeNs(reader, localName, |
| | namespaceUri); |
| | break; |
| | } |
| |
|
| | case OP_MOVE_TO_FIRST_ATTRIBUTE: |
| | startOp("MoveToFirstAttribute"); |
| | xmlTextReaderMoveToFirstAttribute(reader); |
| | break; |
| |
|
| | case OP_MOVE_TO_NEXT_ATTRIBUTE: |
| | startOp("MoveToNextAttribute"); |
| | xmlTextReaderMoveToNextAttribute(reader); |
| | break; |
| |
|
| | case OP_MOVE_TO_ELEMENT: |
| | startOp("MoveToElement"); |
| | xmlTextReaderMoveToElement(reader); |
| | break; |
| |
|
| | case OP_NORMALIZATION: |
| | startOp("Normalization"); |
| | xmlTextReaderNormalization(reader); |
| | break; |
| |
|
| | case OP_CONST_ENCODING: |
| | startOp("ConstEncoding"); |
| | xmlTextReaderConstEncoding(reader); |
| | break; |
| |
|
| | case OP_GET_PARSER_PROP: { |
| | int prop = READ_BYTE(); |
| |
|
| | startOp("GetParserProp"); |
| | xmlTextReaderGetParserProp(reader, prop); |
| | break; |
| | } |
| |
|
| | case OP_CURRENT_NODE: |
| | startOp("CurrentNode"); |
| | xmlTextReaderCurrentNode(reader); |
| | break; |
| |
|
| | case OP_GET_PARSER_LINE_NUMBER: |
| | startOp("GetParserLineNumber"); |
| | xmlTextReaderGetParserLineNumber(reader); |
| | break; |
| |
|
| | case OP_GET_PARSER_COLUMN_NUMBER: |
| | startOp("GetParserColumnNumber"); |
| | xmlTextReaderGetParserColumnNumber(reader); |
| | break; |
| |
|
| | case OP_PRESERVE: |
| | startOp("Preserve"); |
| | xmlTextReaderPreserve(reader); |
| | break; |
| |
|
| | case OP_CURRENT_DOC: { |
| | xmlDocPtr result; |
| |
|
| | startOp("CurrentDoc"); |
| | result = xmlTextReaderCurrentDoc(reader); |
| | if (doc == NULL) |
| | doc = result; |
| | break; |
| | } |
| |
|
| | case OP_EXPAND: |
| | startOp("Expand"); |
| | xmlTextReaderExpand(reader); |
| | break; |
| |
|
| | case OP_NEXT: |
| | startOp("Next"); |
| | xmlTextReaderNext(reader); |
| | break; |
| |
|
| | case OP_NEXT_SIBLING: |
| | startOp("NextSibling"); |
| | xmlTextReaderNextSibling(reader); |
| | break; |
| |
|
| | case OP_IS_VALID: |
| | startOp("IsValid"); |
| | xmlTextReaderIsValid(reader); |
| | break; |
| |
|
| | case OP_CONST_XML_VERSION: |
| | startOp("ConstXmlVersion"); |
| | xmlTextReaderConstXmlVersion(reader); |
| | break; |
| |
|
| | case OP_STANDALONE: |
| | startOp("Standalone"); |
| | xmlTextReaderStandalone(reader); |
| | break; |
| |
|
| | case OP_BYTE_CONSUMED: |
| | startOp("ByteConsumed"); |
| | xmlTextReaderByteConsumed(reader); |
| | oomReport = -1; |
| | break; |
| | } |
| |
|
| | if (totalStringSize > docSize * 2) |
| | break; |
| | } |
| |
|
| | error = xmlTextReaderGetLastError(reader); |
| | if (error->code == XML_ERR_NO_MEMORY) |
| | oomReport = 1; |
| | xmlFuzzCheckFailureReport("reader", oomReport, error->code == XML_IO_EIO); |
| |
|
| | xmlFreeTextReader(reader); |
| |
|
| | if (doc != NULL) |
| | xmlFreeDoc(doc); |
| |
|
| | exit: |
| | xmlFuzzInjectFailure(0); |
| | xmlFuzzDataCleanup(); |
| | xmlResetLastError(); |
| | return(0); |
| | } |
| |
|
| | size_t |
| | LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize, |
| | unsigned seed) { |
| | static const xmlFuzzChunkDesc chunks[] = { |
| | { 4, XML_FUZZ_PROB_ONE / 10 }, |
| | { 4, XML_FUZZ_PROB_ONE / 10 }, |
| | { 0, 0 } |
| | }; |
| |
|
| | return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed, |
| | LLVMFuzzerMutate); |
| | } |
| |
|
| |
|
