diff --git a/fuzz/fuzz.c b/fuzz/fuzz.c
index 0873c364..2e9b480f 100644
--- a/fuzz/fuzz.c
+++ b/fuzz/fuzz.c
@@ -83,21 +83,46 @@ xmlFuzzDataCleanup(void) {
     xmlHashFree(fuzzData.entities, xmlHashDefaultDeallocator);
 }
 
+/**
+ * xmlFuzzWriteInt:
+ * @out: output file
+ * @v: integer to write
+ * @size: size of integer in bytes
+ *
+ * Write an integer to the fuzz data.
+ */
+void
+xmlFuzzWriteInt(FILE *out, size_t v, int size) {
+    int shift;
+
+    while (size > (int) sizeof(size_t)) {
+        putc(0, out);
+        size--;
+    }
+
+    shift = size * 8;
+    while (shift > 0) {
+        shift -= 8;
+        putc((v >> shift) & 255, out);
+    }
+}
+
 /**
  * xmlFuzzReadInt:
- * @size: size of string in bytes
+ * @size: size of integer in bytes
  *
  * Read an integer from the fuzz data.
  */
-int
-xmlFuzzReadInt(void) {
-    int ret;
+size_t
+xmlFuzzReadInt(int size) {
+    size_t ret = 0;
 
-    if (fuzzData.remaining < sizeof(int))
-        return(0);
-    memcpy(&ret, fuzzData.ptr, sizeof(int));
-    fuzzData.ptr += sizeof(int);
-    fuzzData.remaining -= sizeof(int);
+    while ((size > 0) && (fuzzData.remaining > 0)) {
+        unsigned char c = (unsigned char) *fuzzData.ptr++;
+        fuzzData.remaining--;
+        ret = (ret << 8) | c;
+        size--;
+    }
 
     return ret;
 }
diff --git a/fuzz/fuzz.h b/fuzz/fuzz.h
index e51dc7a9..50fd5bef 100644
--- a/fuzz/fuzz.h
+++ b/fuzz/fuzz.h
@@ -55,8 +55,11 @@ xmlFuzzDataInit(const char *data, size_t size);
 void
 xmlFuzzDataCleanup(void);
 
-int
-xmlFuzzReadInt(void);
+void
+xmlFuzzWriteInt(FILE *out, size_t v, int size);
+
+size_t
+xmlFuzzReadInt(int size);
 
 const char *
 xmlFuzzReadRemaining(size_t *size);
diff --git a/fuzz/genSeed.c b/fuzz/genSeed.c
index c1d26007..14f9b819 100644
--- a/fuzz/genSeed.c
+++ b/fuzz/genSeed.c
@@ -112,7 +112,8 @@ processXml(const char *docFile, FILE *out) {
     int opts = XML_PARSE_NOENT | XML_PARSE_DTDLOAD;
     xmlDocPtr doc;
 
-    fwrite(&opts, sizeof(opts), 1, out);
+    /* Parser options. */
+    xmlFuzzWriteInt(out, opts, 4);
 
     fuzzRecorderInit(out);
 
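Review bot: The new xmlFuzzWriteInt and xmlFuzzReadInt comments leave the wire format and the short-input behaviour unstated, which matters because the seed generator and every fuzz target must agree on it. xmlFuzzWriteInt emits the low `size` bytes of `v` most-significant byte first and zero-pads on the left when `size` exceeds sizeof(size_t), so any higher bytes of `v` are silently dropped; xmlFuzzReadInt, unlike the removed version that returned 0 without consuming anything, consumes whatever bytes remain when fewer than `size` are left and returns a value built from just those bytes. Suggest adding to the writer `Writes the low @size bytes of @v in big-endian order; higher bytes are discarded.` and to the reader `Returns: the big-endian value of the next @size bytes; if fewer remain, only those are consumed and the result is built from them.` A zero or negative `size` falls through both loops (nothing written, 0 returned) and is worth a one-line mention as well.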
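Review bot: The new prototype `xmlFuzzWriteInt(FILE *out, size_t v, int size);` makes fuzz.h depend on `FILE`, and this hunk shows no include for `<stdio.h>`; if the header relies on each including .c file to pull it in first, it is no longer self-contained. If fuzz.h does not already include `<stdio.h>` above line 55, add it there. The rest of the header is outside the hunk, so this may already be covered.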
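Review bot: The width of the options field is the bare literal `4` in `xmlFuzzWriteInt(out, opts, 4);` here, again in processHtml in the next hunk, and in the three readers in html.c, xinclude.c and xml.c; nothing ties these five copies together, so a change on one side would silently corrupt every existing seed. Suggest one shared constant declared next to the prototypes in fuzz.h (for example a `#define` for the options width) and used by both the writer and the readers. `opts` is an `int` converted to `size_t` at the call, which is fine as long as the option flags keep it non-negative. processXml's body continues past the hunk.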
@@ -132,9 +133,9 @@ processHtml(const char *docFile, FILE *out) {
     char buf[SEED_BUF_SIZE];
     FILE *file;
     size_t size;
-    int opts = 0;
 
-    fwrite(&opts, sizeof(opts), 1, out);
+    /* Parser options. */
+    xmlFuzzWriteInt(out, 0, 4);
 
     /* Copy file */
     file = fopen(docFile, "rb");
diff --git a/fuzz/html.c b/fuzz/html.c
index ecc6f7a6..2d64e694 100644
--- a/fuzz/html.c
+++ b/fuzz/html.c
@@ -32,7 +32,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
     int opts;
 
     xmlFuzzDataInit(data, size);
-    opts = xmlFuzzReadInt();
+    opts = (int) xmlFuzzReadInt(4);
 
     docBuffer = xmlFuzzReadRemaining(&docSize);
     if (docBuffer == NULL) {
diff --git a/fuzz/xinclude.c b/fuzz/xinclude.c
index b86e21b2..b0864666 100644
--- a/fuzz/xinclude.c
+++ b/fuzz/xinclude.c
@@ -34,7 +34,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
     int opts;
 
     xmlFuzzDataInit(data, size);
-    opts = xmlFuzzReadInt();
+    opts = (int) xmlFuzzReadInt(4);
 
     opts |= XML_PARSE_XINCLUDE;
     xmlFuzzReadEntities();
diff --git a/fuzz/xml.c b/fuzz/xml.c
index 7ff9bb80..408b9b02 100644
--- a/fuzz/xml.c
+++ b/fuzz/xml.c
@@ -36,7 +36,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
     int opts, outSize;
 
     xmlFuzzDataInit(data, size);
-    opts = xmlFuzzReadInt();
+    opts = (int) xmlFuzzReadInt(4);
 
     opts &= ~XML_PARSE_XINCLUDE;
     xmlFuzzReadEntities();
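Review bot: `opts = (int) xmlFuzzReadInt(4);` in html.c converts a size_t that can hold any 32-bit pattern into `int`, so values with bit 31 set yield an implementation-defined result (negative on the usual two's-complement toolchains); the identical line appears in the xinclude.c and xml.c hunks. For a fuzz target feeding arbitrary bits into the parser options this is presumably intended, but a short comment such as `/* Parser options: 4-byte big-endian, arbitrary fuzzer-chosen bits */` would record that the negative case is deliberate rather than an oversight. LLVMFuzzerTestOneInput continues outside each of these hunks.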