	Enforce maximum length of fuzz input
Remove the libfuzzer max_len option which doesn't apply to other fuzzing engines. Enforce the maximum length directly in the fuzz targets. For the xml target, lower the maximum when expanding entities to avoid timeout and OOM errors.
		| @@ -1,3 +1,2 @@ | |||||||
| [libfuzzer] | [libfuzzer] | ||||||
| max_len = 1000000 |  | ||||||
| timeout = 20 | timeout = 20 | ||||||
|   | |||||||
| @@ -21,6 +21,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) { | |||||||
|     char *str[2] = { NULL, NULL }; |     char *str[2] = { NULL, NULL }; | ||||||
|     size_t numStrings; |     size_t numStrings; | ||||||
|  |  | ||||||
|  |     if (size > 200) | ||||||
|  |         return(0); | ||||||
|  |  | ||||||
|     numStrings = xmlFuzzExtractStrings(data, size, str, 2); |     numStrings = xmlFuzzExtractStrings(data, size, str, 2); | ||||||
|  |  | ||||||
|     /* CUR_SCHAR doesn't handle invalid UTF-8 and may cause infinite loops. */ |     /* CUR_SCHAR doesn't handle invalid UTF-8 and may cause infinite loops. */ | ||||||
|   | |||||||
| @@ -1,3 +1,2 @@ | |||||||
| [libfuzzer] | [libfuzzer] | ||||||
| max_len = 200 |  | ||||||
| timeout = 5 | timeout = 5 | ||||||
|   | |||||||
| @@ -21,6 +21,9 @@ int | |||||||
| LLVMFuzzerTestOneInput(const char *data, size_t size) { | LLVMFuzzerTestOneInput(const char *data, size_t size) { | ||||||
|     xmlSchemaParserCtxtPtr pctxt; |     xmlSchemaParserCtxtPtr pctxt; | ||||||
|  |  | ||||||
|  |     if (size > 50000) | ||||||
|  |         return(0); | ||||||
|  |  | ||||||
|     xmlFuzzDataInit(data, size); |     xmlFuzzDataInit(data, size); | ||||||
|     xmlFuzzReadEntities(); |     xmlFuzzReadEntities(); | ||||||
|  |  | ||||||
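Review bot: The new cap of 50000 is tighter than the 80000 the removed `max_len` option allowed for this target (its old value is visible in the options hunk that follows), and the xpath target likewise goes from 80000 down to 10000, yet the commit message only mentions lowering the limit for the xml target. Either state the tightened limits in the description or leave a one-line comment above each check, e.g. `/* Lower than the old max_len of 80000; presumably to stay within the timeout — confirm. */`. The check runs before xmlFuzzDataInit(), so the bare `return(0)` needs no cleanup here. LLVMFuzzerTestOneInput continues outside the hunk.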
|   | |||||||
| @@ -1,3 +1,2 @@ | |||||||
| [libfuzzer] | [libfuzzer] | ||||||
| max_len = 80000 |  | ||||||
| timeout = 20 | timeout = 20 | ||||||
|   | |||||||
| @@ -13,6 +13,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) { | |||||||
|     char *str[2] = { NULL, NULL }; |     char *str[2] = { NULL, NULL }; | ||||||
|     size_t numStrings; |     size_t numStrings; | ||||||
|  |  | ||||||
|  |     if (size > 10000) | ||||||
|  |         return(0); | ||||||
|  |  | ||||||
|     numStrings = xmlFuzzExtractStrings(data, size, str, 2); |     numStrings = xmlFuzzExtractStrings(data, size, str, 2); | ||||||
|  |  | ||||||
|     uri = xmlParseURI(str[0]); |     uri = xmlParseURI(str[0]); | ||||||
|   | |||||||
| @@ -1,3 +1,2 @@ | |||||||
| [libfuzzer] | [libfuzzer] | ||||||
| max_len = 10000 |  | ||||||
| timeout = 5 | timeout = 5 | ||||||
|   | |||||||
										11
								fuzz/xml.c
										11
								fuzz/xml.c
							| @@ -29,13 +29,18 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) { | |||||||
|     xmlTextReaderPtr reader; |     xmlTextReaderPtr reader; | ||||||
|     xmlChar *out; |     xmlChar *out; | ||||||
|     const char *docBuffer, *docUrl; |     const char *docBuffer, *docUrl; | ||||||
|     size_t docSize, consumed, chunkSize; |     size_t maxSize, docSize, consumed, chunkSize; | ||||||
|     int opts, outSize; |     int opts, outSize; | ||||||
|  |  | ||||||
|     xmlFuzzDataInit(data, size); |     xmlFuzzDataInit(data, size); | ||||||
|     opts = xmlFuzzReadInt(); |     opts = xmlFuzzReadInt(); | ||||||
|     /* XML_PARSE_HUGE still causes timeouts. */ |  | ||||||
|     opts &= ~XML_PARSE_HUGE; |     /* Lower maximum size when processing entities for now. */ | ||||||
|  |     maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000; | ||||||
|  |     if (size > maxSize) { | ||||||
|  |         xmlFuzzDataCleanup(); | ||||||
|  |         return(0); | ||||||
|  |     } | ||||||
|  |  | ||||||
|     xmlFuzzReadEntities(); |     xmlFuzzReadEntities(); | ||||||
|     docBuffer = xmlFuzzMainEntity(&docSize); |     docBuffer = xmlFuzzMainEntity(&docSize); | ||||||
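Review bot: Neither the new comment nor the commit message explains why `opts &= ~XML_PARSE_HUGE;` and its "still causes timeouts" rationale are dropped from the old side of this hunk, so the target may now run with XML_PARSE_HUGE set without a recorded reason; if the size caps are what make that acceptable again, the replacing comment should say so, e.g. `/* XML_PARSE_HUGE is allowed again now that input size is capped; use a lower cap when entities are substituted. */`. The cap expression depends on `&` binding tighter than `?:`, which is correct but easy to misread; `maxSize = (opts & XML_PARSE_NOENT) ? 50000 : 500000;` reads unambiguously. The early return does call xmlFuzzDataCleanup(), which is needed here because xmlFuzzDataInit() has already run, unlike the other targets whose checks precede init. LLVMFuzzerTestOneInput continues outside the hunk.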
|   | |||||||
| @@ -1,3 +1,2 @@ | |||||||
| [libfuzzer] | [libfuzzer] | ||||||
| max_len = 80000 |  | ||||||
| timeout = 20 | timeout = 20 | ||||||
|   | |||||||
| @@ -23,6 +23,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) { | |||||||
|     const char *expr, *xml; |     const char *expr, *xml; | ||||||
|     size_t exprSize, xmlSize; |     size_t exprSize, xmlSize; | ||||||
|  |  | ||||||
|  |     if (size > 10000) | ||||||
|  |         return(0); | ||||||
|  |  | ||||||
|     xmlFuzzDataInit(data, size); |     xmlFuzzDataInit(data, size); | ||||||
|  |  | ||||||
|     expr = xmlFuzzReadString(&exprSize); |     expr = xmlFuzzReadString(&exprSize); | ||||||
|   | |||||||
| @@ -1,3 +1,2 @@ | |||||||
| [libfuzzer] | [libfuzzer] | ||||||
| max_len = 10000 |  | ||||||
| timeout = 20 | timeout = 20 | ||||||
|   | |||||||