lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-11-02 09:33:23 +03:00
Code Activity

fuzz: Inject IO failures

Browse Source 
We use the same counter for injecting malloc and IO failures. This
mostly renames several functions and variables.
This commit is contained in:
Nick Wellnhofer
2024-11-25 19:41:33 +01:00
parent 754843abda
commit 9f652e57c1
12 changed files with 191 additions and 150 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
fuzz/api.c
View File

@@ -970,7 +970,7 @@ LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
int int
LLVMFuzzerTestOneInput(const char *data, size_t size) { LLVMFuzzerTestOneInput(const char *data, size_t size) {
size_t maxAlloc; size_t failurePos;
int i; int i;
if (size > 1000) if (size > 1000)
@@ -980,8 +980,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlFuzzDataInit(data, size); xmlFuzzDataInit(data, size);
maxAlloc = xmlFuzzReadInt(4) % (size * 50 + 10); failurePos = xmlFuzzReadInt(4) % (size * 50 + 10);
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
/* /*
* Interpreter loop * Interpreter loop
@@ -1804,7 +1804,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
node, node,
BAD_CAST "lang", BAD_CAST "lang",
XML_XML_NAMESPACE); XML_XML_NAMESPACE);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
removeChildren((xmlNodePtr) attr, 0); removeChildren((xmlNodePtr) attr, 0);
res = xmlNodeSetLang( res = xmlNodeSetLang(
node, node,
@@ -1838,7 +1838,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
node, node,
BAD_CAST "space", BAD_CAST "space",
XML_XML_NAMESPACE); XML_XML_NAMESPACE);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
removeChildren((xmlNodePtr) attr, 0); removeChildren((xmlNodePtr) attr, 0);
res = xmlNodeSetSpacePreserve( res = xmlNodeSetSpacePreserve(
node, node,
@@ -1890,7 +1890,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
node, node,
BAD_CAST "base", BAD_CAST "base",
XML_XML_NAMESPACE); XML_XML_NAMESPACE);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
removeChildren((xmlNodePtr) attr, 0); removeChildren((xmlNodePtr) attr, 0);
res = xmlNodeSetBase( res = xmlNodeSetBase(
node, node,
@@ -2029,7 +2029,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
oldAttr = xmlHasNsProp(node, name, NULL); oldAttr = xmlHasNsProp(node, name, NULL);
else else
oldAttr = xmlHasNsProp(node, localName, ns->href); oldAttr = xmlHasNsProp(node, localName, ns->href);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
if (oldAttr != NULL) if (oldAttr != NULL)
removeChildren((xmlNodePtr) oldAttr, 0); removeChildren((xmlNodePtr) oldAttr, 0);
@@ -2056,7 +2056,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
name = getStr(0); name = getStr(0);
value = getStr(1); value = getStr(1);
oldAttr = xmlHasNsProp(node, name, ns ? ns->href : NULL); oldAttr = xmlHasNsProp(node, name, ns ? ns->href : NULL);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
if (oldAttr != NULL) if (oldAttr != NULL)
removeChildren((xmlNodePtr) oldAttr, 0); removeChildren((xmlNodePtr) oldAttr, 0);
attr = xmlSetNsProp(node, ns, name, value); attr = xmlSetNsProp(node, ns, name, value);
@@ -2105,7 +2105,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
node = getNode(0); node = getNode(0);
name = getStr(0); name = getStr(0);
attr = xmlHasNsProp(node, name, NULL); attr = xmlHasNsProp(node, name, NULL);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
if (attr != NULL) if (attr != NULL)
removeChildren((xmlNodePtr) attr, 1); removeChildren((xmlNodePtr) attr, 1);
setInt(0, xmlUnsetProp(node, name)); setInt(0, xmlUnsetProp(node, name));
@@ -2127,7 +2127,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
ns = nodeGetNs(getNode(1), getInt(1)); ns = nodeGetNs(getNode(1), getInt(1));
name = getStr(0); name = getStr(0);
attr = xmlHasNsProp(node, name, ns ? ns->href : NULL); attr = xmlHasNsProp(node, name, ns ? ns->href : NULL);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
if (attr != NULL) if (attr != NULL)
removeChildren((xmlNodePtr) attr, 1); removeChildren((xmlNodePtr) attr, 1);
setInt(0, xmlUnsetNsProp(node, ns, name)); setInt(0, xmlUnsetNsProp(node, ns, name));
@@ -2389,7 +2389,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlAttrPtr attr = xmlHasNsProp(parent, node->name, xmlAttrPtr attr = xmlHasNsProp(parent, node->name,
node->ns ? node->ns->href : NULL); node->ns ? node->ns->href : NULL);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
/* Attribute might be replaced */ /* Attribute might be replaced */
if (attr != NULL && attr != (xmlAttrPtr) node) if (attr != NULL && attr != (xmlAttrPtr) node)
removeChildren((xmlNodePtr) attr, 1); removeChildren((xmlNodePtr) attr, 1);
@@ -3016,7 +3016,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
node = getNode(0); node = getNode(0);
type = node ? node->type : 0; type = node ? node->type : 0;
xmlValidCtxtPtr vctxt = xmlNewValidCtxt(); xmlValidCtxtPtr vctxt = xmlNewValidCtxt();
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
switch (type) { switch (type) {
case XML_DOCUMENT_NODE: case XML_DOCUMENT_NODE:
@@ -3178,7 +3178,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
incStrIdx(); incStrIdx();
buffer = xmlBufferCreate(); buffer = xmlBufferCreate();
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
node = getNode(0); node = getNode(0);
doc = node ? node->doc : NULL; doc = node ? node->doc : NULL;
level = getInt(0); level = getInt(0);
@@ -3302,7 +3302,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
incStrIdx(); incStrIdx();
output = xmlAllocOutputBuffer(NULL); output = xmlAllocOutputBuffer(NULL);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
node = getNode(0); node = getNode(0);
doc = node ? node->doc : NULL; doc = node ? node->doc : NULL;
encoding = (const char *) getStr(1); encoding = (const char *) getStr(1);
@@ -3570,7 +3570,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
break; break;
} }
xmlFuzzCheckMallocFailure(vars->opName, oomReport); xmlFuzzCheckFailureReport(vars->opName, oomReport, 0);
} }
for (i = 0; i < REG_MAX; i++) for (i = 0; i < REG_MAX; i++)
@@ -3583,7 +3583,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
dropNode(node); dropNode(node);
} }
xmlFuzzMemSetLimit(0); xmlFuzzInjectFailure(0);
xmlFuzzDataCleanup(); xmlFuzzDataCleanup();
xmlResetLastError(); xmlResetLastError();
return(0); return(0);

99
fuzz/fuzz.c
View File

@@ -42,9 +42,10 @@ static struct {
xmlFuzzEntityInfo *mainEntity; xmlFuzzEntityInfo *mainEntity;
} fuzzData; } fuzzData;
size_t fuzzNumAllocs; size_t fuzzNumAttempts;
size_t fuzzMaxAllocs; size_t fuzzFailurePos;
int fuzzAllocFailed; int fuzzAllocFailed;
int fuzzIoFailed;
/** /**
* xmlFuzzErrorFunc: * xmlFuzzErrorFunc:
@@ -67,29 +68,61 @@ xmlFuzzSErrorFunc(void *ctx ATTRIBUTE_UNUSED,
} }
/* /*
* Malloc failure injection. * Failure injection.
* *
* To debug issues involving malloc failures, it's often helpful to set * To debug issues involving injected failures, it's often helpful to set
* MALLOC_ABORT to 1. This should provide a backtrace of the failed * FAILURE_ABORT to 1. This should provide a backtrace of the failed
* allocation. * operation.
*/ */
#define XML_FUZZ_MALLOC_ABORT 0 #define XML_FUZZ_FAILURE_ABORT 0
void
xmlFuzzInjectFailure(size_t failurePos) {
fuzzNumAttempts = 0;
fuzzFailurePos = failurePos;
fuzzAllocFailed = 0;
fuzzIoFailed = 0;
}
static int
xmlFuzzTryMalloc(void) {
if (fuzzFailurePos > 0) {
fuzzNumAttempts += 1;
if (fuzzNumAttempts == fuzzFailurePos) {
#if XML_FUZZ_FAILURE_ABORT
abort();
#endif
fuzzAllocFailed = 1;
return -1;
}
}
return 0;
}
static int
xmlFuzzTryIo(void) {
if (fuzzFailurePos > 0) {
fuzzNumAttempts += 1;
if (fuzzNumAttempts == fuzzFailurePos) {
#if XML_FUZZ_FAILURE_ABORT
abort();
#endif
fuzzIoFailed = 1;
return -1;
}
}
return 0;
}
static void * static void *
xmlFuzzMalloc(size_t size) { xmlFuzzMalloc(size_t size) {
void *ret; void *ret;
if (fuzzMaxAllocs > 0) { if (xmlFuzzTryMalloc() < 0)
fuzzNumAllocs += 1;
if (fuzzNumAllocs == fuzzMaxAllocs) {
#if XML_FUZZ_MALLOC_ABORT
abort();
#endif
fuzzAllocFailed = 1;
return NULL; return NULL;
}
}
ret = malloc(size); ret = malloc(size);
if (ret == NULL) if (ret == NULL)
@@ -102,16 +135,8 @@ static void *
xmlFuzzRealloc(void *ptr, size_t size) { xmlFuzzRealloc(void *ptr, size_t size) {
void *ret; void *ret;
if (fuzzMaxAllocs > 0) { if (xmlFuzzTryMalloc() < 0)
fuzzNumAllocs += 1;
if (fuzzNumAllocs == fuzzMaxAllocs) {
#if XML_FUZZ_MALLOC_ABORT
abort();
#endif
fuzzAllocFailed = 1;
return NULL; return NULL;
}
}
ret = realloc(ptr, size); ret = realloc(ptr, size);
if (ret == NULL) if (ret == NULL)
@@ -125,31 +150,31 @@ xmlFuzzMemSetup(void) {
xmlMemSetup(free, xmlFuzzMalloc, xmlFuzzRealloc, xmlMemStrdup); xmlMemSetup(free, xmlFuzzMalloc, xmlFuzzRealloc, xmlMemStrdup);
} }
void
xmlFuzzMemSetLimit(size_t limit) {
fuzzNumAllocs = 0;
fuzzMaxAllocs = limit;
fuzzAllocFailed = 0;
}
int int
xmlFuzzMallocFailed(void) { xmlFuzzMallocFailed(void) {
return fuzzAllocFailed; return fuzzAllocFailed;
} }
void void
xmlFuzzResetMallocFailed(void) { xmlFuzzResetFailure(void) {
fuzzAllocFailed = 0; fuzzAllocFailed = 0;
fuzzIoFailed = 0;
} }
void void
xmlFuzzCheckMallocFailure(const char *func, int error) { xmlFuzzCheckFailureReport(const char *func, int oomReport, int ioReport) {
if (error >= 0 && fuzzAllocFailed != error) { if (oomReport >= 0 && fuzzAllocFailed != oomReport) {
fprintf(stderr, "%s: malloc failure %s reported\n", fprintf(stderr, "%s: malloc failure %s reported\n",
func, fuzzAllocFailed ? "not" : "erroneously"); func, fuzzAllocFailed ? "not" : "erroneously");
abort(); abort();
} }
if (ioReport >= 0 && fuzzIoFailed != ioReport) {
fprintf(stderr, "%s: IO failure %s reported\n",
func, fuzzIoFailed ? "not" : "erroneously");
abort();
}
fuzzAllocFailed = 0; fuzzAllocFailed = 0;
fuzzIoFailed = 0;
} }
/** /**
@@ -413,6 +438,10 @@ xmlFuzzResourceLoader(void *data ATTRIBUTE_UNUSED, const char *URL,
if (entity == NULL) if (entity == NULL)
return(XML_IO_ENOENT); return(XML_IO_ENOENT);
/* IO failure injection */
if (xmlFuzzTryIo() < 0)
return(XML_IO_EIO);
input = xmlNewInputFromMemory(URL, entity->data, entity->size, input = xmlNewInputFromMemory(URL, entity->data, entity->size,
XML_INPUT_BUF_STATIC | XML_INPUT_BUF_STATIC |
XML_INPUT_BUF_ZERO_TERMINATED); XML_INPUT_BUF_ZERO_TERMINATED);

6
fuzz/fuzz.h
View File

@@ -68,16 +68,16 @@ void
xmlFuzzMemSetup(void); xmlFuzzMemSetup(void);
void void
xmlFuzzMemSetLimit(size_t limit); xmlFuzzInjectFailure(size_t failurePos);
int int
xmlFuzzMallocFailed(void); xmlFuzzMallocFailed(void);
void void
xmlFuzzResetMallocFailed(void); xmlFuzzResetFailure(void);
void void
xmlFuzzCheckMallocFailure(const char *func, int expect); xmlFuzzCheckFailureReport(const char *func, int oomReport, int ioReport);
void void
xmlFuzzDataInit(const char *data, size_t size); xmlFuzzDataInit(const char *data, size_t size);

26
fuzz/html.c
View File

@@ -27,12 +27,12 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlParserCtxtPtr ctxt; xmlParserCtxtPtr ctxt;
htmlDocPtr doc; htmlDocPtr doc;
const char *docBuffer; const char *docBuffer;
size_t maxAlloc, docSize; size_t failurePos, docSize;
int opts; int opts;
xmlFuzzDataInit(data, size); xmlFuzzDataInit(data, size);
opts = (int) xmlFuzzReadInt(4); opts = (int) xmlFuzzReadInt(4);
maxAlloc = xmlFuzzReadInt(4) % (size + 100); failurePos = xmlFuzzReadInt(4) % (size + 100);
docBuffer = xmlFuzzReadRemaining(&docSize); docBuffer = xmlFuzzReadRemaining(&docSize);
if (docBuffer == NULL) { if (docBuffer == NULL) {
@@ -42,13 +42,14 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Pull parser */ /* Pull parser */
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
ctxt = htmlNewParserCtxt(); ctxt = htmlNewParserCtxt();
if (ctxt != NULL) { if (ctxt != NULL) {
xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL); xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
doc = htmlCtxtReadMemory(ctxt, docBuffer, docSize, NULL, NULL, opts); doc = htmlCtxtReadMemory(ctxt, docBuffer, docSize, NULL, NULL, opts);
xmlFuzzCheckMallocFailure("htmlCtxtReadMemory", xmlFuzzCheckFailureReport("htmlCtxtReadMemory",
ctxt->errNo == XML_ERR_NO_MEMORY); ctxt->errNo == XML_ERR_NO_MEMORY,
ctxt->errNo == XML_IO_EIO);
if (doc != NULL) { if (doc != NULL) {
xmlDocPtr copy; xmlDocPtr copy;
@@ -66,12 +67,12 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
htmlDocContentDumpOutput(out, doc, NULL); htmlDocContentDumpOutput(out, doc, NULL);
content = xmlOutputBufferGetContent(out); content = xmlOutputBufferGetContent(out);
xmlOutputBufferClose(out); xmlOutputBufferClose(out);
xmlFuzzCheckMallocFailure("htmlDocContentDumpOutput", xmlFuzzCheckFailureReport("htmlDocContentDumpOutput",
content == NULL); content == NULL, 0);
#endif #endif
copy = xmlCopyDoc(doc, 1); copy = xmlCopyDoc(doc, 1);
xmlFuzzCheckMallocFailure("xmlCopyNode", copy == NULL); xmlFuzzCheckFailureReport("xmlCopyNode", copy == NULL, 0);
xmlFreeDoc(copy); xmlFreeDoc(copy);
xmlFreeDoc(doc); xmlFreeDoc(doc);
@@ -88,7 +89,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
static const size_t maxChunkSize = 128; static const size_t maxChunkSize = 128;
size_t consumed, chunkSize; size_t consumed, chunkSize;
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
ctxt = htmlCreatePushParserCtxt(NULL, NULL, NULL, 0, NULL, ctxt = htmlCreatePushParserCtxt(NULL, NULL, NULL, 0, NULL,
XML_CHAR_ENCODING_NONE); XML_CHAR_ENCODING_NONE);
@@ -104,8 +105,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
} }
htmlParseChunk(ctxt, NULL, 0, 1); htmlParseChunk(ctxt, NULL, 0, 1);
xmlFuzzCheckMallocFailure("htmlParseChunk", xmlFuzzCheckFailureReport("htmlParseChunk",
ctxt->errNo == XML_ERR_NO_MEMORY); ctxt->errNo == XML_ERR_NO_MEMORY,
ctxt->errNo == XML_IO_EIO);
xmlFreeDoc(ctxt->myDoc); xmlFreeDoc(ctxt->myDoc);
htmlFreeParserCtxt(ctxt); htmlFreeParserCtxt(ctxt);
} }
@@ -114,7 +116,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Cleanup */ /* Cleanup */
xmlFuzzMemSetLimit(0); xmlFuzzInjectFailure(0);
xmlFuzzDataCleanup(); xmlFuzzDataCleanup();
xmlResetLastError(); xmlResetLastError();

10
fuzz/reader.c
View File

@@ -107,14 +107,14 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
const xmlError *error; const xmlError *error;
const char *docBuffer; const char *docBuffer;
const unsigned char *program; const unsigned char *program;
size_t maxAlloc, docSize, programSize, i; size_t failurePos, docSize, programSize, i;
size_t totalStringSize = 0; size_t totalStringSize = 0;
int opts; int opts;
int oomReport = 0; int oomReport = 0;
xmlFuzzDataInit(data, size); xmlFuzzDataInit(data, size);
opts = (int) xmlFuzzReadInt(4); opts = (int) xmlFuzzReadInt(4);
maxAlloc = xmlFuzzReadInt(4) % (size + 100); failurePos = xmlFuzzReadInt(4) % (size + 100);
program = (const unsigned char *) xmlFuzzReadString(&programSize); program = (const unsigned char *) xmlFuzzReadString(&programSize);
if (programSize > 1000) if (programSize > 1000)
@@ -138,7 +138,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
fprintf(stderr, "\nEOF\n"); fprintf(stderr, "\nEOF\n");
#endif #endif
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts); reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts);
if (reader == NULL) if (reader == NULL)
goto exit; goto exit;
@@ -539,7 +539,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
error = xmlTextReaderGetLastError(reader); error = xmlTextReaderGetLastError(reader);
if (error->code == XML_ERR_NO_MEMORY) if (error->code == XML_ERR_NO_MEMORY)
oomReport = 1; oomReport = 1;
xmlFuzzCheckMallocFailure("reader", oomReport); xmlFuzzCheckFailureReport("reader", oomReport, 0);
xmlFreeTextReader(reader); xmlFreeTextReader(reader);
@@ -547,7 +547,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlFreeDoc(doc); xmlFreeDoc(doc);
exit: exit:
xmlFuzzMemSetLimit(0); xmlFuzzInjectFailure(0);
xmlFuzzDataCleanup(); xmlFuzzDataCleanup();
xmlResetLastError(); xmlResetLastError();
return(0); return(0);

8
fuzz/regexp.c
View File

@@ -20,17 +20,17 @@ LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
int int
LLVMFuzzerTestOneInput(const char *data, size_t size) { LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlRegexpPtr regexp; xmlRegexpPtr regexp;
size_t maxAlloc; size_t failurePos;
const char *str1; const char *str1;
if (size > 200) if (size > 200)
return(0); return(0);
xmlFuzzDataInit(data, size); xmlFuzzDataInit(data, size);
maxAlloc = xmlFuzzReadInt(4) % (size * 8 + 100); failurePos = xmlFuzzReadInt(4) % (size * 8 + 100);
str1 = xmlFuzzReadString(NULL); str1 = xmlFuzzReadString(NULL);
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
regexp = xmlRegexpCompile(BAD_CAST str1); regexp = xmlRegexpCompile(BAD_CAST str1);
if (xmlFuzzMallocFailed() && regexp != NULL) { if (xmlFuzzMallocFailed() && regexp != NULL) {
fprintf(stderr, "malloc failure not reported\n"); fprintf(stderr, "malloc failure not reported\n");
@@ -42,7 +42,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
#endif #endif
xmlRegFreeRegexp(regexp); xmlRegFreeRegexp(regexp);
xmlFuzzMemSetLimit(0); xmlFuzzInjectFailure(0);
xmlFuzzDataCleanup(); xmlFuzzDataCleanup();
xmlResetLastError(); xmlResetLastError();

8
fuzz/schema.c
View File

@@ -24,24 +24,24 @@ LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
int int
LLVMFuzzerTestOneInput(const char *data, size_t size) { LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlSchemaParserCtxtPtr pctxt; xmlSchemaParserCtxtPtr pctxt;
size_t maxAlloc; size_t failurePos;
if (size > 50000) if (size > 50000)
return(0); return(0);
maxAlloc = xmlFuzzReadInt(4) % (size + 100); failurePos = xmlFuzzReadInt(4) % (size + 100);
xmlFuzzDataInit(data, size); xmlFuzzDataInit(data, size);
xmlFuzzReadEntities(); xmlFuzzReadEntities();
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
pctxt = xmlSchemaNewParserCtxt(xmlFuzzMainUrl()); pctxt = xmlSchemaNewParserCtxt(xmlFuzzMainUrl());
xmlSchemaSetParserStructuredErrors(pctxt, xmlFuzzSErrorFunc, NULL); xmlSchemaSetParserStructuredErrors(pctxt, xmlFuzzSErrorFunc, NULL);
xmlSchemaSetResourceLoader(pctxt, xmlFuzzResourceLoader, NULL); xmlSchemaSetResourceLoader(pctxt, xmlFuzzResourceLoader, NULL);
xmlSchemaFree(xmlSchemaParse(pctxt)); xmlSchemaFree(xmlSchemaParse(pctxt));
xmlSchemaFreeParserCtxt(pctxt); xmlSchemaFreeParserCtxt(pctxt);
xmlFuzzMemSetLimit(0); xmlFuzzInjectFailure(0);
xmlFuzzDataCleanup(); xmlFuzzDataCleanup();
xmlResetLastError(); xmlResetLastError();

47
fuzz/uri.c
View File

@@ -18,7 +18,7 @@ LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
int int
LLVMFuzzerTestOneInput(const char *data, size_t size) { LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlURIPtr uri; xmlURIPtr uri;
size_t maxAlloc; size_t failurePos;
const char *str1, *str2; const char *str1, *str2;
char *copy; char *copy;
xmlChar *strRes; xmlChar *strRes;
@@ -28,20 +28,20 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
return(0); return(0);
xmlFuzzDataInit(data, size); xmlFuzzDataInit(data, size);
maxAlloc = xmlFuzzReadInt(4) % (size * 8 + 100); failurePos = xmlFuzzReadInt(4) % (size * 8 + 100);
str1 = xmlFuzzReadString(NULL); str1 = xmlFuzzReadString(NULL);
str2 = xmlFuzzReadString(NULL); str2 = xmlFuzzReadString(NULL);
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
intRes = xmlParseURISafe(str1, &uri); intRes = xmlParseURISafe(str1, &uri);
xmlFuzzCheckMallocFailure("xmlParseURISafe", intRes == -1); xmlFuzzCheckFailureReport("xmlParseURISafe", intRes == -1, 0);
if (uri != NULL) { if (uri != NULL) {
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
strRes = xmlSaveUri(uri); strRes = xmlSaveUri(uri);
xmlFuzzCheckMallocFailure("xmlSaveURI", strRes == NULL); xmlFuzzCheckFailureReport("xmlSaveURI", strRes == NULL, 0);
xmlFree(strRes); xmlFree(strRes);
xmlFreeURI(uri); xmlFreeURI(uri);
} }
@@ -52,50 +52,51 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlFree(xmlSaveUri(uri)); xmlFree(xmlSaveUri(uri));
xmlFreeURI(uri); xmlFreeURI(uri);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
strRes = BAD_CAST xmlURIUnescapeString(str1, -1, NULL); strRes = BAD_CAST xmlURIUnescapeString(str1, -1, NULL);
xmlFuzzCheckMallocFailure("xmlURIUnescapeString", xmlFuzzCheckFailureReport("xmlURIUnescapeString",
str1 != NULL && strRes == NULL); str1 != NULL && strRes == NULL, 0);
xmlFree(strRes); xmlFree(strRes);
xmlFree(xmlURIEscape(BAD_CAST str1)); xmlFree(xmlURIEscape(BAD_CAST str1));
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
strRes = xmlCanonicPath(BAD_CAST str1); strRes = xmlCanonicPath(BAD_CAST str1);
xmlFuzzCheckMallocFailure("xmlCanonicPath", xmlFuzzCheckFailureReport("xmlCanonicPath",
str1 != NULL && strRes == NULL); str1 != NULL && strRes == NULL, 0);
xmlFree(strRes); xmlFree(strRes);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
strRes = xmlPathToURI(BAD_CAST str1); strRes = xmlPathToURI(BAD_CAST str1);
xmlFuzzCheckMallocFailure("xmlPathToURI", str1 != NULL && strRes == NULL); xmlFuzzCheckFailureReport("xmlPathToURI",
str1 != NULL && strRes == NULL, 0);
xmlFree(strRes); xmlFree(strRes);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
intRes = xmlBuildURISafe(BAD_CAST str2, BAD_CAST str1, &strRes); intRes = xmlBuildURISafe(BAD_CAST str2, BAD_CAST str1, &strRes);
xmlFuzzCheckMallocFailure("xmlBuildURISafe", intRes == -1); xmlFuzzCheckFailureReport("xmlBuildURISafe", intRes == -1, 0);
xmlFree(strRes); xmlFree(strRes);
xmlFree(xmlBuildURI(BAD_CAST str2, BAD_CAST str1)); xmlFree(xmlBuildURI(BAD_CAST str2, BAD_CAST str1));
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
intRes = xmlBuildRelativeURISafe(BAD_CAST str2, BAD_CAST str1, &strRes); intRes = xmlBuildRelativeURISafe(BAD_CAST str2, BAD_CAST str1, &strRes);
xmlFuzzCheckMallocFailure("xmlBuildRelativeURISafe", intRes == -1); xmlFuzzCheckFailureReport("xmlBuildRelativeURISafe", intRes == -1, 0);
xmlFree(strRes); xmlFree(strRes);
xmlFree(xmlBuildRelativeURI(BAD_CAST str2, BAD_CAST str1)); xmlFree(xmlBuildRelativeURI(BAD_CAST str2, BAD_CAST str1));
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
strRes = xmlURIEscapeStr(BAD_CAST str1, BAD_CAST str2); strRes = xmlURIEscapeStr(BAD_CAST str1, BAD_CAST str2);
xmlFuzzCheckMallocFailure("xmlURIEscapeStr", xmlFuzzCheckFailureReport("xmlURIEscapeStr",
str1 != NULL && strRes == NULL); str1 != NULL && strRes == NULL, 0);
xmlFree(strRes); xmlFree(strRes);
copy = (char *) xmlCharStrdup(str1); copy = (char *) xmlCharStrdup(str1);
xmlNormalizeURIPath(copy); xmlNormalizeURIPath(copy);
xmlFree(copy); xmlFree(copy);
xmlFuzzMemSetLimit(0); xmlFuzzInjectFailure(0);
xmlFuzzDataCleanup(); xmlFuzzDataCleanup();
return 0; return 0;

35
fuzz/valid.c
View File

@@ -28,14 +28,14 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlParserCtxtPtr ctxt; xmlParserCtxtPtr ctxt;
xmlDocPtr doc; xmlDocPtr doc;
const char *docBuffer, *docUrl; const char *docBuffer, *docUrl;
size_t maxAlloc, docSize; size_t failurePos, docSize;
int opts; int opts;
xmlFuzzDataInit(data, size); xmlFuzzDataInit(data, size);
opts = (int) xmlFuzzReadInt(4); opts = (int) xmlFuzzReadInt(4);
opts &= ~XML_PARSE_XINCLUDE; opts &= ~XML_PARSE_XINCLUDE;
opts |= XML_PARSE_DTDVALID; opts |= XML_PARSE_DTDVALID;
maxAlloc = xmlFuzzReadInt(4) % (size + 100); failurePos = xmlFuzzReadInt(4) % (size + 100);
xmlFuzzReadEntities(); xmlFuzzReadEntities();
docBuffer = xmlFuzzMainEntity(&docSize); docBuffer = xmlFuzzMainEntity(&docSize);
@@ -45,33 +45,37 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Pull parser */ /* Pull parser */
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
ctxt = xmlNewParserCtxt(); ctxt = xmlNewParserCtxt();
if (ctxt != NULL) { if (ctxt != NULL) {
xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL); xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL); xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts); doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts);
xmlFuzzCheckMallocFailure("xmlCtxtReadMemory", xmlFuzzCheckFailureReport("xmlCtxtReadMemory",
ctxt->errNo == XML_ERR_NO_MEMORY); ctxt->errNo == XML_ERR_NO_MEMORY,
ctxt->errNo == XML_IO_EIO);
xmlFreeDoc(doc); xmlFreeDoc(doc);
xmlFreeParserCtxt(ctxt); xmlFreeParserCtxt(ctxt);
} }
/* Post validation */ /* Post validation */
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
ctxt = xmlNewParserCtxt(); ctxt = xmlNewParserCtxt();
if (ctxt != NULL) { if (ctxt != NULL) {
xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL); xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL); xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL,
opts & ~XML_PARSE_DTDVALID); opts & ~XML_PARSE_DTDVALID);
xmlFuzzCheckMallocFailure("xmlCtxtReadMemory", xmlFuzzCheckFailureReport("xmlCtxtReadMemory",
ctxt->errNo == XML_ERR_NO_MEMORY); doc == NULL && ctxt->errNo == XML_ERR_NO_MEMORY,
doc == NULL && ctxt->errNo == XML_IO_EIO);
if (doc != NULL) { if (doc != NULL) {
xmlCtxtValidateDocument(ctxt, doc); int valid = xmlCtxtValidateDocument(ctxt, doc);
xmlFuzzCheckMallocFailure("xmlCtxtValidateDocument",
ctxt->errNo == XML_ERR_NO_MEMORY); xmlFuzzCheckFailureReport("xmlCtxtValidateDocument",
!valid && ctxt->errNo == XML_ERR_NO_MEMORY,
!valid && ctxt->errNo == XML_IO_EIO);
} }
xmlFreeDoc(doc); xmlFreeDoc(doc);
xmlFreeParserCtxt(ctxt); xmlFreeParserCtxt(ctxt);
@@ -84,7 +88,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
static const size_t maxChunkSize = 128; static const size_t maxChunkSize = 128;
size_t consumed, chunkSize; size_t consumed, chunkSize;
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
/* /*
* FIXME: xmlCreatePushParserCtxt can still report OOM errors * FIXME: xmlCreatePushParserCtxt can still report OOM errors
* to stderr. * to stderr.
@@ -105,8 +109,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
} }
xmlParseChunk(ctxt, NULL, 0, 1); xmlParseChunk(ctxt, NULL, 0, 1);
xmlFuzzCheckMallocFailure("xmlParseChunk", xmlFuzzCheckFailureReport("xmlParseChunk",
ctxt->errNo == XML_ERR_NO_MEMORY); ctxt->errNo == XML_ERR_NO_MEMORY,
ctxt->errNo == XML_IO_EIO);
xmlFreeDoc(ctxt->myDoc); xmlFreeDoc(ctxt->myDoc);
xmlFreeParserCtxt(ctxt); xmlFreeParserCtxt(ctxt);
} }
@@ -114,7 +119,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
#endif #endif
exit: exit:
xmlFuzzMemSetLimit(0); xmlFuzzInjectFailure(0);
xmlFuzzDataCleanup(); xmlFuzzDataCleanup();
xmlResetLastError(); xmlResetLastError();
return(0); return(0);

23
fuzz/xinclude.c
View File

@@ -30,13 +30,13 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlParserCtxtPtr ctxt; xmlParserCtxtPtr ctxt;
xmlDocPtr doc; xmlDocPtr doc;
const char *docBuffer, *docUrl; const char *docBuffer, *docUrl;
size_t maxAlloc, docSize; size_t failurePos, docSize;
int opts; int opts;
xmlFuzzDataInit(data, size); xmlFuzzDataInit(data, size);
opts = (int) xmlFuzzReadInt(4); opts = (int) xmlFuzzReadInt(4);
opts |= XML_PARSE_XINCLUDE; opts |= XML_PARSE_XINCLUDE;
maxAlloc = xmlFuzzReadInt(4) % (size + 100); failurePos = xmlFuzzReadInt(4) % (size + 100);
xmlFuzzReadEntities(); xmlFuzzReadEntities();
docBuffer = xmlFuzzMainEntity(&docSize); docBuffer = xmlFuzzMainEntity(&docSize);
@@ -46,7 +46,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Pull parser */ /* Pull parser */
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
ctxt = xmlNewParserCtxt(); ctxt = xmlNewParserCtxt();
if (ctxt != NULL) { if (ctxt != NULL) {
xmlXIncludeCtxtPtr xinc; xmlXIncludeCtxtPtr xinc;
@@ -55,24 +55,27 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL); xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts); doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts);
xmlFuzzCheckMallocFailure("xmlCtxtReadMemory", xmlFuzzCheckFailureReport("xmlCtxtReadMemory",
ctxt->errNo == XML_ERR_NO_MEMORY); doc == NULL && ctxt->errNo == XML_ERR_NO_MEMORY,
doc == NULL && ctxt->errNo == XML_IO_EIO);
xinc = xmlXIncludeNewContext(doc); xinc = xmlXIncludeNewContext(doc);
xmlXIncludeSetResourceLoader(xinc, xmlFuzzResourceLoader, NULL); xmlXIncludeSetResourceLoader(xinc, xmlFuzzResourceLoader, NULL);
xmlXIncludeSetFlags(xinc, opts); xmlXIncludeSetFlags(xinc, opts);
xmlXIncludeProcessNode(xinc, (xmlNodePtr) doc); xmlXIncludeProcessNode(xinc, (xmlNodePtr) doc);
if (doc != NULL) { if (doc != NULL) {
xmlFuzzCheckMallocFailure("xmlXIncludeProcessNode", xmlFuzzCheckFailureReport("xmlXIncludeProcessNode",
xinc == NULL || xinc == NULL ||
xmlXIncludeGetLastError(xinc) == XML_ERR_NO_MEMORY); xmlXIncludeGetLastError(xinc) == XML_ERR_NO_MEMORY,
xinc != NULL &&
xmlXIncludeGetLastError(xinc) == XML_IO_EIO);
} }
xmlXIncludeFreeContext(xinc); xmlXIncludeFreeContext(xinc);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
copy = xmlCopyDoc(doc, 1); copy = xmlCopyDoc(doc, 1);
if (doc != NULL) if (doc != NULL)
xmlFuzzCheckMallocFailure("xmlCopyNode", copy == NULL); xmlFuzzCheckFailureReport("xmlCopyNode", copy == NULL, 0);
xmlFreeDoc(copy); xmlFreeDoc(copy);
xmlFreeDoc(doc); xmlFreeDoc(doc);
@@ -80,7 +83,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
} }
exit: exit:
xmlFuzzMemSetLimit(0); xmlFuzzInjectFailure(0);
xmlFuzzDataCleanup(); xmlFuzzDataCleanup();
xmlResetLastError(); xmlResetLastError();
return(0); return(0);

26
fuzz/xml.c
View File

@@ -29,7 +29,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlParserCtxtPtr ctxt; xmlParserCtxtPtr ctxt;
xmlDocPtr doc; xmlDocPtr doc;
const char *docBuffer, *docUrl; const char *docBuffer, *docUrl;
size_t maxAlloc, docSize; size_t failurePos, docSize;
int opts; int opts;
xmlFuzzDataInit(data, size); xmlFuzzDataInit(data, size);
@@ -40,7 +40,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
opts &= ~XML_PARSE_XINCLUDE & opts &= ~XML_PARSE_XINCLUDE &
~XML_PARSE_DTDVALID & ~XML_PARSE_DTDVALID &
~XML_PARSE_SAX1; ~XML_PARSE_SAX1;
maxAlloc = xmlFuzzReadInt(4) % (size + 100); failurePos = xmlFuzzReadInt(4) % (size + 100);
xmlFuzzReadEntities(); xmlFuzzReadEntities();
docBuffer = xmlFuzzMainEntity(&docSize); docBuffer = xmlFuzzMainEntity(&docSize);
@@ -50,15 +50,15 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Pull parser */ /* Pull parser */
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
ctxt = xmlNewParserCtxt(); ctxt = xmlNewParserCtxt();
if (ctxt != NULL) { if (ctxt != NULL) {
xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL); xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL); xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts); doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts);
xmlFuzzCheckMallocFailure("xmlCtxtReadMemory", xmlFuzzCheckFailureReport("xmlCtxtReadMemory",
doc == NULL && doc == NULL && ctxt->errNo == XML_ERR_NO_MEMORY,
ctxt->errNo == XML_ERR_NO_MEMORY); doc == NULL && ctxt->errNo == XML_IO_EIO);
if (doc != NULL) { if (doc != NULL) {
#ifdef LIBXML_OUTPUT_ENABLED #ifdef LIBXML_OUTPUT_ENABLED
@@ -73,8 +73,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlSaveDoc(save, doc); xmlSaveDoc(save, doc);
errNo = xmlSaveFinish(save); errNo = xmlSaveFinish(save);
xmlFuzzCheckMallocFailure("xmlSaveDoc", xmlFuzzCheckFailureReport("xmlSaveDoc",
errNo == XML_ERR_NO_MEMORY); errNo == XML_ERR_NO_MEMORY,
errNo == XML_IO_EIO);
} }
xmlBufferFree(buffer); xmlBufferFree(buffer);
#endif #endif
@@ -91,7 +92,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
static const size_t maxChunkSize = 128; static const size_t maxChunkSize = 128;
size_t consumed, chunkSize; size_t consumed, chunkSize;
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl); ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
if (ctxt != NULL) { if (ctxt != NULL) {
xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL); xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
@@ -106,8 +107,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
} }
xmlParseChunk(ctxt, NULL, 0, 1); xmlParseChunk(ctxt, NULL, 0, 1);
xmlFuzzCheckMallocFailure("xmlParseChunk", xmlFuzzCheckFailureReport("xmlParseChunk",
ctxt->errNo == XML_ERR_NO_MEMORY); ctxt->errNo == XML_ERR_NO_MEMORY,
ctxt->errNo == XML_IO_EIO);
xmlFreeDoc(ctxt->myDoc); xmlFreeDoc(ctxt->myDoc);
xmlFreeParserCtxt(ctxt); xmlFreeParserCtxt(ctxt);
} }
@@ -115,7 +117,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
#endif #endif
exit: exit:
xmlFuzzMemSetLimit(0); xmlFuzzInjectFailure(0);
xmlFuzzDataCleanup(); xmlFuzzDataCleanup();
xmlResetLastError(); xmlResetLastError();
return(0); return(0);

17
fuzz/xpath.c
View File

@@ -27,14 +27,14 @@ int
LLVMFuzzerTestOneInput(const char *data, size_t size) { LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlDocPtr doc; xmlDocPtr doc;
const char *expr, *xml; const char *expr, *xml;
size_t maxAlloc, exprSize, xmlSize; size_t failurePos, exprSize, xmlSize;
if (size > 10000) if (size > 10000)
return(0); return(0);
xmlFuzzDataInit(data, size); xmlFuzzDataInit(data, size);
maxAlloc = xmlFuzzReadInt(4) % (size + 100); failurePos = xmlFuzzReadInt(4) % (size + 100);
expr = xmlFuzzReadString(&exprSize); expr = xmlFuzzReadString(&exprSize);
xml = xmlFuzzReadString(&xmlSize); xml = xmlFuzzReadString(&xmlSize);
@@ -43,7 +43,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
if (doc != NULL) { if (doc != NULL) {
xmlXPathContextPtr xpctxt; xmlXPathContextPtr xpctxt;
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzInjectFailure(failurePos);
xpctxt = xmlXPathNewContext(doc); xpctxt = xmlXPathNewContext(doc);
if (xpctxt != NULL) { if (xpctxt != NULL) {
@@ -53,17 +53,16 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xpctxt->opLimit = 500000; xpctxt->opLimit = 500000;
res = xmlXPathContextSetCache(xpctxt, 1, 4, 0); res = xmlXPathContextSetCache(xpctxt, 1, 4, 0);
xmlFuzzCheckMallocFailure("xmlXPathContextSetCache", res == -1); xmlFuzzCheckFailureReport("xmlXPathContextSetCache", res == -1, 0);
xmlFuzzResetMallocFailed(); xmlFuzzResetFailure();
xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, xpctxt)); xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, xpctxt));
xmlFuzzCheckMallocFailure("xmlXPtrEval", xmlFuzzCheckFailureReport("xmlXPtrEval",
xpctxt->lastError.code == xpctxt->lastError.code == XML_ERR_NO_MEMORY, 0);
XML_ERR_NO_MEMORY);
xmlXPathFreeContext(xpctxt); xmlXPathFreeContext(xpctxt);
} }
xmlFuzzMemSetLimit(0); xmlFuzzInjectFailure(0);
xmlFreeDoc(doc); xmlFreeDoc(doc);
} }