
malloc-fail: Report malloc failure in xmlRegEpxFromParse

Also check whether malloc failures are reported when fuzzing.
Nick Wellnhofer
2023-09-22 17:03:56 +02:00
parent d94f0b0ba2
commit b7d56ef7f1
4 changed files with 29 additions and 7 deletions


@@ -44,6 +44,7 @@ static struct {
size_t fuzzNumAllocs; size_t fuzzNumAllocs;
size_t fuzzMaxAllocs; size_t fuzzMaxAllocs;
int fuzzAllocFailed;
/** /**
* xmlFuzzErrorFunc: * xmlFuzzErrorFunc:
@@ -71,12 +72,13 @@ xmlFuzzErrorFunc(void *ctx ATTRIBUTE_UNUSED, const char *msg ATTRIBUTE_UNUSED,
static void * static void *
xmlFuzzMalloc(size_t size) { xmlFuzzMalloc(size_t size) {
if (fuzzMaxAllocs > 0) { if (fuzzMaxAllocs > 0) {
if (fuzzNumAllocs >= fuzzMaxAllocs - 1) if (fuzzNumAllocs >= fuzzMaxAllocs - 1) {
#if XML_FUZZ_MALLOC_ABORT #if XML_FUZZ_MALLOC_ABORT
abort(); abort();
#else
return(NULL);
#endif #endif
fuzzAllocFailed = 1;
return(NULL);
}
fuzzNumAllocs += 1; fuzzNumAllocs += 1;
} }
return malloc(size); return malloc(size);
@@ -85,12 +87,13 @@ xmlFuzzMalloc(size_t size) {
static void * static void *
xmlFuzzRealloc(void *ptr, size_t size) { xmlFuzzRealloc(void *ptr, size_t size) {
if (fuzzMaxAllocs > 0) { if (fuzzMaxAllocs > 0) {
if (fuzzNumAllocs >= fuzzMaxAllocs - 1) if (fuzzNumAllocs >= fuzzMaxAllocs - 1) {
#if XML_FUZZ_MALLOC_ABORT #if XML_FUZZ_MALLOC_ABORT
abort(); abort();
#else
return(NULL);
#endif #endif
fuzzAllocFailed = 1;
return(NULL);
}
fuzzNumAllocs += 1; fuzzNumAllocs += 1;
} }
return realloc(ptr, size); return realloc(ptr, size);
@@ -105,6 +108,12 @@ void
xmlFuzzMemSetLimit(size_t limit) { xmlFuzzMemSetLimit(size_t limit) {
fuzzNumAllocs = 0; fuzzNumAllocs = 0;
fuzzMaxAllocs = limit ? limit + XML_FUZZ_MALLOC_OFFSET : 0; fuzzMaxAllocs = limit ? limit + XML_FUZZ_MALLOC_OFFSET : 0;
fuzzAllocFailed = 0;
}
int
xmlFuzzMallocFailed(void) {
return fuzzAllocFailed;
} }
/** /**
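Review bot: `xmlFuzzMallocFailed` in the last hunk has none of the `/** name: ... */` doc block the neighbouring functions in this file carry, and its contract is narrower than the name suggests: `fuzzAllocFailed` is raised only on the injected-limit path (`fuzzAllocFailed = 1;` just before `return(NULL);`), so a genuine NULL from the `malloc`/`realloc` calls below is not recorded. I would add a short doc block above it stating that it returns non-zero when an injected allocation failure has occurred since the last xmlFuzzMemSetLimit() call, and that real allocator failures are not tracked. The limit check is now the same lines in both xmlFuzzMalloc and xmlFuzzRealloc; factoring it into a static helper along the lines of `static int fuzzAllocShouldFail(void)` would keep the two branches from drifting apart.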


@@ -56,6 +56,9 @@ xmlFuzzMemSetup(void);
void void
xmlFuzzMemSetLimit(size_t limit); xmlFuzzMemSetLimit(size_t limit);
int
xmlFuzzMallocFailed(void);
void void
xmlFuzzDataInit(const char *data, size_t size); xmlFuzzDataInit(const char *data, size_t size);


@@ -4,6 +4,8 @@
* See Copyright for the status of this software. * See Copyright for the status of this software.
*/ */
#include <stdio.h>
#include <stdlib.h>
#include <libxml/xmlregexp.h> #include <libxml/xmlregexp.h>
#include "fuzz.h" #include "fuzz.h"
@@ -31,6 +33,10 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlFuzzMemSetLimit(maxAlloc); xmlFuzzMemSetLimit(maxAlloc);
regexp = xmlRegexpCompile(BAD_CAST str1); regexp = xmlRegexpCompile(BAD_CAST str1);
if (xmlFuzzMallocFailed() && regexp != NULL) {
fprintf(stderr, "malloc failure not reported\n");
abort();
}
/* xmlRegexpExec has pathological performance in too many cases. */ /* xmlRegexpExec has pathological performance in too many cases. */
#if 0 #if 0
xmlRegexpExec(regexp, BAD_CAST str2); xmlRegexpExec(regexp, BAD_CAST str2);
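Review bot: The check added after `xmlRegexpCompile` asserts only one direction of the contract — an injected allocation failure must yield a NULL regexp — and nothing on those lines says why `regexp == NULL` without a reported failure is acceptable (a malformed pattern also compiles to NULL). A one-line comment would spare the next reader the inference: `/* An injected OOM must surface as a failed compile; NULL on its own is also a legitimate parse error. */`. LLVMFuzzerTestOneInput starts before this hunk, so I cannot see how maxAlloc is derived; per fuzz.c a limit of 0 disables injection entirely, which makes this oracle a no-op for such inputs and is worth stating in the same comment.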


@@ -476,7 +476,11 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
ret->determinist = ctxt->determinist; ret->determinist = ctxt->determinist;
ret->flags = ctxt->flags; ret->flags = ctxt->flags;
if (ret->determinist == -1) { if (ret->determinist == -1) {
xmlRegexpIsDeterminist(ret); if (xmlRegexpIsDeterminist(ret) < 0) {
xmlRegexpErrMemory(ctxt, "checking determinism");
xmlFree(ret);
return(NULL);
}
} }
if ((ret->determinist != 0) && if ((ret->determinist != 0) &&