lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Code Activity

fuzz: Fix xmlSetProp in API fuzzer

Browse Source 
Finding the old attribute node is a bit more involved.
This commit is contained in:
Nick Wellnhofer
2024-03-28 11:30:05 +01:00
parent 9bce9dbb19
commit bfb02fbca9
1 changed files with 27 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
fuzz/api.c
View File

@@ -441,13 +441,13 @@ moveStr(int offset, xmlChar *str) {
* injection. * injection.
*/ */
static xmlChar * static xmlChar *
uncheckedStrdup(const xmlChar *str) { uncheckedStrndup(const xmlChar *str, int size) {
xmlChar *copy; xmlChar *copy;
if (str == NULL) if (str == NULL)
return NULL; return NULL;
copy = BAD_CAST strndup((const char *) str, MAX_CONTENT); copy = BAD_CAST strndup((const char *) str, size);
if (copy == NULL) { if (copy == NULL) {
fprintf(stderr, "out of memory\n"); fprintf(stderr, "out of memory\n");
abort(); abort();
@@ -456,6 +456,11 @@ uncheckedStrdup(const xmlChar *str) {
return copy; return copy;
} }
static xmlChar *
uncheckedStrdup(const xmlChar *str) {
return uncheckedStrndup(str, MAX_CONTENT);
}
static void static void
copyStr(int offset, const xmlChar *str) { copyStr(int offset, const xmlChar *str) {
setStr(offset, uncheckedStrdup(str)); setStr(offset, uncheckedStrdup(str));
@@ -1958,18 +1963,36 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
case OP_XML_SET_PROP: { case OP_XML_SET_PROP: {
xmlNodePtr node; xmlNodePtr node;
xmlAttrPtr oldAttr, attr; xmlAttrPtr oldAttr, attr;
const xmlChar *name, *value; xmlNsPtr ns = NULL;
const xmlChar *name, *value, *localName;
xmlChar *prefix;
int prefixLen;
startOp("xmlSetProp"); startOp("xmlSetProp");
incNodeIdx(); incNodeIdx();
node = getNode(1); node = getNode(1);
name = getStr(0); name = getStr(0);
value = getStr(1); value = getStr(1);
oldAttr = xmlHasProp(node, name);
/*
* Find the old attribute node which will be deleted.
*/
localName = xmlSplitQName3(name, &prefixLen);
if (localName != NULL) {
prefix = uncheckedStrndup(name, prefixLen);
ns = xmlSearchNs(NULL, node, prefix);
xmlFree(prefix);
}
if (ns == NULL)
oldAttr = xmlHasNsProp(node, name, NULL);
else
oldAttr = xmlHasNsProp(node, localName, ns->href);
xmlFuzzResetMallocFailed(); xmlFuzzResetMallocFailed();
if (oldAttr != NULL) if (oldAttr != NULL)
removeChildren((xmlNodePtr) oldAttr, 0); removeChildren((xmlNodePtr) oldAttr, 0);
attr = xmlSetProp(node, name, value); attr = xmlSetProp(node, name, value);
oomReport = oomReport =
(node != NULL && node->type == XML_ELEMENT_NODE && (node != NULL && node->type == XML_ELEMENT_NODE &&
name != NULL && name != NULL &&