lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Code Activity

Handle malloc failures in fuzzing code

Browse Source 
Avoid misdiagnosis in OOM situations.
This commit is contained in:
Nick Wellnhofer
2020-12-18 00:50:34 +01:00
parent a67b63d183
commit e2b975c317
2 changed files with 15 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
fuzz/fuzz.c
View File

@@ -211,6 +211,8 @@ xmlFuzzReadEntities(void) {
if (xmlHashLookup(fuzzData.entities, (xmlChar *)url) == NULL) { if (xmlHashLookup(fuzzData.entities, (xmlChar *)url) == NULL) {
entityInfo = xmlMalloc(sizeof(xmlFuzzEntityInfo)); entityInfo = xmlMalloc(sizeof(xmlFuzzEntityInfo));
if (entityInfo == NULL)
break;
entityInfo->data = entity; entityInfo->data = entity;
entityInfo->size = entitySize; entityInfo->size = entitySize;
@@ -271,6 +273,10 @@ xmlFuzzEntityLoader(const char *URL, const char *ID ATTRIBUTE_UNUSED,
input->filename = NULL; input->filename = NULL;
input->buf = xmlParserInputBufferCreateMem(entity->data, entity->size, input->buf = xmlParserInputBufferCreateMem(entity->data, entity->size,
XML_CHAR_ENCODING_NONE); XML_CHAR_ENCODING_NONE);
if (input->buf == NULL) {
xmlFreeInputStream(input);
return(NULL);
}
input->base = input->cur = xmlBufContent(input->buf->buffer); input->base = input->cur = xmlBufContent(input->buf->buffer);
input->end = input->base + entity->size; input->end = input->base + entity->size;

20
fuzz/xml.c
View File

@@ -37,18 +37,14 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Lower maximum size when processing entities for now. */ /* Lower maximum size when processing entities for now. */
maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000; maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;
if (size > maxSize) { if (size > maxSize)
xmlFuzzDataCleanup(); goto exit;
return(0);
}
xmlFuzzReadEntities(); xmlFuzzReadEntities();
docBuffer = xmlFuzzMainEntity(&docSize); docBuffer = xmlFuzzMainEntity(&docSize);
docUrl = xmlFuzzMainUrl(); docUrl = xmlFuzzMainUrl();
if (docBuffer == NULL) { if (docBuffer == NULL)
xmlFuzzDataCleanup(); goto exit;
return(0);
}
/* Pull parser */ /* Pull parser */
@@ -63,6 +59,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Push parser */ /* Push parser */
ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl); ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
if (ctxt == NULL)
goto exit;
xmlCtxtUseOptions(ctxt, opts); xmlCtxtUseOptions(ctxt, opts);
for (consumed = 0; consumed < docSize; consumed += chunkSize) { for (consumed = 0; consumed < docSize; consumed += chunkSize) {
@@ -81,6 +79,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Reader */ /* Reader */
reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts); reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts);
if (reader == NULL)
goto exit;
while (xmlTextReaderRead(reader) == 1) { while (xmlTextReaderRead(reader) == 1) {
if (xmlTextReaderNodeType(reader) == XML_ELEMENT_NODE) { if (xmlTextReaderNodeType(reader) == XML_ELEMENT_NODE) {
int i, n = xmlTextReaderAttributeCount(reader); int i, n = xmlTextReaderAttributeCount(reader);
@@ -92,10 +92,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
} }
xmlFreeTextReader(reader); xmlFreeTextReader(reader);
/* Cleanup */ exit:
xmlFuzzDataCleanup(); xmlFuzzDataCleanup();
return(0); return(0);
} }