lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-26 00:37:43 +03:00
Code Activity

fuzz: Add some comments in api.c

Browse Source
This commit is contained in:
Nick Wellnhofer
2024-03-15 21:04:04 +01:00
parent ee0c1f87c0
commit f14f089fe3
1 changed files with 44 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
fuzz/api.c
View File

@@ -17,7 +17,6 @@
* *
* TODO: * TODO:
* - Create documents with a dictionary. * - Create documents with a dictionary.
* - Create nodes with null name (xmlSetTreeDoc).
*/ */
#include <stdlib.h> #include <stdlib.h>
@@ -439,6 +438,10 @@ moveStr(int offset, xmlChar *str) {
} }
} }
/*
* This doesn't use xmlMalloc and can't fail because of malloc failure
* injection.
*/
static xmlChar * static xmlChar *
uncheckedStrdup(const xmlChar *str) { uncheckedStrdup(const xmlChar *str) {
xmlChar *copy; xmlChar *copy;
@@ -599,7 +602,7 @@ isDtdChild(xmlNodePtr child) {
} }
static xmlNodePtr static xmlNodePtr
nodeGetSubtree(xmlNodePtr node) { nodeGetTree(xmlNodePtr node) {
xmlNodePtr cur = node; xmlNodePtr cur = node;
while (cur->parent) while (cur->parent)
@@ -607,23 +610,30 @@ nodeGetSubtree(xmlNodePtr node) {
return cur; return cur;
} }
/*
* This function is called whenever a reference to a node is removed.
* It checks whether the node is still reachable and frees unreferenced
* nodes.
*
* A node is reachable if its tree, identified by the root node,
* is reachable. If a non-document tree is unreachable, it can be
* freed.
*
* Multiple trees can share the same document, so a document tree
* can only be freed if no other trees reference the document.
*/
static void static void
dropNode(xmlNodePtr node) { dropNode(xmlNodePtr node) {
xmlNodePtr *nodes = vars->nodes; xmlNodePtr *nodes = vars->nodes;
xmlNodePtr subtree; xmlNodePtr tree;
xmlDocPtr doc; xmlDocPtr doc;
int docReferenced = 0; int docReferenced = 0;
int i; int i;
/*
* We have to handle separate subtrees and the document pointer
* which makes memory management a bit tricky.
*/
if (node == NULL) if (node == NULL)
return; return;
subtree = nodeGetSubtree(node); tree = nodeGetTree(node);
doc = node->doc; doc = node->doc;
for (i = 0; i < REG_MAX; i++) { for (i = 0; i < REG_MAX; i++) {
@@ -634,19 +644,19 @@ dropNode(xmlNodePtr node) {
continue; continue;
/* /*
* Return if subtree is referenced from another node * Return if tree is referenced from another node
*/ */
if (nodeGetSubtree(other) == subtree) if (nodeGetTree(other) == tree)
return; return;
if (doc != NULL && other->doc == doc) if (doc != NULL && other->doc == doc)
docReferenced = 1; docReferenced = 1;
} }
if (subtree != (xmlNodePtr) doc && !isDtdChild(subtree)) { if (tree != (xmlNodePtr) doc && !isDtdChild(tree)) {
if (doc == NULL || subtree->type != XML_DTD_NODE || if (doc == NULL || tree->type != XML_DTD_NODE ||
((xmlDtdPtr) subtree != doc->intSubset && ((xmlDtdPtr) tree != doc->intSubset &&
(xmlDtdPtr) subtree != doc->extSubset)) (xmlDtdPtr) tree != doc->extSubset))
xmlFreeNode(subtree); xmlFreeNode(tree);
} }
/* /*
@@ -656,6 +666,13 @@ dropNode(xmlNodePtr node) {
xmlFreeDoc(doc); xmlFreeDoc(doc);
} }
/*
* removeNode and removeChildren remove all references to a node
* or its children from the registers. These functions should be
* called in an API function destroys nodes, for example by merging
* text nodes.
*/
static void static void
removeNode(xmlNodePtr node) { removeNode(xmlNodePtr node) {
int i; int i;
@@ -723,6 +740,17 @@ nodeGetNs(xmlNodePtr node, int k) {
return ns; return ns;
} }
/*
* It's easy for programs to exhibit exponential growth patterns.
* For example, a tree being copied and added to the original source
* node doubles memory usage with two operations. Repeating these
* operations leads to 2^n nodes. Similar issues can arise when
* concatenating strings.
*
* We simply ignore tree copies or truncate text if they grow too
* large.
*/
static void static void
checkContent(xmlNodePtr node) { checkContent(xmlNodePtr node) {
if (node != NULL && if (node != NULL &&