/* * xml.c: a libFuzzer target to test several XML parser interfaces. * * See Copyright for the status of this software. */ #include #include #include #include #include #include "fuzz.h" int LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED, char ***argv ATTRIBUTE_UNUSED) { xmlFuzzMemSetup(); xmlInitParser(); #ifdef LIBXML_CATALOG_ENABLED xmlInitializeCatalog(); #endif xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc); xmlSetExternalEntityLoader(xmlFuzzEntityLoader); return 0; } int LLVMFuzzerTestOneInput(const char *data, size_t size) { static const size_t maxChunkSize = 128; xmlDocPtr doc; xmlParserCtxtPtr ctxt; xmlTextReaderPtr reader; xmlChar *out; const char *docBuffer, *docUrl; size_t maxAlloc, docSize, consumed, chunkSize; int opts, outSize; xmlFuzzDataInit(data, size); opts = (int) xmlFuzzReadInt(4); opts &= ~XML_PARSE_XINCLUDE; maxAlloc = xmlFuzzReadInt(4) % (size + 1); xmlFuzzReadEntities(); docBuffer = xmlFuzzMainEntity(&docSize); docUrl = xmlFuzzMainUrl(); if (docBuffer == NULL) goto exit; /* Pull parser */ xmlFuzzMemSetLimit(maxAlloc); doc = xmlReadMemory(docBuffer, docSize, docUrl, NULL, opts); /* Also test the serializer. */ xmlDocDumpMemory(doc, &out, &outSize); xmlFree(out); xmlFreeDoc(doc); /* Push parser */ xmlFuzzMemSetLimit(maxAlloc); ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl); if (ctxt == NULL) goto exit; xmlCtxtUseOptions(ctxt, opts); for (consumed = 0; consumed < docSize; consumed += chunkSize) { chunkSize = docSize - consumed; if (chunkSize > maxChunkSize) chunkSize = maxChunkSize; xmlParseChunk(ctxt, docBuffer + consumed, chunkSize, 0); } xmlParseChunk(ctxt, NULL, 0, 1); xmlFreeDoc(ctxt->myDoc); xmlFreeParserCtxt(ctxt); /* Reader */ xmlFuzzMemSetLimit(maxAlloc); reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts); if (reader == NULL) goto exit; while (xmlTextReaderRead(reader) == 1) { if (xmlTextReaderNodeType(reader) == XML_ELEMENT_NODE) { int i, n = xmlTextReaderAttributeCount(reader); for (i=0; i