	Fix many places where malloc failures aren't reported. Rework XPath object cache to store free objects in a linked list to avoid allocating an additional array. Remove some unneeded object pools.
/*
 * xpath.c: a libFuzzer target to test XPath and XPointer expressions.
 *
 * See Copyright for the status of this software.
 */

| #include <libxml/parser.h>
| #include <libxml/xpointer.h>
| #include "fuzz.h"
| 
/*
 * LLVMFuzzerInitialize:
 * @argc: unused
 * @argv: unused
 *
 * One-time libFuzzer setup for this target: installs the fuzzer's memory
 * hooks, initialises the parser and routes libxml2's generic error output
 * to xmlFuzzErrorFunc.
 *
 * Returns 0.
 */
int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    /* Memory hooks go in before the parser is initialised, presumably so
     * that allocations made by xmlInitParser already pass through them. */
    xmlFuzzMemSetup();
    xmlInitParser();

    /* Generic (non-structured) errors are handed to the fuzz helper. */
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);

    return(0);
}
| 
/*
 * fuzzXPointerExpr:
 * @doc: parsed document to evaluate against, never NULL here
 * @expr: XPath/XPointer expression taken from the fuzz input
 * @maxAlloc: allocation limit handed to xmlFuzzMemSetLimit
 *
 * Runs one XPointer evaluation under the fuzzer's malloc-failure injection
 * and checks that out-of-memory conditions are reported consistently by
 * xmlXPathContextSetCache and xmlXPtrEval. The allocation limit is lifted
 * again before returning.
 */
static void
fuzzXPointerExpr(xmlDocPtr doc, const char *expr, size_t maxAlloc) {
    xmlXPathContextPtr xpctxt;

    xmlFuzzMemSetLimit(maxAlloc);

    xpctxt = xmlXPathNewContext(doc);
    /* NOTE(review): a NULL context is simply skipped; it is not passed to
     * xmlFuzzCheckMallocFailure like the calls below — confirm whether
     * that is intended. */
    if (xpctxt != NULL) {
        int res;

        /* Operation limit to avoid timeout */
        xpctxt->opLimit = 500000;

        res = xmlXPathContextSetCache(xpctxt, 1, 4, 0);
        xmlFuzzCheckMallocFailure("xmlXPathContextSetCache", res == -1);

        /* Start the evaluation with a clean malloc-failed flag so the
         * check afterwards only sees what xmlXPtrEval itself did. */
        xmlFuzzResetMallocFailed();
        xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, xpctxt));
        xmlFuzzCheckMallocFailure("xmlXPtrEval",
                                  xpctxt->lastError.code ==
                                  XML_ERR_NO_MEMORY);
        xmlXPathFreeContext(xpctxt);
    }

    xmlFuzzMemSetLimit(0);
}

/*
 * LLVMFuzzerTestOneInput:
 * @data: raw fuzz input
 * @size: number of bytes in @data
 *
 * libFuzzer entry point. The input is split by the fuzz helpers into an
 * allocation limit, an XPath/XPointer expression and an XML document; the
 * document is parsed in recovery mode and, if that succeeds, the expression
 * is evaluated against it with malloc-failure injection enabled.
 *
 * Returns 0 for every input.
 */
int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    const char *expr, *xml;
    size_t maxAlloc, exprSize, xmlSize;
    xmlDocPtr doc;

    /* Oversized inputs are rejected before any state is set up; this also
     * keeps xmlSize well inside the int range xmlReadMemory takes. */
    if (size > 10000)
        return(0);

    xmlFuzzDataInit(data, size);

    maxAlloc = xmlFuzzReadInt(4) % (size + 100);
    expr = xmlFuzzReadString(&exprSize);
    xml = xmlFuzzReadString(&xmlSize);

    /* Recovery mode allows more input to be fuzzed. Note that the
     * allocation limit is only installed afterwards, inside the XPath
     * helper, so parsing itself runs without injected malloc failures. */
    doc = xmlReadMemory(xml, xmlSize, NULL, NULL, XML_PARSE_RECOVER);
    if (doc != NULL) {
        fuzzXPointerExpr(doc, expr, maxAlloc);
        xmlFreeDoc(doc);
    }

    xmlFuzzDataCleanup();
    xmlResetLastError();

    return(0);
}