/src/libxml2/fuzz/xml.c

Source (jump to first uncovered line)
/*
 * xml.c: a libFuzzer target to test several XML parser interfaces.
 *
 * See Copyright for the status of this software.
 */

#include <libxml/catalog.h>
#include <libxml/parser.h>
#include <libxml/tree.h>
#include <libxml/xmlerror.h>
#include <libxml/xmlreader.h>
#include "fuzz.h"

int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    xmlInitParser();
#ifdef LIBXML_CATALOG_ENABLED
    xmlInitializeCatalog();
#endif
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
    xmlSetExternalEntityLoader(xmlFuzzEntityLoader);

    return 0;
}

int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    static const size_t maxChunkSize = 128;
    xmlDocPtr doc;
    xmlParserCtxtPtr ctxt;
    xmlTextReaderPtr reader;
    xmlChar *out;
    const char *docBuffer, *docUrl;
    size_t docSize, consumed, chunkSize;
    int opts, outSize;

    xmlFuzzDataInit(data, size);
    opts = xmlFuzzReadInt();
    opts &= ~XML_PARSE_XINCLUDE;

    xmlFuzzReadEntities();
    docBuffer = xmlFuzzMainEntity(&docSize);
    docUrl = xmlFuzzMainUrl();
    if (docBuffer == NULL)
        goto exit;

    /* Pull parser */

    doc = xmlReadMemory(docBuffer, docSize, docUrl, NULL, opts);
    /* Also test the serializer. */
    xmlDocDumpMemory(doc, &out, &outSize);
    xmlFree(out);
    xmlFreeDoc(doc);

    /* Push parser */

    ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
    if (ctxt == NULL)
        goto exit;
    xmlCtxtUseOptions(ctxt, opts);

    for (consumed = 0; consumed < docSize; consumed += chunkSize) {
        chunkSize = docSize - consumed;
        if (chunkSize > maxChunkSize)
            chunkSize = maxChunkSize;
        xmlParseChunk(ctxt, docBuffer + consumed, chunkSize, 0);
    }

    xmlParseChunk(ctxt, NULL, 0, 1);
    xmlFreeDoc(ctxt->myDoc);
    xmlFreeParserCtxt(ctxt);

    /* Reader */

    reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts);
    if (reader == NULL)
        goto exit;
    while (xmlTextReaderRead(reader) == 1) {
        if (xmlTextReaderNodeType(reader) == XML_ELEMENT_NODE) {
            int i, n = xmlTextReaderAttributeCount(reader);
            for (i=0; i<n; i++) {
                xmlTextReaderMoveToAttributeNo(reader, i);
                while (xmlTextReaderReadAttributeValue(reader) == 1);
            }
        }
    }
    xmlFreeTextReader(reader);

exit:
    xmlFuzzDataCleanup();
    xmlResetLastError();
    return(0);
}


Line	Count	Source (jump to first uncovered line)
1		/*
2		* xml.c: a libFuzzer target to test several XML parser interfaces.
3		*
4		* See Copyright for the status of this software.
5		*/
6
7		#include <libxml/catalog.h>
8		#include <libxml/parser.h>
9		#include <libxml/tree.h>
10		#include <libxml/xmlerror.h>
11		#include <libxml/xmlreader.h>
12		#include "fuzz.h"
13
14		int
15		LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
16	29	char ***argv ATTRIBUTE_UNUSED) {
17	29	xmlInitParser();
18	29	#ifdef LIBXML_CATALOG_ENABLED
19	29	xmlInitializeCatalog();
20	29	#endif
21	29	xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
22	29	xmlSetExternalEntityLoader(xmlFuzzEntityLoader);
23
24	29	return 0;
25	29	}
26
27		int
28	35.1k	LLVMFuzzerTestOneInput(const char *data, size_t size) {
29	35.1k	static const size_t maxChunkSize = 128;
30	35.1k	xmlDocPtr doc;
31	35.1k	xmlParserCtxtPtr ctxt;
32	35.1k	xmlTextReaderPtr reader;
33	35.1k	xmlChar *out;
34	35.1k	const char docBuffer, docUrl;
35	35.1k	size_t docSize, consumed, chunkSize;
36	35.1k	int opts, outSize;
37
38	35.1k	xmlFuzzDataInit(data, size);
39	35.1k	opts = xmlFuzzReadInt();
40	35.1k	opts &= ~XML_PARSE_XINCLUDE;
41
42	35.1k	xmlFuzzReadEntities();
43	35.1k	docBuffer = xmlFuzzMainEntity(&docSize);
44	35.1k	docUrl = xmlFuzzMainUrl();
45	35.1k	if (docBuffer == NULL)
46	106	goto exit;
47
48		/* Pull parser */
49
50	35.0k	doc = xmlReadMemory(docBuffer, docSize, docUrl, NULL, opts);
51		/* Also test the serializer. */
52	35.0k	xmlDocDumpMemory(doc, &out, &outSize);
53	35.0k	xmlFree(out);
54	35.0k	xmlFreeDoc(doc);
55
56		/* Push parser */
57
58	35.0k	ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
59	35.0k	if (ctxt == NULL)
60	0	goto exit;
61	35.0k	xmlCtxtUseOptions(ctxt, opts);
62
63	2.46M	for (consumed = 0; consumed < docSize; consumed += chunkSize) {
64	2.43M	chunkSize = docSize - consumed;
65	2.43M	if (chunkSize > maxChunkSize)
66	2.39M	chunkSize = maxChunkSize;
67	2.43M	xmlParseChunk(ctxt, docBuffer + consumed, chunkSize, 0);
68	2.43M	}
69
70	35.0k	xmlParseChunk(ctxt, NULL, 0, 1);
71	35.0k	xmlFreeDoc(ctxt->myDoc);
72	35.0k	xmlFreeParserCtxt(ctxt);
73
74		/* Reader */
75
76	35.0k	reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts);
77	35.0k	if (reader == NULL)
78	0	goto exit;
79	1.28M	while (xmlTextReaderRead(reader) == 1) {
80	1.25M	if (xmlTextReaderNodeType(reader) == XML_ELEMENT_NODE) {
81	345k	int i, n = xmlTextReaderAttributeCount(reader);
82	529k	for (i=0; i<n; i++) {
83	184k	xmlTextReaderMoveToAttributeNo(reader, i);
84	369k	while (xmlTextReaderReadAttributeValue(reader) == 1);
85	184k	}
86	345k	}
87	1.25M	}
88	35.0k	xmlFreeTextReader(reader);
89
90	35.1k	exit:
91	35.1k	xmlFuzzDataCleanup();
92	35.1k	xmlResetLastError();
93	35.1k	return(0);
94	35.0k	}
95

Coverage Report

Created: 2023-05-05 14:18