Coverage Report

Created: 2024-05-20 06:20

/src/expat/expat/fuzz/xml_parse_fuzzer.c
Line
Count
Source
1
/*
2
 * Copyright (C) 2016 The Android Open Source Project
3
 *
4
 * Licensed under the Apache License, Version 2.0 (the "License");
5
 * you may not use this file except in compliance with the License.
6
 * You may obtain a copy of the License at
7
 *
8
 *      http://www.apache.org/licenses/LICENSE-2.0
9
 *
10
 * Unless required by applicable law or agreed to in writing, software
11
 * distributed under the License is distributed on an "AS IS" BASIS,
12
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
 * See the License for the specific language governing permissions and
14
 * limitations under the License.
15
 */
16
17
#include <assert.h>
18
#include <stdint.h>
19
20
#include "expat.h"
21
#include "siphash.h"
22
23
// Macros to convert preprocessor macros to string literals. See
24
// https://gcc.gnu.org/onlinedocs/gcc-3.4.3/cpp/Stringification.html
25
23.6k
#define xstr(s) str(s)
26
23.6k
#define str(s) #s
27
28
// The encoder type that we wish to fuzz should come from the compile-time
29
// definition `ENCODING_FOR_FUZZING`. This allows us to have a separate fuzzer
30
// binary for
31
#ifndef ENCODING_FOR_FUZZING
32
#  error "ENCODING_FOR_FUZZING was not provided to this fuzz target."
33
#endif
34
35
// 16-byte deterministic hash key.
36
static unsigned char hash_key[16] = "FUZZING IS FUN!";
37
38
static void XMLCALL
39
3.57M
start(void *userData, const XML_Char *name, const XML_Char **atts) {
40
3.57M
  (void)userData;
41
3.57M
  (void)name;
42
3.57M
  (void)atts;
43
3.57M
}
44
static void XMLCALL
45
1.26M
end(void *userData, const XML_Char *name) {
46
1.26M
  (void)userData;
47
1.26M
  (void)name;
48
1.26M
}
49
50
static void XMLCALL
51
20.4M
may_stop_character_handler(void *userData, const XML_Char *s, int len) {
52
20.4M
  XML_Parser parser = (XML_Parser)userData;
53
20.4M
  if (len > 1 && s[0] == 's') {
54
898
    XML_StopParser(parser, s[1] == 'r' ? XML_FALSE : XML_TRUE);
55
898
  }
56
20.4M
}
57
58
static void
59
94.5k
ParseOneInput(XML_Parser p, const uint8_t *data, size_t size) {
60
  // Set the hash salt using siphash to generate a deterministic hash.
61
94.5k
  struct sipkey *key = sip_keyof(hash_key);
62
94.5k
  XML_SetHashSalt(p, (unsigned long)siphash24(data, size, key));
63
94.5k
  (void)sip24_valid;
64
65
94.5k
  XML_SetUserData(p, p);
66
94.5k
  XML_SetElementHandler(p, start, end);
67
94.5k
  XML_SetCharacterDataHandler(p, may_stop_character_handler);
68
94.5k
  XML_Parse(p, (const XML_Char *)data, size, 0);
69
94.5k
  if (XML_Parse(p, (const XML_Char *)data, size, 1) == XML_STATUS_ERROR) {
70
91.7k
    XML_ErrorString(XML_GetErrorCode(p));
71
91.7k
  }
72
94.5k
  XML_GetCurrentLineNumber(p);
73
94.5k
  if (size % 2) {
74
38.0k
    XML_ParserReset(p, NULL);
75
38.0k
  }
76
94.5k
}
77
78
int
79
23.6k
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
80
23.6k
  XML_Parser parentParser = XML_ParserCreate(xstr(ENCODING_FOR_FUZZING));
81
23.6k
  assert(parentParser);
82
23.6k
  ParseOneInput(parentParser, data, size);
83
  // not freed yet, but used later and freed then
84
85
23.6k
  XML_Parser namespaceParser = XML_ParserCreateNS(NULL, '!');
86
23.6k
  assert(namespaceParser);
87
23.6k
  ParseOneInput(namespaceParser, data, size);
88
23.6k
  XML_ParserFree(namespaceParser);
89
90
23.6k
  XML_Parser externalEntityParser
91
23.6k
      = XML_ExternalEntityParserCreate(parentParser, "e1", NULL);
92
23.6k
  assert(externalEntityParser);
93
23.6k
  ParseOneInput(externalEntityParser, data, size);
94
23.6k
  XML_ParserFree(externalEntityParser);
95
96
23.6k
  XML_Parser externalDtdParser
97
23.6k
      = XML_ExternalEntityParserCreate(parentParser, NULL, NULL);
98
23.6k
  assert(externalDtdParser);
99
23.6k
  ParseOneInput(externalDtdParser, data, size);
100
23.6k
  XML_ParserFree(externalDtdParser);
101
102
  // finally frees this parser which served as parent
103
23.6k
  XML_ParserFree(parentParser);
104
23.6k
  return 0;
105
23.6k
}