/src/expat/expat/fuzz/xml_parsebuffer_fuzzer.c

Source (jump to first uncovered line)
/*
 * Copyright (C) 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <assert.h>
#include <stdint.h>
#include <string.h>

#include "expat.h"
#include "siphash.h"

// Macros to convert preprocessor macros to string literals. See
// https://gcc.gnu.org/onlinedocs/gcc-3.4.3/cpp/Stringification.html
#define xstr(s) str(s)
#define str(s) #s

// The encoder type that we wish to fuzz should come from the compile-time
// definition `ENCODING_FOR_FUZZING`. This allows us to have a separate fuzzer
// binary for
#ifndef ENCODING_FOR_FUZZING
#  error "ENCODING_FOR_FUZZING was not provided to this fuzz target."
#endif

// 16-byte deterministic hash key.
static unsigned char hash_key[16] = "FUZZING IS FUN!";

static void XMLCALL
start(void *userData, const XML_Char *name, const XML_Char **atts) {
  (void)userData;
  (void)name;
  (void)atts;
}
static void XMLCALL
end(void *userData, const XML_Char *name) {
  (void)userData;
  (void)name;
}

static void XMLCALL
may_stop_character_handler(void *userData, const XML_Char *s, int len) {
  XML_Parser parser = (XML_Parser)userData;
  if (len > 1 && s[0] == 's') {
    XML_StopParser(parser, s[1] == 'r' ? XML_FALSE : XML_TRUE);
  }
}

static void
ParseOneInput(XML_Parser p, const uint8_t *data, size_t size) {
  // Set the hash salt using siphash to generate a deterministic hash.
  struct sipkey *key = sip_keyof(hash_key);
  XML_SetHashSalt(p, (unsigned long)siphash24(data, size, key));
  (void)sip24_valid;

  XML_SetUserData(p, p);
  XML_SetElementHandler(p, start, end);
  XML_SetCharacterDataHandler(p, may_stop_character_handler);
  void *buf = XML_GetBuffer(p, size);
  assert(buf);
  memcpy(buf, data, size);
  XML_ParseBuffer(p, size, 0);
  buf = XML_GetBuffer(p, size);
  if (buf == NULL) {
    return;
  }
  memcpy(buf, data, size);
  if (XML_ParseBuffer(p, size, 1) == XML_STATUS_ERROR) {
    XML_ErrorString(XML_GetErrorCode(p));
  }
  XML_GetCurrentLineNumber(p);
  if (size % 2) {
    XML_ParserReset(p, NULL);
  }
}

int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size == 0)
    return 0;

  XML_Parser parentParser = XML_ParserCreate(xstr(ENCODING_FOR_FUZZING));
  assert(parentParser);
  ParseOneInput(parentParser, data, size);
  // not freed yet, but used later and freed then

  XML_Parser namespaceParser = XML_ParserCreateNS(NULL, '!');
  assert(namespaceParser);
  ParseOneInput(namespaceParser, data, size);
  XML_ParserFree(namespaceParser);

  XML_Parser externalEntityParser
      = XML_ExternalEntityParserCreate(parentParser, "e1", NULL);
  assert(externalEntityParser);
  ParseOneInput(externalEntityParser, data, size);
  XML_ParserFree(externalEntityParser);

  XML_Parser externalDtdParser
      = XML_ExternalEntityParserCreate(parentParser, NULL, NULL);
  assert(externalDtdParser);
  ParseOneInput(externalDtdParser, data, size);
  XML_ParserFree(externalDtdParser);

  // finally frees this parser which served as parent
  XML_ParserFree(parentParser);
  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright (C) 2016 The Android Open Source Project
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*/
16
17		#include <assert.h>
18		#include <stdint.h>
19		#include <string.h>
20
21		#include "expat.h"
22		#include "siphash.h"
23
24		// Macros to convert preprocessor macros to string literals. See
25		// https://gcc.gnu.org/onlinedocs/gcc-3.4.3/cpp/Stringification.html
26	20.2k	#define xstr(s) str(s)
27	20.2k	#define str(s) #s
28
29		// The encoder type that we wish to fuzz should come from the compile-time
30		// definition `ENCODING_FOR_FUZZING`. This allows us to have a separate fuzzer
31		// binary for
32		#ifndef ENCODING_FOR_FUZZING
33		# error "ENCODING_FOR_FUZZING was not provided to this fuzz target."
34		#endif
35
36		// 16-byte deterministic hash key.
37		static unsigned char hash_key[16] = "FUZZING IS FUN!";
38
39		static void XMLCALL
40	3.55M	start(void userData, const XML_Char name, const XML_Char **atts) {
41	3.55M	(void)userData;
42	3.55M	(void)name;
43	3.55M	(void)atts;
44	3.55M	}
45		static void XMLCALL
46	911k	end(void userData, const XML_Char name) {
47	911k	(void)userData;
48	911k	(void)name;
49	911k	}
50
51		static void XMLCALL
52	23.9M	may_stop_character_handler(void userData, const XML_Char s, int len) {
53	23.9M	XML_Parser parser = (XML_Parser)userData;
54	23.9M	if (len > 1 && s[0] == 's') {
55	778	XML_StopParser(parser, s[1] == 'r' ? XML_FALSE : XML_TRUE);
56	778	}
57	23.9M	}
58
59		static void
60	80.8k	ParseOneInput(XML_Parser p, const uint8_t *data, size_t size) {
61		// Set the hash salt using siphash to generate a deterministic hash.
62	80.8k	struct sipkey *key = sip_keyof(hash_key);
63	80.8k	XML_SetHashSalt(p, (unsigned long)siphash24(data, size, key));
64	80.8k	(void)sip24_valid;
65
66	80.8k	XML_SetUserData(p, p);
67	80.8k	XML_SetElementHandler(p, start, end);
68	80.8k	XML_SetCharacterDataHandler(p, may_stop_character_handler);
69	80.8k	void *buf = XML_GetBuffer(p, size);
70	80.8k	assert(buf);
71	80.8k	memcpy(buf, data, size);
72	80.8k	XML_ParseBuffer(p, size, 0);
73	80.8k	buf = XML_GetBuffer(p, size);
74	80.8k	if (buf == NULL) {
75	112	return;
76	112	}
77	80.7k	memcpy(buf, data, size);
78	80.7k	if (XML_ParseBuffer(p, size, 1) == XML_STATUS_ERROR) {
79	78.6k	XML_ErrorString(XML_GetErrorCode(p));
80	78.6k	}
81	80.7k	XML_GetCurrentLineNumber(p);
82	80.7k	if (size % 2) {
83	34.5k	XML_ParserReset(p, NULL);
84	34.5k	}
85	80.7k	}
86
87		int
88	20.2k	LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
89	20.2k	if (size == 0)
90	0	return 0;
91
92	20.2k	XML_Parser parentParser = XML_ParserCreate(xstr(ENCODING_FOR_FUZZING));
93	20.2k	assert(parentParser);
94	20.2k	ParseOneInput(parentParser, data, size);
95		// not freed yet, but used later and freed then
96
97	20.2k	XML_Parser namespaceParser = XML_ParserCreateNS(NULL, '!');
98	20.2k	assert(namespaceParser);
99	20.2k	ParseOneInput(namespaceParser, data, size);
100	20.2k	XML_ParserFree(namespaceParser);
101
102	20.2k	XML_Parser externalEntityParser
103	20.2k	= XML_ExternalEntityParserCreate(parentParser, "e1", NULL);
104	20.2k	assert(externalEntityParser);
105	20.2k	ParseOneInput(externalEntityParser, data, size);
106	20.2k	XML_ParserFree(externalEntityParser);
107
108	20.2k	XML_Parser externalDtdParser
109	20.2k	= XML_ExternalEntityParserCreate(parentParser, NULL, NULL);
110	20.2k	assert(externalDtdParser);
111	20.2k	ParseOneInput(externalDtdParser, data, size);
112	20.2k	XML_ParserFree(externalDtdParser);
113
114		// finally frees this parser which served as parent
115	20.2k	XML_ParserFree(parentParser);
116	20.2k	return 0;
117	20.2k	}

Coverage Report

Created: 2024-05-20 06:20