Coverage Report

Created: 2024-05-20 06:20

/src/expat/expat/fuzz/xml_parsebuffer_fuzzer.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (C) 2016 The Android Open Source Project
3
 *
4
 * Licensed under the Apache License, Version 2.0 (the "License");
5
 * you may not use this file except in compliance with the License.
6
 * You may obtain a copy of the License at
7
 *
8
 *      http://www.apache.org/licenses/LICENSE-2.0
9
 *
10
 * Unless required by applicable law or agreed to in writing, software
11
 * distributed under the License is distributed on an "AS IS" BASIS,
12
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
 * See the License for the specific language governing permissions and
14
 * limitations under the License.
15
 */
16
17
#include <assert.h>
18
#include <stdint.h>
19
#include <string.h>
20
21
#include "expat.h"
22
#include "siphash.h"
23
24
// Macros to convert preprocessor macros to string literals. See
25
// https://gcc.gnu.org/onlinedocs/gcc-3.4.3/cpp/Stringification.html
26
20.2k
#define xstr(s) str(s)
27
20.2k
#define str(s) #s
28
29
// The encoder type that we wish to fuzz should come from the compile-time
30
// definition `ENCODING_FOR_FUZZING`. This allows us to have a separate fuzzer
31
// binary for
32
#ifndef ENCODING_FOR_FUZZING
33
#  error "ENCODING_FOR_FUZZING was not provided to this fuzz target."
34
#endif
35
36
// 16-byte deterministic hash key.
37
static unsigned char hash_key[16] = "FUZZING IS FUN!";
38
39
static void XMLCALL
40
3.55M
start(void *userData, const XML_Char *name, const XML_Char **atts) {
41
3.55M
  (void)userData;
42
3.55M
  (void)name;
43
3.55M
  (void)atts;
44
3.55M
}
45
static void XMLCALL
46
911k
end(void *userData, const XML_Char *name) {
47
911k
  (void)userData;
48
911k
  (void)name;
49
911k
}
50
51
static void XMLCALL
52
23.9M
may_stop_character_handler(void *userData, const XML_Char *s, int len) {
53
23.9M
  XML_Parser parser = (XML_Parser)userData;
54
23.9M
  if (len > 1 && s[0] == 's') {
55
778
    XML_StopParser(parser, s[1] == 'r' ? XML_FALSE : XML_TRUE);
56
778
  }
57
23.9M
}
58
59
static void
60
80.8k
ParseOneInput(XML_Parser p, const uint8_t *data, size_t size) {
61
  // Set the hash salt using siphash to generate a deterministic hash.
62
80.8k
  struct sipkey *key = sip_keyof(hash_key);
63
80.8k
  XML_SetHashSalt(p, (unsigned long)siphash24(data, size, key));
64
80.8k
  (void)sip24_valid;
65
66
80.8k
  XML_SetUserData(p, p);
67
80.8k
  XML_SetElementHandler(p, start, end);
68
80.8k
  XML_SetCharacterDataHandler(p, may_stop_character_handler);
69
80.8k
  void *buf = XML_GetBuffer(p, size);
70
80.8k
  assert(buf);
71
80.8k
  memcpy(buf, data, size);
72
80.8k
  XML_ParseBuffer(p, size, 0);
73
80.8k
  buf = XML_GetBuffer(p, size);
74
80.8k
  if (buf == NULL) {
75
112
    return;
76
112
  }
77
80.7k
  memcpy(buf, data, size);
78
80.7k
  if (XML_ParseBuffer(p, size, 1) == XML_STATUS_ERROR) {
79
78.6k
    XML_ErrorString(XML_GetErrorCode(p));
80
78.6k
  }
81
80.7k
  XML_GetCurrentLineNumber(p);
82
80.7k
  if (size % 2) {
83
34.5k
    XML_ParserReset(p, NULL);
84
34.5k
  }
85
80.7k
}
86
87
int
88
20.2k
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
89
20.2k
  if (size == 0)
90
0
    return 0;
91
92
20.2k
  XML_Parser parentParser = XML_ParserCreate(xstr(ENCODING_FOR_FUZZING));
93
20.2k
  assert(parentParser);
94
20.2k
  ParseOneInput(parentParser, data, size);
95
  // not freed yet, but used later and freed then
96
97
20.2k
  XML_Parser namespaceParser = XML_ParserCreateNS(NULL, '!');
98
20.2k
  assert(namespaceParser);
99
20.2k
  ParseOneInput(namespaceParser, data, size);
100
20.2k
  XML_ParserFree(namespaceParser);
101
102
20.2k
  XML_Parser externalEntityParser
103
20.2k
      = XML_ExternalEntityParserCreate(parentParser, "e1", NULL);
104
20.2k
  assert(externalEntityParser);
105
20.2k
  ParseOneInput(externalEntityParser, data, size);
106
20.2k
  XML_ParserFree(externalEntityParser);
107
108
20.2k
  XML_Parser externalDtdParser
109
20.2k
      = XML_ExternalEntityParserCreate(parentParser, NULL, NULL);
110
20.2k
  assert(externalDtdParser);
111
20.2k
  ParseOneInput(externalDtdParser, data, size);
112
20.2k
  XML_ParserFree(externalDtdParser);
113
114
  // finally frees this parser which served as parent
115
20.2k
  XML_ParserFree(parentParser);
116
20.2k
  return 0;
117
20.2k
}