/src/expat/expat/fuzz/xml_parsebuffer_fuzzer.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2016 The Android Open Source Project |
3 | | * |
4 | | * Licensed under the Apache License, Version 2.0 (the "License"); |
5 | | * you may not use this file except in compliance with the License. |
6 | | * You may obtain a copy of the License at |
7 | | * |
8 | | * http://www.apache.org/licenses/LICENSE-2.0 |
9 | | * |
10 | | * Unless required by applicable law or agreed to in writing, software |
11 | | * distributed under the License is distributed on an "AS IS" BASIS, |
12 | | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
13 | | * See the License for the specific language governing permissions and |
14 | | * limitations under the License. |
15 | | */ |
16 | | |
17 | | #include <assert.h> |
18 | | #include <stdint.h> |
19 | | #include <string.h> |
20 | | |
21 | | #include "expat.h" |
22 | | #include "siphash.h" |
23 | | |
24 | | // Macros to convert preprocessor macros to string literals. See |
25 | | // https://gcc.gnu.org/onlinedocs/gcc-3.4.3/cpp/Stringification.html |
26 | 20.2k | #define xstr(s) str(s) |
27 | 20.2k | #define str(s) #s |
28 | | |
29 | | // The encoder type that we wish to fuzz should come from the compile-time |
30 | | // definition `ENCODING_FOR_FUZZING`. This allows us to have a separate fuzzer |
31 | | // binary for |
32 | | #ifndef ENCODING_FOR_FUZZING |
33 | | # error "ENCODING_FOR_FUZZING was not provided to this fuzz target." |
34 | | #endif |
35 | | |
36 | | // 16-byte deterministic hash key. |
37 | | static unsigned char hash_key[16] = "FUZZING IS FUN!"; |
38 | | |
39 | | static void XMLCALL |
40 | 3.55M | start(void *userData, const XML_Char *name, const XML_Char **atts) { |
41 | 3.55M | (void)userData; |
42 | 3.55M | (void)name; |
43 | 3.55M | (void)atts; |
44 | 3.55M | } |
45 | | static void XMLCALL |
46 | 911k | end(void *userData, const XML_Char *name) { |
47 | 911k | (void)userData; |
48 | 911k | (void)name; |
49 | 911k | } |
50 | | |
51 | | static void XMLCALL |
52 | 23.9M | may_stop_character_handler(void *userData, const XML_Char *s, int len) { |
53 | 23.9M | XML_Parser parser = (XML_Parser)userData; |
54 | 23.9M | if (len > 1 && s[0] == 's') { |
55 | 778 | XML_StopParser(parser, s[1] == 'r' ? XML_FALSE : XML_TRUE); |
56 | 778 | } |
57 | 23.9M | } |
58 | | |
59 | | static void |
60 | 80.8k | ParseOneInput(XML_Parser p, const uint8_t *data, size_t size) { |
61 | | // Set the hash salt using siphash to generate a deterministic hash. |
62 | 80.8k | struct sipkey *key = sip_keyof(hash_key); |
63 | 80.8k | XML_SetHashSalt(p, (unsigned long)siphash24(data, size, key)); |
64 | 80.8k | (void)sip24_valid; |
65 | | |
66 | 80.8k | XML_SetUserData(p, p); |
67 | 80.8k | XML_SetElementHandler(p, start, end); |
68 | 80.8k | XML_SetCharacterDataHandler(p, may_stop_character_handler); |
69 | 80.8k | void *buf = XML_GetBuffer(p, size); |
70 | 80.8k | assert(buf); |
71 | 80.8k | memcpy(buf, data, size); |
72 | 80.8k | XML_ParseBuffer(p, size, 0); |
73 | 80.8k | buf = XML_GetBuffer(p, size); |
74 | 80.8k | if (buf == NULL) { |
75 | 112 | return; |
76 | 112 | } |
77 | 80.7k | memcpy(buf, data, size); |
78 | 80.7k | if (XML_ParseBuffer(p, size, 1) == XML_STATUS_ERROR) { |
79 | 78.6k | XML_ErrorString(XML_GetErrorCode(p)); |
80 | 78.6k | } |
81 | 80.7k | XML_GetCurrentLineNumber(p); |
82 | 80.7k | if (size % 2) { |
83 | 34.5k | XML_ParserReset(p, NULL); |
84 | 34.5k | } |
85 | 80.7k | } |
86 | | |
87 | | int |
88 | 20.2k | LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
89 | 20.2k | if (size == 0) |
90 | 0 | return 0; |
91 | | |
92 | 20.2k | XML_Parser parentParser = XML_ParserCreate(xstr(ENCODING_FOR_FUZZING)); |
93 | 20.2k | assert(parentParser); |
94 | 20.2k | ParseOneInput(parentParser, data, size); |
95 | | // not freed yet, but used later and freed then |
96 | | |
97 | 20.2k | XML_Parser namespaceParser = XML_ParserCreateNS(NULL, '!'); |
98 | 20.2k | assert(namespaceParser); |
99 | 20.2k | ParseOneInput(namespaceParser, data, size); |
100 | 20.2k | XML_ParserFree(namespaceParser); |
101 | | |
102 | 20.2k | XML_Parser externalEntityParser |
103 | 20.2k | = XML_ExternalEntityParserCreate(parentParser, "e1", NULL); |
104 | 20.2k | assert(externalEntityParser); |
105 | 20.2k | ParseOneInput(externalEntityParser, data, size); |
106 | 20.2k | XML_ParserFree(externalEntityParser); |
107 | | |
108 | 20.2k | XML_Parser externalDtdParser |
109 | 20.2k | = XML_ExternalEntityParserCreate(parentParser, NULL, NULL); |
110 | 20.2k | assert(externalDtdParser); |
111 | 20.2k | ParseOneInput(externalDtdParser, data, size); |
112 | 20.2k | XML_ParserFree(externalDtdParser); |
113 | | |
114 | | // finally frees this parser which served as parent |
115 | 20.2k | XML_ParserFree(parentParser); |
116 | 20.2k | return 0; |
117 | 20.2k | } |