Coverage Report

Created: 2025-07-04 06:34

/src/expat/expat/fuzz/xml_parse_fuzzer.c
Line
Count
Source
1
/*
2
 * Copyright (C) 2016 The Android Open Source Project
3
 *
4
 * Licensed under the Apache License, Version 2.0 (the "License");
5
 * you may not use this file except in compliance with the License.
6
 * You may obtain a copy of the License at
7
 *
8
 *      https://www.apache.org/licenses/LICENSE-2.0
9
 *
10
 * Unless required by applicable law or agreed to in writing, software
11
 * distributed under the License is distributed on an "AS IS" BASIS,
12
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
 * See the License for the specific language governing permissions and
14
 * limitations under the License.
15
 */
16
17
#include <assert.h>
18
#include <limits.h> // for INT_MAX
19
#include <stdint.h>
20
21
#include "expat.h"
22
#include "siphash.h"
23
24
// Macros to convert preprocessor macros to string literals. See
25
// https://gcc.gnu.org/onlinedocs/gcc-3.4.3/cpp/Stringification.html
26
127k
#define xstr(s) str(s)
27
127k
#define str(s) #s
28
29
// The encoder type that we wish to fuzz should come from the compile-time
30
// definition `ENCODING_FOR_FUZZING`. This allows us to have a separate fuzzer
31
// binary for
32
#ifndef ENCODING_FOR_FUZZING
33
#  error "ENCODING_FOR_FUZZING was not provided to this fuzz target."
34
#endif
35
36
// 16-byte deterministic hash key.
37
static unsigned char hash_key[16] = "FUZZING IS FUN!";
38
39
static void XMLCALL
40
57.0M
start(void *userData, const XML_Char *name, const XML_Char **atts) {
41
57.0M
  (void)userData;
42
57.0M
  (void)name;
43
57.0M
  (void)atts;
44
57.0M
}
45
static void XMLCALL
46
10.4M
end(void *userData, const XML_Char *name) {
47
10.4M
  (void)userData;
48
10.4M
  (void)name;
49
10.4M
}
50
51
static void XMLCALL
52
63.3M
may_stop_character_handler(void *userData, const XML_Char *s, int len) {
53
63.3M
  XML_Parser parser = (XML_Parser)userData;
54
63.3M
  if (len > 1 && s[0] == 's') {
55
3.67k
    XML_StopParser(parser, s[1] == 'r' ? XML_FALSE : XML_TRUE);
56
3.67k
  }
57
63.3M
}
58
59
static void
60
508k
ParseOneInput(XML_Parser p, const uint8_t *data, size_t size) {
61
  // Set the hash salt using siphash to generate a deterministic hash.
62
508k
  struct sipkey *key = sip_keyof(hash_key);
63
508k
  XML_SetHashSalt(p, (unsigned long)siphash24(data, size, key));
64
508k
  (void)sip24_valid;
65
66
508k
  XML_SetUserData(p, p);
67
508k
  XML_SetElementHandler(p, start, end);
68
508k
  XML_SetCharacterDataHandler(p, may_stop_character_handler);
69
508k
  assert(size <= INT_MAX);
70
508k
  XML_Parse(p, (const XML_Char *)data, (int)size, 0);
71
508k
  if (XML_Parse(p, (const XML_Char *)data, (int)size, 1) == XML_STATUS_ERROR) {
72
492k
    XML_ErrorString(XML_GetErrorCode(p));
73
492k
  }
74
508k
  XML_GetCurrentLineNumber(p);
75
508k
  if (size % 2) {
76
210k
    XML_ParserReset(p, NULL);
77
210k
  }
78
508k
}
79
80
int
81
127k
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
82
127k
  XML_Parser parentParser = XML_ParserCreate(xstr(ENCODING_FOR_FUZZING));
83
127k
  assert(parentParser);
84
127k
  ParseOneInput(parentParser, data, size);
85
  // not freed yet, but used later and freed then
86
87
127k
  XML_Parser namespaceParser = XML_ParserCreateNS(NULL, '!');
88
127k
  assert(namespaceParser);
89
127k
  ParseOneInput(namespaceParser, data, size);
90
127k
  XML_ParserFree(namespaceParser);
91
92
127k
  XML_Parser externalEntityParser
93
127k
      = XML_ExternalEntityParserCreate(parentParser, "e1", NULL);
94
127k
  assert(externalEntityParser);
95
127k
  ParseOneInput(externalEntityParser, data, size);
96
127k
  XML_ParserFree(externalEntityParser);
97
98
127k
  XML_Parser externalDtdParser
99
127k
      = XML_ExternalEntityParserCreate(parentParser, NULL, NULL);
100
127k
  assert(externalDtdParser);
101
127k
  ParseOneInput(externalDtdParser, data, size);
102
127k
  XML_ParserFree(externalDtdParser);
103
104
  // finally frees this parser which served as parent
105
127k
  XML_ParserFree(parentParser);
106
127k
  return 0;
107
127k
}