/src/expat/expat/fuzz/xml_parsebuffer_fuzzer.c

Source
/*
 * Copyright (C) 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <assert.h>
#include <limits.h> // for INT_MAX
#include <stdint.h>
#include <string.h>

#include "expat.h"
#include "siphash.h"

// Macros to convert preprocessor macros to string literals. See
// https://gcc.gnu.org/onlinedocs/gcc-3.4.3/cpp/Stringification.html
#define xstr(s) str(s)
#define str(s) #s

// The encoder type that we wish to fuzz should come from the compile-time
// definition `ENCODING_FOR_FUZZING`. This allows us to have a separate fuzzer
// binary for
#ifndef ENCODING_FOR_FUZZING
#  error "ENCODING_FOR_FUZZING was not provided to this fuzz target."
#endif

// 16-byte deterministic hash key.
static unsigned char hash_key[16] = "FUZZING IS FUN!";

static void XMLCALL
start(void *userData, const XML_Char *name, const XML_Char **atts) {
  (void)userData;
  (void)name;
  (void)atts;
}
static void XMLCALL
end(void *userData, const XML_Char *name) {
  (void)userData;
  (void)name;
}

static void XMLCALL
may_stop_character_handler(void *userData, const XML_Char *s, int len) {
  XML_Parser parser = (XML_Parser)userData;
  if (len > 1 && s[0] == 's') {
    XML_StopParser(parser, s[1] == 'r' ? XML_FALSE : XML_TRUE);
  }
}

static void
ParseOneInput(XML_Parser p, const uint8_t *data, size_t size) {
  // Set the hash salt using siphash to generate a deterministic hash.
  struct sipkey *key = sip_keyof(hash_key);
  XML_SetHashSalt(p, (unsigned long)siphash24(data, size, key));
  (void)sip24_valid;

  XML_SetUserData(p, p);
  XML_SetElementHandler(p, start, end);
  XML_SetCharacterDataHandler(p, may_stop_character_handler);
  assert(size <= INT_MAX);
  void *buf = XML_GetBuffer(p, (int)size);
  assert(buf);
  memcpy(buf, data, size);
  XML_ParseBuffer(p, (int)size, 0);
  buf = XML_GetBuffer(p, (int)size);
  if (buf == NULL) {
    return;
  }
  memcpy(buf, data, size);
  if (XML_ParseBuffer(p, (int)size, 1) == XML_STATUS_ERROR) {
    XML_ErrorString(XML_GetErrorCode(p));
  }
  XML_GetCurrentLineNumber(p);
  if (size % 2) {
    XML_ParserReset(p, NULL);
  }
}

int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size == 0)
    return 0;

  XML_Parser parentParser = XML_ParserCreate(xstr(ENCODING_FOR_FUZZING));
  assert(parentParser);
  ParseOneInput(parentParser, data, size);
  // not freed yet, but used later and freed then

  XML_Parser namespaceParser = XML_ParserCreateNS(NULL, '!');
  assert(namespaceParser);
  ParseOneInput(namespaceParser, data, size);
  XML_ParserFree(namespaceParser);

  XML_Parser externalEntityParser
      = XML_ExternalEntityParserCreate(parentParser, "e1", NULL);
  if (externalEntityParser != NULL) {
    ParseOneInput(externalEntityParser, data, size);
    XML_ParserFree(externalEntityParser);
  }

  XML_Parser externalDtdParser
      = XML_ExternalEntityParserCreate(parentParser, NULL, NULL);
  if (externalDtdParser != NULL) {
    ParseOneInput(externalDtdParser, data, size);
    XML_ParserFree(externalDtdParser);
  }

  // finally frees this parser which served as parent
  XML_ParserFree(parentParser);
  return 0;
}

Line	Count	Source
1		/*
2		* Copyright (C) 2016 The Android Open Source Project
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* https://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*/
16
17		#include <assert.h>
18		#include <limits.h> // for INT_MAX
19		#include <stdint.h>
20		#include <string.h>
21
22		#include "expat.h"
23		#include "siphash.h"
24
25		// Macros to convert preprocessor macros to string literals. See
26		// https://gcc.gnu.org/onlinedocs/gcc-3.4.3/cpp/Stringification.html
27	137k	#define xstr(s) str(s)
28	137k	#define str(s) #s
29
30		// The encoder type that we wish to fuzz should come from the compile-time
31		// definition `ENCODING_FOR_FUZZING`. This allows us to have a separate fuzzer
32		// binary for
33		#ifndef ENCODING_FOR_FUZZING
34		# error "ENCODING_FOR_FUZZING was not provided to this fuzz target."
35		#endif
36
37		// 16-byte deterministic hash key.
38		static unsigned char hash_key[16] = "FUZZING IS FUN!";
39
40		static void XMLCALL
41	184M	start(void userData, const XML_Char name, const XML_Char **atts) {
42	184M	(void)userData;
43	184M	(void)name;
44	184M	(void)atts;
45	184M	}
46		static void XMLCALL
47	10.4M	end(void userData, const XML_Char name) {
48	10.4M	(void)userData;
49	10.4M	(void)name;
50	10.4M	}
51
52		static void XMLCALL
53	81.1M	may_stop_character_handler(void userData, const XML_Char s, int len) {
54	81.1M	XML_Parser parser = (XML_Parser)userData;
55	81.1M	if (len > 1 && s[0] == 's') {
56	3.93k	XML_StopParser(parser, s[1] == 'r' ? XML_FALSE : XML_TRUE);
57	3.93k	}
58	81.1M	}
59
60		static void
61	548k	ParseOneInput(XML_Parser p, const uint8_t *data, size_t size) {
62		// Set the hash salt using siphash to generate a deterministic hash.
63	548k	struct sipkey *key = sip_keyof(hash_key);
64	548k	XML_SetHashSalt(p, (unsigned long)siphash24(data, size, key));
65	548k	(void)sip24_valid;
66
67	548k	XML_SetUserData(p, p);
68	548k	XML_SetElementHandler(p, start, end);
69	548k	XML_SetCharacterDataHandler(p, may_stop_character_handler);
70	548k	assert(size <= INT_MAX);
71	548k	void *buf = XML_GetBuffer(p, (int)size);
72	548k	assert(buf);
73	548k	memcpy(buf, data, size);
74	548k	XML_ParseBuffer(p, (int)size, 0);
75	548k	buf = XML_GetBuffer(p, (int)size);
76	548k	if (buf == NULL) {
77	667	return;
78	667	}
79	548k	memcpy(buf, data, size);
80	548k	if (XML_ParseBuffer(p, (int)size, 1) == XML_STATUS_ERROR) {
81	531k	XML_ErrorString(XML_GetErrorCode(p));
82	531k	}
83	548k	XML_GetCurrentLineNumber(p);
84	548k	if (size % 2) {
85	224k	XML_ParserReset(p, NULL);
86	224k	}
87	548k	}
88
89		int
90	137k	LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
91	137k	if (size == 0)
92	0	return 0;
93
94	137k	XML_Parser parentParser = XML_ParserCreate(xstr(ENCODING_FOR_FUZZING));
95	137k	assert(parentParser);
96	137k	ParseOneInput(parentParser, data, size);
97		// not freed yet, but used later and freed then
98
99	137k	XML_Parser namespaceParser = XML_ParserCreateNS(NULL, '!');
100	137k	assert(namespaceParser);
101	137k	ParseOneInput(namespaceParser, data, size);
102	137k	XML_ParserFree(namespaceParser);
103
104	137k	XML_Parser externalEntityParser
105	137k	= XML_ExternalEntityParserCreate(parentParser, "e1", NULL);
106	137k	if (externalEntityParser != NULL) {
107	136k	ParseOneInput(externalEntityParser, data, size);
108	136k	XML_ParserFree(externalEntityParser);
109	136k	}
110
111	137k	XML_Parser externalDtdParser
112	137k	= XML_ExternalEntityParserCreate(parentParser, NULL, NULL);
113	137k	if (externalDtdParser != NULL) {
114	137k	ParseOneInput(externalDtdParser, data, size);
115	137k	XML_ParserFree(externalDtdParser);
116	137k	}
117
118		// finally frees this parser which served as parent
119	137k	XML_ParserFree(parentParser);
120	137k	return 0;
121	137k	}

Coverage Report

Created: 2026-04-12 06:11