Coverage Report

Created: 2023-06-07 06:50

/src/libxml2/fuzz/xpath.c
/*
 * xpath.c: a libFuzzer target to test XPath and XPointer expressions.
 *
 * See Copyright for the status of this software.
 */
#include <libxml/parser.h>
#include <libxml/xpointer.h>
#include "fuzz.h"
/**
 * LLVMFuzzerInitialize:
 * @argc:  unused
 * @argv:  unused
 *
 * One-time libFuzzer setup: installs the fuzzer's memory hooks
 * (xmlFuzzMemSetup) before the parser is initialized, then routes
 * libxml2's generic error output to xmlFuzzErrorFunc so error reporting
 * does not hit stderr on every input.
 *
 * Returns 0 (libFuzzer ignores anything else).
 */
int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED, char ***argv ATTRIBUTE_UNUSED) {
    /* Memory hooks first: presumably they must be in place before
     * xmlInitParser allocates anything — see fuzz.h. */
    xmlFuzzMemSetup();
    xmlInitParser();
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
    return 0;
}
/* Bounds applied to every fuzz input: inputs above XPATH_FUZZ_MAX_INPUT
 * bytes are rejected outright, and XPath evaluation is capped at
 * XPATH_FUZZ_OP_LIMIT operations so a single input cannot run forever. */
enum {
    XPATH_FUZZ_MAX_INPUT = 10000,
    XPATH_FUZZ_OP_LIMIT = 500000
};

/**
 * LLVMFuzzerTestOneInput:
 * @data:  fuzzer-provided bytes (not NUL-terminated)
 * @size:  number of bytes in @data
 *
 * Splits the input into an allocation limit, an XPath/XPointer expression
 * and an XML document (via the xmlFuzzRead* helpers), parses the document
 * in recovery mode and evaluates the expression against it. The
 * allocation limit is only active while the XPath context is alive; it is
 * lifted again before the document is freed.
 *
 * Returns 0 on every path, as libFuzzer expects.
 */
int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    /* Oversized inputs are dropped before any fuzz state is touched. */
    if (size > XPATH_FUZZ_MAX_INPUT)
        return 0;

    xmlFuzzDataInit(data, size);

    /* The limit comes from the first four input bytes; the modulus keeps it
     * within [0, size] regardless of what the fuzzer supplies. */
    size_t allocLimit = xmlFuzzReadInt(4) % (size + 1);
    size_t exprSize;
    size_t xmlSize;
    const char *expr = xmlFuzzReadString(&exprSize);
    const char *xml = xmlFuzzReadString(&xmlSize);

    /* Recovery mode allows more input to be fuzzed. */
    xmlDocPtr document = xmlReadMemory(xml, xmlSize, NULL, NULL,
                                       XML_PARSE_RECOVER);
    if (document == NULL)
        goto done;

    xmlFuzzMemSetLimit(allocLimit);

    xmlXPathContextPtr ctx = xmlXPathNewContext(document);
    if (ctx != NULL) {
        /* Operation limit to avoid timeout */
        ctx->opLimit = XPATH_FUZZ_OP_LIMIT;

        /* xmlXPtrEval may return NULL (error or allocation failure);
         * xmlXPathFreeObject is expected to tolerate that, as the
         * original code relies on it. */
        xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, ctx));
        xmlXPathFreeContext(ctx);
    }

    /* 0 presumably disables the limit — confirm against fuzz.h. */
    xmlFuzzMemSetLimit(0);
    xmlFreeDoc(document);

done:
    xmlFuzzDataCleanup();
    xmlResetLastError();
    return 0;
}