Coverage Report

Created: 2025-07-11 06:36

/src/libxml2/fuzz/regexp.c
/*
 * regexp.c: a libFuzzer target to test the regexp module.
 *
 * See Copyright for the status of this software.
 */
#include <stdio.h>
#include <stdlib.h>
#include <libxml/xmlregexp.h>
#include "fuzz.h"
/**
 * libFuzzer start-up hook for the regexp target.
 *
 * Both arguments are ignored. The only work done is the call to
 * xmlFuzzMemSetup() from the shared fuzz helpers (fuzz.h).
 * NOTE(review): presumably this installs the allocator hooks that
 * LLVMFuzzerTestOneInput() relies on for malloc-failure injection;
 * confirm in the fuzz helper sources.
 *
 * Coverage report for this listing: entered 2 times.
 *
 * @return always 0
 */
int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    /* Must happen before the first test case runs. */
    xmlFuzzMemSetup();

    return(0);
}
/**
 * libFuzzer entry point: compile one fuzz-supplied regular expression
 * with an allocation failure armed, and crash if that failure is
 * silently swallowed.
 *
 * Input layout, as consumed below: a 4-byte integer (reduced to the
 * failure position) followed by the pattern string.
 *
 * Scope caveat: only xmlRegexpCompile() is exercised. Matching with
 * xmlRegexpExec() is compiled out, so this target gives no coverage of
 * the matcher.
 *
 * Coverage report for this listing: body entered 6.55k times, the
 * oversize early return taken 2 times, the abort() branch 0 times.
 *
 * @param data  raw fuzz input
 * @param size  length of data in bytes; inputs above 200 are skipped
 * @return always 0
 */
int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlRegexpPtr regexp;
    size_t failureRange;
    size_t failurePos;
    const char *str1;

    /* Oversized inputs are dropped before any fuzz state is set up. */
    if (size > 200) {
        return(0);
    }

    xmlFuzzDataInit(data, size);

    /*
     * The modulus grows with the input length and is never zero
     * (at least 100), so the reduction below cannot divide by zero.
     * NOTE(review): failurePos is presumably the index of the
     * allocation that xmlFuzzInjectFailure() will fail; confirm in the
     * fuzz helper sources.
     */
    failureRange = size * 8 + 100;
    failurePos = xmlFuzzReadInt(4) % failureRange;

    /*
     * NOTE(review): str1 is handed to xmlRegexpCompile() unchecked;
     * confirm whether xmlFuzzReadString() can return NULL here and
     * that the compiler tolerates it.
     */
    str1 = xmlFuzzReadString(NULL);

    xmlFuzzInjectFailure(failurePos);
    regexp = xmlRegexpCompile(BAD_CAST str1);

    /*
     * Oracle: when an allocation failure was recorded, the compile must
     * not hand back a regexp. A non-NULL result means the library lost
     * the error, so abort() to make the fuzzer record a crash.
     */
    if (xmlFuzzMallocFailed()) {
        if (regexp != NULL) {
            fprintf(stderr, "malloc failure not reported\n");
            abort();
        }
    }

    /* xmlRegexpExec has pathological performance in too many cases. */
    /*
     * The disabled call refers to str2, which this function does not
     * declare; re-enabling it needs a second string read from the input.
     */
#if 0
    xmlRegexpExec(regexp, BAD_CAST str2);
#endif

    /* regexp may be NULL here; the free call is made unconditionally. */
    xmlRegFreeRegexp(regexp);

    /*
     * Tear-down so that state does not leak into the next input.
     * NOTE(review): passing 0 presumably disarms failure injection.
     */
    xmlFuzzInjectFailure(0);
    xmlFuzzDataCleanup();
    xmlResetLastError();

    return(0);
}
/**
 * libFuzzer custom mutator: delegates to xmlFuzzMutateChunks() with a
 * description of this target's input layout, and passes
 * LLVMFuzzerMutate as the underlying mutation callback.
 *
 * Coverage report for this listing: every line of this function has a
 * count of 0, i.e. the mutator was not called in that run.
 *
 * @param data     input buffer, mutated in place
 * @param size     current number of bytes in data
 * @param maxSize  capacity of data
 * @param seed     seed forwarded to xmlFuzzMutateChunks()
 * @return the value returned by xmlFuzzMutateChunks()
 */
size_t
LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
                        unsigned seed) {
    /*
     * One described chunk: the 4-byte failurePos header that
     * LLVMFuzzerTestOneInput() reads with xmlFuzzReadInt(4).
     * NOTE(review): the second field is presumably the probability of
     * mutating that chunk, and { 0, 0 } presumably ends the table;
     * confirm against the xmlFuzzChunkDesc definition.
     */
    static const xmlFuzzChunkDesc layout[] = {
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
        { 0, 0 }
    };
    size_t mutatedSize;

    mutatedSize = xmlFuzzMutateChunks(layout, data, size, maxSize, seed,
                                      LLVMFuzzerMutate);
    return mutatedSize;
}