Coverage Report

Created: 2025-07-11 06:36

/src/libxml2/fuzz/uri.c
/*
 * uri.c: a libFuzzer target to test the URI module.
 *
 * See Copyright for the status of this software.
 */
#include <libxml/uri.h>
#include "fuzz.h"
/**
 * libFuzzer one-time initialization hook for the URI fuzz target.
 *
 * Both arguments are marked ATTRIBUTE_UNUSED and are never read; the only
 * work done is a call to xmlFuzzMemSetup().
 *
 * NOTE(review): xmlFuzzMemSetup() comes from fuzz.h and is not visible here;
 * presumably it installs the harness's memory hooks -- confirm there.
 *
 * @param argc  unused
 * @param argv  unused
 * @return always 0
 */
int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED, char ***argv ATTRIBUTE_UNUSED)
{
    /* Harness memory setup must happen before the first test input runs. */
    xmlFuzzMemSetup();

    return 0;
}
/**
 * libFuzzer entry point: exercises the URI API with two fuzzer-derived
 * strings.
 *
 * Inputs larger than 10000 bytes are skipped. Otherwise the buffer is handed
 * to the fuzz.h helpers, which yield a 4-byte integer (reduced modulo
 * size * 8 + 100 and passed to xmlFuzzInjectFailure) followed by two strings.
 * Each call whose result is verified is bracketed by xmlFuzzResetFailure()
 * and xmlFuzzCheckFailureReport(); the latter receives a label, the condition
 * this harness treats as "the call reported failure", and a literal 0.
 * Calls that are not bracketed only have their result freed.
 *
 * The statement order is significant: the injection position is armed once
 * and every API call below runs under it.
 *
 * NOTE(review): the xmlFuzz* helpers are declared in fuzz.h and are not
 * visible here; they presumably implement allocation-failure injection and
 * reporting -- confirm against fuzz.h.
 *
 * @param data  raw fuzzer input
 * @param size  length of data in bytes
 * @return always 0
 */
int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    const char *first, *second;
    size_t injectAt;
    xmlURIPtr parsed;
    xmlChar *out;
    char *pathCopy;
    int rc;

    /* Bound the work per input: oversized inputs are dropped untouched. */
    if (size > 10000) {
        return 0;
    }

    /*
     * Carve the input into the injection position and the two test strings.
     * The modulus is at least 100, so it can never be zero.
     */
    xmlFuzzDataInit(data, size);
    injectAt = xmlFuzzReadInt(4) % (size * 8 + 100);
    first = xmlFuzzReadString(NULL);
    second = xmlFuzzReadString(NULL);

    xmlFuzzInjectFailure(injectAt);

    /*
     * NOTE(review): `parsed` is read right after this call without having
     * been initialized, so the harness relies on xmlParseURISafe() storing
     * through its out-parameter on every path -- confirm in the library.
     * Leaving it uninitialized also lets a memory sanitizer flag a path that
     * forgets to store.
     */
    xmlFuzzResetFailure();
    rc = xmlParseURISafe(first, &parsed);
    xmlFuzzCheckFailureReport("xmlParseURISafe", rc == -1, 0);

    if (parsed != NULL) {
        /* Round-trip a successfully parsed URI back to a string. */
        xmlFuzzResetFailure();
        out = xmlSaveUri(parsed);
        xmlFuzzCheckFailureReport("xmlSaveURI", out == NULL, 0);
        xmlFree(out);
        xmlFreeURI(parsed);
    }

    /* Unchecked variant: the result is only released. */
    parsed = xmlParseURI(first);
    xmlFreeURI(parsed);

    /* Unchecked raw parse; its result (possibly NULL) is saved and freed. */
    parsed = xmlParseURIRaw(first, 1);
    out = xmlSaveUri(parsed);
    xmlFree(out);
    xmlFreeURI(parsed);

    /*
     * For the string-returning calls below, a NULL result counts as a
     * reported failure only when the input string itself was non-NULL.
     */
    xmlFuzzResetFailure();
    out = BAD_CAST xmlURIUnescapeString(first, -1, NULL);
    xmlFuzzCheckFailureReport("xmlURIUnescapeString",
                              first != NULL && out == NULL, 0);
    xmlFree(out);

    out = xmlURIEscape(BAD_CAST first);
    xmlFree(out);

    xmlFuzzResetFailure();
    out = xmlCanonicPath(BAD_CAST first);
    xmlFuzzCheckFailureReport("xmlCanonicPath",
                              first != NULL && out == NULL, 0);
    xmlFree(out);

    xmlFuzzResetFailure();
    out = xmlPathToURI(BAD_CAST first);
    xmlFuzzCheckFailureReport("xmlPathToURI",
                              first != NULL && out == NULL, 0);
    xmlFree(out);

    /*
     * The two-string calls take `second` as their first argument and `first`
     * as their second.
     * NOTE(review): `out` is freed after each *Safe call regardless of rc,
     * which assumes the callee always stores through the out-parameter --
     * confirm in the library.
     */
    xmlFuzzResetFailure();
    rc = xmlBuildURISafe(BAD_CAST second, BAD_CAST first, &out);
    xmlFuzzCheckFailureReport("xmlBuildURISafe", rc == -1, 0);
    xmlFree(out);

    out = xmlBuildURI(BAD_CAST second, BAD_CAST first);
    xmlFree(out);

    xmlFuzzResetFailure();
    rc = xmlBuildRelativeURISafe(BAD_CAST second, BAD_CAST first, &out);
    xmlFuzzCheckFailureReport("xmlBuildRelativeURISafe", rc == -1, 0);
    xmlFree(out);

    out = xmlBuildRelativeURI(BAD_CAST second, BAD_CAST first);
    xmlFree(out);

    xmlFuzzResetFailure();
    out = xmlURIEscapeStr(BAD_CAST first, BAD_CAST second);
    xmlFuzzCheckFailureReport("xmlURIEscapeStr",
                              first != NULL && out == NULL, 0);
    xmlFree(out);

    /* `first` is const, so path normalization runs on a private duplicate. */
    pathCopy = (char *) xmlCharStrdup(first);
    xmlNormalizeURIPath(pathCopy);
    xmlFree(pathCopy);

    /* presumably disarms injection before the input buffers are released */
    xmlFuzzInjectFailure(0);
    xmlFuzzDataCleanup();

    return 0;
}
/**
 * libFuzzer custom mutator hook for the URI fuzz target.
 *
 * Describes the input as one 4-byte chunk (the failure position read first
 * by the test function) with weight XML_FUZZ_PROB_ONE / 10, terminated by a
 * { 0, 0 } entry, and forwards the mutation to xmlFuzzMutateChunks() with
 * LLVMFuzzerMutate as the callback.
 *
 * NOTE(review): the meaning of the second chunk field and the behaviour of
 * xmlFuzzMutateChunks() are defined in fuzz.h, not visible here -- confirm.
 *
 * @param data     input buffer to mutate
 * @param size     current number of bytes in data
 * @param maxSize  capacity of data
 * @param seed     mutation seed supplied by libFuzzer
 * @return the value returned by xmlFuzzMutateChunks()
 */
size_t
LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize, unsigned seed)
{
    static const xmlFuzzChunkDesc layout[] = {
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* 4-byte failure position */
        { 0, 0 }                       /* end of table */
    };
    size_t mutatedSize;

    mutatedSize = xmlFuzzMutateChunks(layout, data, size, maxSize, seed,
                                      LLVMFuzzerMutate);
    return mutatedSize;
}