/src/libxml2/fuzz/xml.c

Source
/*
 * xml.c: a libFuzzer target to test several XML parser interfaces.
 *
 * See Copyright for the status of this software.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <libxml/catalog.h>
#include <libxml/parser.h>
#include <libxml/tree.h>
#include <libxml/xmlerror.h>
#include <libxml/xmlsave.h>
#include "fuzz.h"

int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    xmlFuzzMemSetup();
    xmlInitParser();
#ifdef LIBXML_CATALOG_ENABLED
    xmlInitializeCatalog();
    xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
#endif

    return 0;
}

int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlParserCtxtPtr ctxt;
    xmlDocPtr doc;
    const char *docBuffer, *docUrl;
    size_t failurePos, docSize, maxChunkSize;
    int opts;
    int errorCode;
#ifdef LIBXML_OUTPUT_ENABLED
    xmlBufferPtr outbuf = NULL;
    const char *saveEncoding;
    int saveOpts;
#endif

    xmlFuzzDataInit(data, size);
    opts = (int) xmlFuzzReadInt(4);
    /*
     * Disable options that are known to cause timeouts
     */
    opts &= ~XML_PARSE_DTDVALID &
            ~XML_PARSE_SAX1;
    failurePos = xmlFuzzReadInt(4) % (size + 100);

    maxChunkSize = xmlFuzzReadInt(4) % (size + size / 8 + 1);
    if (maxChunkSize == 0)
        maxChunkSize = 1;

#ifdef LIBXML_OUTPUT_ENABLED
    /* TODO: Take from fuzz data */
    saveOpts = 0;
    saveEncoding = NULL;
#endif

    xmlFuzzReadEntities();
    docBuffer = xmlFuzzMainEntity(&docSize);
    docUrl = xmlFuzzMainUrl();
    if (docBuffer == NULL)
        goto exit;

    /* Pull parser */

    xmlFuzzInjectFailure(failurePos);
    ctxt = xmlNewParserCtxt();
    if (ctxt == NULL) {
        errorCode = XML_ERR_NO_MEMORY;
    } else {
        xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
        xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
        doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts);
        errorCode = ctxt->errNo;
        xmlFuzzCheckFailureReport("xmlCtxtReadMemory",
                doc == NULL && errorCode == XML_ERR_NO_MEMORY,
                doc == NULL && errorCode == XML_IO_EIO);

        if (doc != NULL) {
#ifdef LIBXML_OUTPUT_ENABLED
            xmlSaveCtxtPtr save;

            outbuf = xmlBufferCreate();

            /* Also test the serializer. */
            save = xmlSaveToBuffer(outbuf, saveEncoding, saveOpts);

            if (save == NULL) {
                xmlBufferFree(outbuf);
                outbuf = NULL;
            } else {
                int saveErr;

                xmlSaveDoc(save, doc);
                saveErr = xmlSaveFinish(save);
                xmlFuzzCheckFailureReport("xmlSaveToBuffer",
                                          saveErr == XML_ERR_NO_MEMORY,
                                          saveErr == XML_IO_EIO);
                if (saveErr != XML_ERR_OK) {
                    xmlBufferFree(outbuf);
                    outbuf = NULL;
                }
            }
#endif
            xmlFreeDoc(doc);
        }

        xmlFreeParserCtxt(ctxt);
    }

    /* Push parser */

#ifdef LIBXML_PUSH_ENABLED
    xmlFuzzInjectFailure(failurePos);
    /*
     * FIXME: xmlCreatePushParserCtxt can still report OOM errors
     * to stderr.
     */
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
    ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
    xmlSetGenericErrorFunc(NULL, NULL);

    if (ctxt != NULL) {
        size_t consumed;
        int errorCodePush, numChunks, maxChunks;

        xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
        xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
        xmlCtxtUseOptions(ctxt, opts);

        consumed = 0;
        numChunks = 0;
        maxChunks = 50 + docSize / 100;
        while (numChunks == 0 ||
               (consumed < docSize && numChunks < maxChunks)) {
            size_t chunkSize;
            int terminate;

            numChunks += 1;
            chunkSize = docSize - consumed;

            if (numChunks < maxChunks && chunkSize > maxChunkSize) {
                chunkSize = maxChunkSize;
                terminate = 0;
            } else {
                terminate = 1;
            }

            xmlParseChunk(ctxt, docBuffer + consumed, chunkSize, terminate);
            consumed += chunkSize;
        }

        errorCodePush = ctxt->errNo;
        xmlFuzzCheckFailureReport("xmlParseChunk",
                                  errorCodePush == XML_ERR_NO_MEMORY,
                                  errorCodePush == XML_IO_EIO);
        doc = ctxt->myDoc;

        /*
         * Push and pull parser differ in when exactly they
         * stop parsing, and the error code is the *last* error
         * reported, so we can't check whether the codes match.
         */
        if (errorCode != XML_ERR_NO_MEMORY &&
            errorCode != XML_IO_EIO &&
            errorCodePush != XML_ERR_NO_MEMORY &&
            errorCodePush != XML_IO_EIO &&
            (errorCode == XML_ERR_OK) != (errorCodePush == XML_ERR_OK)) {
            fprintf(stderr, "pull/push parser error mismatch: %d != %d\n",
                    errorCode, errorCodePush);
#if 0
            FILE *f = fopen("c.xml", "wb");
            fwrite(docBuffer, docSize, 1, f);
            fclose(f);
#endif
            abort();
        }

#ifdef LIBXML_OUTPUT_ENABLED
        /*
         * Verify that pull and push parser produce the same result.
         *
         * The NOBLANKS option doesn't work reliably in push mode.
         */
        if ((opts & XML_PARSE_NOBLANKS) == 0 &&
            errorCode == XML_ERR_OK &&
            errorCodePush == XML_ERR_OK &&
            outbuf != NULL) {
            xmlBufferPtr outbufPush;
            xmlSaveCtxtPtr save;

            outbufPush = xmlBufferCreate();

            save = xmlSaveToBuffer(outbufPush, saveEncoding, saveOpts);

            if (save != NULL) {
                int saveErr;

                xmlSaveDoc(save, doc);
                saveErr = xmlSaveFinish(save);

                if (saveErr == XML_ERR_OK) {
                    int outbufSize = xmlBufferLength(outbuf);

                    if (outbufSize != xmlBufferLength(outbufPush) ||
                        memcmp(xmlBufferContent(outbuf),
                               xmlBufferContent(outbufPush),
                               outbufSize) != 0) {
                        fprintf(stderr, "pull/push parser roundtrip "
                                "mismatch\n");
#if 0
                        FILE *f = fopen("c.xml", "wb");
                        fwrite(docBuffer, docSize, 1, f);
                        fclose(f);
                        fprintf(stderr, "opts: %X\n", opts);
                        fprintf(stderr, "---\n%s\n---\n%s\n---\n",
                                xmlBufferContent(outbuf),
                                xmlBufferContent(outbufPush));
#endif
                        abort();
                    }
                }
            }

            xmlBufferFree(outbufPush);
        }
#endif

        xmlFreeDoc(doc);
        xmlFreeParserCtxt(ctxt);
    }
#endif

exit:
#ifdef LIBXML_OUTPUT_ENABLED
    xmlBufferFree(outbuf);
#endif
    xmlFuzzInjectFailure(0);
    xmlFuzzDataCleanup();
    xmlResetLastError();
    return(0);
}

size_t
LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
                        unsigned seed) {
    static const xmlFuzzChunkDesc chunks[] = {
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* opts */
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* maxChunkSize */
        { 0, 0 }
    };

    return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
                               LLVMFuzzerMutate);
}


Coverage Report

Created: 2025-10-10 06:45

Line	Count	Source
1		/*
2		* xml.c: a libFuzzer target to test several XML parser interfaces.
3		*
4		* See Copyright for the status of this software.
5		*/
6
7		#include <stdio.h>
8		#include <stdlib.h>
9		#include <string.h>
10
11		#include <libxml/catalog.h>
12		#include <libxml/parser.h>
13		#include <libxml/tree.h>
14		#include <libxml/xmlerror.h>
15		#include <libxml/xmlsave.h>
16		#include "fuzz.h"
17
18		int
19		LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
20	2	char ***argv ATTRIBUTE_UNUSED) {
21	2	xmlFuzzMemSetup();
22	2	xmlInitParser();
23	2	#ifdef LIBXML_CATALOG_ENABLED
24	2	xmlInitializeCatalog();
25	2	xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
26	2	#endif
27
28	2	return 0;
29	2	}
30
31		int
32	25.4k	LLVMFuzzerTestOneInput(const char *data, size_t size) {
33	25.4k	xmlParserCtxtPtr ctxt;
34	25.4k	xmlDocPtr doc;
35	25.4k	const char docBuffer, docUrl;
36	25.4k	size_t failurePos, docSize, maxChunkSize;
37	25.4k	int opts;
38	25.4k	int errorCode;
39	25.4k	#ifdef LIBXML_OUTPUT_ENABLED
40	25.4k	xmlBufferPtr outbuf = NULL;
41	25.4k	const char *saveEncoding;
42	25.4k	int saveOpts;
43	25.4k	#endif
44
45	25.4k	xmlFuzzDataInit(data, size);
46	25.4k	opts = (int) xmlFuzzReadInt(4);
47		/*
48		* Disable options that are known to cause timeouts
49		*/
50	25.4k	opts &= ~XML_PARSE_DTDVALID &
51	25.4k	~XML_PARSE_SAX1;
52	25.4k	failurePos = xmlFuzzReadInt(4) % (size + 100);
53
54	25.4k	maxChunkSize = xmlFuzzReadInt(4) % (size + size / 8 + 1);
55	25.4k	if (maxChunkSize == 0)
56	2.11k	maxChunkSize = 1;
57
58	25.4k	#ifdef LIBXML_OUTPUT_ENABLED
59		/* TODO: Take from fuzz data */
60	25.4k	saveOpts = 0;
61	25.4k	saveEncoding = NULL;
62	25.4k	#endif
63
64	25.4k	xmlFuzzReadEntities();
65	25.4k	docBuffer = xmlFuzzMainEntity(&docSize);
66	25.4k	docUrl = xmlFuzzMainUrl();
67	25.4k	if (docBuffer == NULL)
68	135	goto exit;
69
70		/* Pull parser */
71
72	25.2k	xmlFuzzInjectFailure(failurePos);
73	25.2k	ctxt = xmlNewParserCtxt();
74	25.2k	if (ctxt == NULL) {
75	27	errorCode = XML_ERR_NO_MEMORY;
76	25.2k	} else {
77	25.2k	xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
78	25.2k	xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
79	25.2k	doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts);
80	25.2k	errorCode = ctxt->errNo;
81	25.2k	xmlFuzzCheckFailureReport("xmlCtxtReadMemory",
82	25.2k	doc == NULL && errorCode == XML_ERR_NO_MEMORY,
83	25.2k	doc == NULL && errorCode == XML_IO_EIO);
84
85	25.2k	if (doc != NULL) {
86	13.6k	#ifdef LIBXML_OUTPUT_ENABLED
87	13.6k	xmlSaveCtxtPtr save;
88
89	13.6k	outbuf = xmlBufferCreate();
90
91		/* Also test the serializer. */
92	13.6k	save = xmlSaveToBuffer(outbuf, saveEncoding, saveOpts);
93
94	13.6k	if (save == NULL) {
95	424	xmlBufferFree(outbuf);
96	424	outbuf = NULL;
97	13.2k	} else {
98	13.2k	int saveErr;
99
100	13.2k	xmlSaveDoc(save, doc);
101	13.2k	saveErr = xmlSaveFinish(save);
102	13.2k	xmlFuzzCheckFailureReport("xmlSaveToBuffer",
103	13.2k	saveErr == XML_ERR_NO_MEMORY,
104	13.2k	saveErr == XML_IO_EIO);
105	13.2k	if (saveErr != XML_ERR_OK) {
106	65	xmlBufferFree(outbuf);
107	65	outbuf = NULL;
108	65	}
109	13.2k	}
110	13.6k	#endif
111	13.6k	xmlFreeDoc(doc);
112	13.6k	}
113
114	25.2k	xmlFreeParserCtxt(ctxt);
115	25.2k	}
116
117		/* Push parser */
118
119	25.2k	#ifdef LIBXML_PUSH_ENABLED
120	25.2k	xmlFuzzInjectFailure(failurePos);
121		/*
122		* FIXME: xmlCreatePushParserCtxt can still report OOM errors
123		* to stderr.
124		*/
125	25.2k	xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
126	25.2k	ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
127	25.2k	xmlSetGenericErrorFunc(NULL, NULL);
128
129	25.2k	if (ctxt != NULL) {
130	25.2k	size_t consumed;
131	25.2k	int errorCodePush, numChunks, maxChunks;
132
133	25.2k	xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
134	25.2k	xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
135	25.2k	xmlCtxtUseOptions(ctxt, opts);
136
137	25.2k	consumed = 0;
138	25.2k	numChunks = 0;
139	25.2k	maxChunks = 50 + docSize / 100;
140	566k	while (numChunks == 0 \|\|
141	541k	(consumed < docSize && numChunks < maxChunks)) {
142	541k	size_t chunkSize;
143	541k	int terminate;
144
145	541k	numChunks += 1;
146	541k	chunkSize = docSize - consumed;
147
148	541k	if (numChunks < maxChunks && chunkSize > maxChunkSize) {
149	515k	chunkSize = maxChunkSize;
150	515k	terminate = 0;
151	515k	} else {
152	25.2k	terminate = 1;
153	25.2k	}
154
155	541k	xmlParseChunk(ctxt, docBuffer + consumed, chunkSize, terminate);
156	541k	consumed += chunkSize;
157	541k	}
158
159	25.2k	errorCodePush = ctxt->errNo;
160	25.2k	xmlFuzzCheckFailureReport("xmlParseChunk",
161	25.2k	errorCodePush == XML_ERR_NO_MEMORY,
162	25.2k	errorCodePush == XML_IO_EIO);
163	25.2k	doc = ctxt->myDoc;
164
165		/*
166		* Push and pull parser differ in when exactly they
167		* stop parsing, and the error code is the last error
168		* reported, so we can't check whether the codes match.
169		*/
170	25.2k	if (errorCode != XML_ERR_NO_MEMORY &&
171	20.4k	errorCode != XML_IO_EIO &&
172	20.4k	errorCodePush != XML_ERR_NO_MEMORY &&
173	20.3k	errorCodePush != XML_IO_EIO &&
174	20.3k	(errorCode == XML_ERR_OK) != (errorCodePush == XML_ERR_OK)) {
175	0	fprintf(stderr, "pull/push parser error mismatch: %d != %d\n",
176	0	errorCode, errorCodePush);
177		#if 0
178		FILE *f = fopen("c.xml", "wb");
179		fwrite(docBuffer, docSize, 1, f);
180		fclose(f);
181		#endif
182	0	abort();
183	0	}
184
185	25.2k	#ifdef LIBXML_OUTPUT_ENABLED
186		/*
187		* Verify that pull and push parser produce the same result.
188		*
189		* The NOBLANKS option doesn't work reliably in push mode.
190		*/
191	25.2k	if ((opts & XML_PARSE_NOBLANKS) == 0 &&
192	14.1k	errorCode == XML_ERR_OK &&
193	118	errorCodePush == XML_ERR_OK &&
194	118	outbuf != NULL) {
195	115	xmlBufferPtr outbufPush;
196	115	xmlSaveCtxtPtr save;
197
198	115	outbufPush = xmlBufferCreate();
199
200	115	save = xmlSaveToBuffer(outbufPush, saveEncoding, saveOpts);
201
202	115	if (save != NULL) {
203	115	int saveErr;
204
205	115	xmlSaveDoc(save, doc);
206	115	saveErr = xmlSaveFinish(save);
207
208	115	if (saveErr == XML_ERR_OK) {
209	115	int outbufSize = xmlBufferLength(outbuf);
210
211	115	if (outbufSize != xmlBufferLength(outbufPush) \|\|
212	115	memcmp(xmlBufferContent(outbuf),
213	115	xmlBufferContent(outbufPush),
214	115	outbufSize) != 0) {
215	0	fprintf(stderr, "pull/push parser roundtrip "
216	0	"mismatch\n");
217		#if 0
218		FILE *f = fopen("c.xml", "wb");
219		fwrite(docBuffer, docSize, 1, f);
220		fclose(f);
221		fprintf(stderr, "opts: %X\n", opts);
222		fprintf(stderr, "---\n%s\n---\n%s\n---\n",
223		xmlBufferContent(outbuf),
224		xmlBufferContent(outbufPush));
225		#endif
226	0	abort();
227	0	}
228	115	}
229	115	}
230
231	115	xmlBufferFree(outbufPush);
232	115	}
233	25.2k	#endif
234
235	25.2k	xmlFreeDoc(doc);
236	25.2k	xmlFreeParserCtxt(ctxt);
237	25.2k	}
238	25.2k	#endif
239
240	25.4k	exit:
241	25.4k	#ifdef LIBXML_OUTPUT_ENABLED
242	25.4k	xmlBufferFree(outbuf);
243	25.4k	#endif
244	25.4k	xmlFuzzInjectFailure(0);
245	25.4k	xmlFuzzDataCleanup();
246	25.4k	xmlResetLastError();
247	25.4k	return(0);
248	25.2k	}
249
250		size_t
251		LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
252	0	unsigned seed) {
253	0	static const xmlFuzzChunkDesc chunks[] = {
254	0	{ 4, XML_FUZZ_PROB_ONE / 10 }, /* opts */
255	0	{ 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
256	0	{ 4, XML_FUZZ_PROB_ONE / 10 }, /* maxChunkSize */
257	0	{ 0, 0 }
258	0	};
259
260	0	return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
261	0	LLVMFuzzerMutate);
262	0	}
263