/src/libxml2/fuzz/xpath.c

Source
/*
 * xpath.c: a libFuzzer target to test XPath and XPointer expressions.
 *
 * See Copyright for the status of this software.
 */

#include <libxml/catalog.h>
#include <libxml/parser.h>
#include <libxml/xpointer.h>
#include "fuzz.h"

int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    xmlFuzzMemSetup();
    xmlInitParser();
#ifdef LIBXML_CATALOG_ENABLED
    xmlInitializeCatalog();
    xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
#endif
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);

    return 0;
}

int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlDocPtr doc;
    const char *expr, *xml;
    size_t failurePos, exprSize, xmlSize;

    if (size > 10000)
        return(0);

    xmlFuzzDataInit(data, size);

    failurePos = xmlFuzzReadInt(4) % (size + 100);
    expr = xmlFuzzReadString(&exprSize);
    xml = xmlFuzzReadString(&xmlSize);

    /* Recovery mode allows more input to be fuzzed. */
    doc = xmlReadMemory(xml, xmlSize, NULL, NULL, XML_PARSE_RECOVER);
    if (doc != NULL) {
        xmlXPathContextPtr xpctxt;

        xmlFuzzInjectFailure(failurePos);

        xpctxt = xmlXPathNewContext(doc);
        if (xpctxt != NULL) {
            int res;

            /* Operation limit to avoid timeout */
            xpctxt->opLimit = 500000;

            res = xmlXPathContextSetCache(xpctxt, 1, 4, 0);
            xmlFuzzCheckFailureReport("xmlXPathContextSetCache", res == -1, 0);

            xmlFuzzResetFailure();
            xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, xpctxt));
            xmlFuzzCheckFailureReport("xmlXPtrEval",
                    xpctxt->lastError.code == XML_ERR_NO_MEMORY, 0);
            xmlXPathFreeContext(xpctxt);
        }

        xmlFuzzInjectFailure(0);
        xmlFreeDoc(doc);
    }

    xmlFuzzDataCleanup();
    xmlResetLastError();

    return(0);
}

size_t
LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
                        unsigned seed) {
    static const xmlFuzzChunkDesc chunks[] = {
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
        { 0, 0 }
    };

    return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
                               LLVMFuzzerMutate);
}


Line	Count	Source
1		/*
2		* xpath.c: a libFuzzer target to test XPath and XPointer expressions.
3		*
4		* See Copyright for the status of this software.
5		*/
6
7		#include <libxml/catalog.h>
8		#include <libxml/parser.h>
9		#include <libxml/xpointer.h>
10		#include "fuzz.h"
11
12		int
13		LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
14	2	char ***argv ATTRIBUTE_UNUSED) {
15	2	xmlFuzzMemSetup();
16	2	xmlInitParser();
17	2	#ifdef LIBXML_CATALOG_ENABLED
18	2	xmlInitializeCatalog();
19	2	xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
20	2	#endif
21	2	xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
22
23	2	return 0;
24	2	}
25
26		int
27	26.3k	LLVMFuzzerTestOneInput(const char *data, size_t size) {
28	26.3k	xmlDocPtr doc;
29	26.3k	const char expr, xml;
30	26.3k	size_t failurePos, exprSize, xmlSize;
31
32	26.3k	if (size > 10000)
33	1	return(0);
34
35	26.3k	xmlFuzzDataInit(data, size);
36
37	26.3k	failurePos = xmlFuzzReadInt(4) % (size + 100);
38	26.3k	expr = xmlFuzzReadString(&exprSize);
39	26.3k	xml = xmlFuzzReadString(&xmlSize);
40
41		/* Recovery mode allows more input to be fuzzed. */
42	26.3k	doc = xmlReadMemory(xml, xmlSize, NULL, NULL, XML_PARSE_RECOVER);
43	26.3k	if (doc != NULL) {
44	26.3k	xmlXPathContextPtr xpctxt;
45
46	26.3k	xmlFuzzInjectFailure(failurePos);
47
48	26.3k	xpctxt = xmlXPathNewContext(doc);
49	26.3k	if (xpctxt != NULL) {
50	26.2k	int res;
51
52		/* Operation limit to avoid timeout */
53	26.2k	xpctxt->opLimit = 500000;
54
55	26.2k	res = xmlXPathContextSetCache(xpctxt, 1, 4, 0);
56	26.2k	xmlFuzzCheckFailureReport("xmlXPathContextSetCache", res == -1, 0);
57
58	26.2k	xmlFuzzResetFailure();
59	26.2k	xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, xpctxt));
60	26.2k	xmlFuzzCheckFailureReport("xmlXPtrEval",
61	26.2k	xpctxt->lastError.code == XML_ERR_NO_MEMORY, 0);
62	26.2k	xmlXPathFreeContext(xpctxt);
63	26.2k	}
64
65	26.3k	xmlFuzzInjectFailure(0);
66	26.3k	xmlFreeDoc(doc);
67	26.3k	}
68
69	26.3k	xmlFuzzDataCleanup();
70	26.3k	xmlResetLastError();
71
72	26.3k	return(0);
73	26.3k	}
74
75		size_t
76		LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
77	0	unsigned seed) {
78	0	static const xmlFuzzChunkDesc chunks[] = {
79	0	{ 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
80	0	{ 0, 0 }
81	0	};
82
83	0	return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
84	0	LLVMFuzzerMutate);
85	0	}
86

Coverage Report

Created: 2025-11-24 06:34