Coverage Report

Created: 2025-12-03 06:21

/src/libxml2/fuzz/schema.c
/*
 * schema.c: a libFuzzer target to test the XML Schema processor.
 *
 * See Copyright for the status of this software.
 */
#ifndef XML_DEPRECATED
  #define XML_DEPRECATED
#endif
#include <libxml/catalog.h>
#include <libxml/xmlschemas.h>
#include <libxml/xmlschemastypes.h>
#include "fuzz.h"
/*
 * LLVMFuzzerInitialize: start-up hook for the schema fuzz target.
 *
 * Sets up the harness memory layer and the parser and, when catalog
 * support is compiled in, turns catalog use off. Neither argument is
 * read. Always returns 0.
 *
 * Coverage in this report: the body has an execution count of 2.
 */
int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED, char ***argv ATTRIBUTE_UNUSED)
{
    /*
     * xmlFuzzMemSetup() lives in the fuzz harness (not shown here);
     * presumably it installs the allocator hooks that
     * xmlFuzzInjectFailure() relies on - confirm in fuzz.c.
     */
    xmlFuzzMemSetup();
    xmlInitParser();

#ifdef LIBXML_CATALOG_ENABLED
    /*
     * XML_CATA_ALLOW_NONE disables catalog lookups, so identifier
     * resolution during fuzzing does not depend on catalog files
     * present on the machine running the target.
     */
    xmlInitializeCatalog();
    xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
#endif

    return 0;
}
/*
 * LLVMFuzzerTestOneInput: run one fuzz input through the XML Schema
 * processor.
 *
 * The input is handed to the harness data layer, the document at
 * xmlFuzzMainUrl() is compiled as a schema and, if that succeeds, the
 * document at xmlFuzzSecondaryUrl() is parsed and validated against it.
 *
 * data: raw fuzz input
 * size: length of data in bytes; inputs above 200000 bytes are skipped
 *
 * Always returns 0.
 *
 * Coverage in this report: 33.8k executions of the entry point, 5.73k
 * of which reached the validation branch; the oversize early return was
 * taken once.
 */
int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlSchemaParserCtxtPtr schemaCtxt;
    xmlSchemaPtr compiled;
    size_t failAt;

    /* Size cap: bounds the work a single iteration can cost. */
    if (size > 200000)
        return 0;

    xmlFuzzDataInit(data, size);

    /*
     * A 4-byte field from the input picks the failure position (the same
     * width LLVMFuzzerCustomMutator lists for failurePos); the modulus
     * keeps it below size + 100.
     */
    failAt = xmlFuzzReadInt(4) % (size + 100);

    /*
     * Defined in the harness (not shown); presumably splits the rest of
     * the input into the named documents served below - confirm in
     * fuzz.c.
     */
    xmlFuzzReadEntities();

    /*
     * Presumably arms an injected allocation failure at position failAt;
     * the call with 0 before cleanup would then disarm it - confirm in
     * fuzz.c.
     */
    xmlFuzzInjectFailure(failAt);

    /*
     * Schema compilation. Errors go to the harness handler, and resource
     * loading (e.g. schema imports/includes) goes through
     * xmlFuzzResourceLoader instead of the library's default loader.
     * None of the calls below is guarded by a NULL check on schemaCtxt.
     */
    schemaCtxt = xmlSchemaNewParserCtxt(xmlFuzzMainUrl());
    xmlSchemaSetParserStructuredErrors(schemaCtxt, xmlFuzzSErrorFunc, NULL);
    xmlSchemaSetResourceLoader(schemaCtxt, xmlFuzzResourceLoader, NULL);
    compiled = xmlSchemaParse(schemaCtxt);
    xmlSchemaFreeParserCtxt(schemaCtxt);

    if (compiled != NULL) {
        xmlParserCtxtPtr docCtxt = xmlNewParserCtxt();
        xmlSchemaValidCtxtPtr validCtxt;
        xmlDocPtr instance;

        /*
         * Instance document. XML_PARSE_NOENT turns on entity
         * substitution, which makes external-entity handling reachable;
         * the harness resource loader set here is what decides which
         * resources can actually be loaded. Code parsing untrusted XML
         * outside a fuzzing harness normally leaves this option off.
         */
        xmlCtxtSetErrorHandler(docCtxt, xmlFuzzSErrorFunc, NULL);
        xmlCtxtSetResourceLoader(docCtxt, xmlFuzzResourceLoader, NULL);
        instance = xmlCtxtReadFile(docCtxt, xmlFuzzSecondaryUrl(), NULL,
                                   XML_PARSE_NOENT);
        xmlFreeParserCtxt(docCtxt);

        /*
         * instance and validCtxt are used without a NULL check, so a
         * failed parse or allocation is passed straight to the
         * validation and free functions (presumably on purpose, to
         * exercise their NULL handling - confirm).
         */
        validCtxt = xmlSchemaNewValidCtxt(compiled);
        xmlSchemaSetValidStructuredErrors(validCtxt, xmlFuzzSErrorFunc, NULL);
        xmlSchemaValidateDoc(validCtxt, instance);
        xmlSchemaFreeValidCtxt(validCtxt);

        xmlFreeDoc(instance);
        xmlSchemaFree(compiled);
    }

    /* Per-iteration teardown so state does not carry into the next input. */
    xmlFuzzInjectFailure(0);
    xmlFuzzDataCleanup();
    xmlResetLastError();
    xmlSchemaCleanupTypes();

    return 0;
}
/*
 * LLVMFuzzerCustomMutator: libFuzzer mutation hook for the schema
 * target.
 *
 * Describes the fixed-size prefix of the input to xmlFuzzMutateChunks()
 * and passes LLVMFuzzerMutate as the underlying mutator. Returns
 * whatever xmlFuzzMutateChunks() returns.
 *
 * Coverage in this report: every line of this function has a count of 0.
 * The page does not say why; one possible reason is that the report
 * comes from replaying existing inputs rather than mutating them.
 */
size_t
LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
                        unsigned seed) {
    /*
     * One 4-byte chunk, the failurePos field that LLVMFuzzerTestOneInput
     * reads with xmlFuzzReadInt(4). The second member is presumably the
     * probability of mutating that chunk (a tenth of XML_FUZZ_PROB_ONE)
     * and { 0, 0 } presumably ends the table - confirm against the
     * xmlFuzzChunkDesc definition in fuzz.h.
     */
    static const xmlFuzzChunkDesc layout[] = {
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
        { 0, 0 }
    };
    size_t mutatedSize;

    mutatedSize = xmlFuzzMutateChunks(layout, data, size, maxSize, seed,
                                      LLVMFuzzerMutate);
    return mutatedSize;
}