/src/libxml2/fuzz/xml.c

Source
/*
 * xml.c: a libFuzzer target to test several XML parser interfaces.
 *
 * See Copyright for the status of this software.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <libxml/catalog.h>
#include <libxml/parser.h>
#include <libxml/tree.h>
#include <libxml/xmlerror.h>
#include <libxml/xmlsave.h>
#include "fuzz.h"

int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    xmlFuzzMemSetup();
    xmlInitParser();
#ifdef LIBXML_CATALOG_ENABLED
    xmlInitializeCatalog();
    xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
#endif

    return 0;
}

int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlParserCtxtPtr ctxt;
    xmlDocPtr doc;
    const char *docBuffer, *docUrl;
    size_t failurePos, docSize, maxChunkSize;
    int opts;
    int errorCode;
#ifdef LIBXML_OUTPUT_ENABLED
    xmlBufferPtr outbuf = NULL;
    const char *saveEncoding;
    int saveOpts;
#endif

    xmlFuzzDataInit(data, size);
    opts = (int) xmlFuzzReadInt(4);
    /*
     * Disable options that are known to cause timeouts
     */
    opts &= ~XML_PARSE_DTDVALID &
            ~XML_PARSE_SAX1;
    failurePos = xmlFuzzReadInt(4) % (size + 100);

    maxChunkSize = xmlFuzzReadInt(4) % (size + size / 8 + 1);
    if (maxChunkSize == 0)
        maxChunkSize = 1;

#ifdef LIBXML_OUTPUT_ENABLED
    /* TODO: Take from fuzz data */
    saveOpts = 0;
    saveEncoding = NULL;
#endif

    xmlFuzzReadEntities();
    docBuffer = xmlFuzzMainEntity(&docSize);
    docUrl = xmlFuzzMainUrl();
    if (docBuffer == NULL)
        goto exit;

    /* Pull parser */

    xmlFuzzInjectFailure(failurePos);
    ctxt = xmlNewParserCtxt();
    if (ctxt == NULL) {
        errorCode = XML_ERR_NO_MEMORY;
    } else {
        xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
        xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
        doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts);
        errorCode = ctxt->errNo;
        xmlFuzzCheckFailureReport("xmlCtxtReadMemory",
                doc == NULL && errorCode == XML_ERR_NO_MEMORY,
                doc == NULL && errorCode == XML_IO_EIO);

        if (doc != NULL) {
#ifdef LIBXML_OUTPUT_ENABLED
            xmlSaveCtxtPtr save;

            outbuf = xmlBufferCreate();

            /* Also test the serializer. */
            save = xmlSaveToBuffer(outbuf, saveEncoding, saveOpts);

            if (save == NULL) {
                xmlBufferFree(outbuf);
                outbuf = NULL;
            } else {
                int saveErr;

                xmlSaveDoc(save, doc);
                saveErr = xmlSaveFinish(save);
                xmlFuzzCheckFailureReport("xmlSaveToBuffer",
                                          saveErr == XML_ERR_NO_MEMORY,
                                          saveErr == XML_IO_EIO);
                if (saveErr != XML_ERR_OK) {
                    xmlBufferFree(outbuf);
                    outbuf = NULL;
                }
            }
#endif
            xmlFreeDoc(doc);
        }

        xmlFreeParserCtxt(ctxt);
    }

    /* Push parser */

#ifdef LIBXML_PUSH_ENABLED
    xmlFuzzInjectFailure(failurePos);
    /*
     * FIXME: xmlCreatePushParserCtxt can still report OOM errors
     * to stderr.
     */
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
    ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
    xmlSetGenericErrorFunc(NULL, NULL);

    if (ctxt != NULL) {
        size_t consumed;
        int errorCodePush, numChunks, maxChunks;

        xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
        xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
        xmlCtxtUseOptions(ctxt, opts);

        consumed = 0;
        numChunks = 0;
        maxChunks = 50 + docSize / 100;
        while (numChunks == 0 ||
               (consumed < docSize && numChunks < maxChunks)) {
            size_t chunkSize;
            int terminate;

            numChunks += 1;
            chunkSize = docSize - consumed;

            if (numChunks < maxChunks && chunkSize > maxChunkSize) {
                chunkSize = maxChunkSize;
                terminate = 0;
            } else {
                terminate = 1;
            }

            xmlParseChunk(ctxt, docBuffer + consumed, chunkSize, terminate);
            consumed += chunkSize;
        }

        errorCodePush = ctxt->errNo;
        xmlFuzzCheckFailureReport("xmlParseChunk",
                                  errorCodePush == XML_ERR_NO_MEMORY,
                                  errorCodePush == XML_IO_EIO);
        doc = ctxt->myDoc;

        /*
         * Push and pull parser differ in when exactly they
         * stop parsing, and the error code is the *last* error
         * reported, so we can't check whether the codes match.
         */
        if (errorCode != XML_ERR_NO_MEMORY &&
            errorCode != XML_IO_EIO &&
            errorCodePush != XML_ERR_NO_MEMORY &&
            errorCodePush != XML_IO_EIO &&
            (errorCode == XML_ERR_OK) != (errorCodePush == XML_ERR_OK)) {
            fprintf(stderr, "pull/push parser error mismatch: %d != %d\n",
                    errorCode, errorCodePush);
#if 0
            FILE *f = fopen("c.xml", "wb");
            fwrite(docBuffer, docSize, 1, f);
            fclose(f);
#endif
            abort();
        }

#ifdef LIBXML_OUTPUT_ENABLED
        /*
         * Verify that pull and push parser produce the same result.
         *
         * The NOBLANKS option doesn't work reliably in push mode.
         */
        if ((opts & XML_PARSE_NOBLANKS) == 0 &&
            errorCode == XML_ERR_OK &&
            errorCodePush == XML_ERR_OK &&
            outbuf != NULL) {
            xmlBufferPtr outbufPush;
            xmlSaveCtxtPtr save;

            outbufPush = xmlBufferCreate();

            save = xmlSaveToBuffer(outbufPush, saveEncoding, saveOpts);

            if (save != NULL) {
                int saveErr;

                xmlSaveDoc(save, doc);
                saveErr = xmlSaveFinish(save);

                if (saveErr == XML_ERR_OK) {
                    int outbufSize = xmlBufferLength(outbuf);

                    if (outbufSize != xmlBufferLength(outbufPush) ||
                        memcmp(xmlBufferContent(outbuf),
                               xmlBufferContent(outbufPush),
                               outbufSize) != 0) {
                        fprintf(stderr, "pull/push parser roundtrip "
                                "mismatch\n");
#if 0
                        FILE *f = fopen("c.xml", "wb");
                        fwrite(docBuffer, docSize, 1, f);
                        fclose(f);
                        fprintf(stderr, "opts: %X\n", opts);
                        fprintf(stderr, "---\n%s\n---\n%s\n---\n",
                                xmlBufferContent(outbuf),
                                xmlBufferContent(outbufPush));
#endif
                        abort();
                    }
                }
            }

            xmlBufferFree(outbufPush);
        }
#endif

        xmlFreeDoc(doc);
        xmlFreeParserCtxt(ctxt);
    }
#endif

exit:
#ifdef LIBXML_OUTPUT_ENABLED
    xmlBufferFree(outbuf);
#endif
    xmlFuzzInjectFailure(0);
    xmlFuzzDataCleanup();
    xmlResetLastError();
    return(0);
}

size_t
LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
                        unsigned seed) {
    static const xmlFuzzChunkDesc chunks[] = {
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* opts */
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* maxChunkSize */
        { 0, 0 }
    };

    return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
                               LLVMFuzzerMutate);
}


Coverage Report

Created: 2026-06-10 06:23

Line	Count	Source
1		/*
2		* xml.c: a libFuzzer target to test several XML parser interfaces.
3		*
4		* See Copyright for the status of this software.
5		*/
6
7		#include <stdio.h>
8		#include <stdlib.h>
9		#include <string.h>
10
11		#include <libxml/catalog.h>
12		#include <libxml/parser.h>
13		#include <libxml/tree.h>
14		#include <libxml/xmlerror.h>
15		#include <libxml/xmlsave.h>
16		#include "fuzz.h"
17
18		int
19		LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
20	2	char ***argv ATTRIBUTE_UNUSED) {
21	2	xmlFuzzMemSetup();
22	2	xmlInitParser();
23	2	#ifdef LIBXML_CATALOG_ENABLED
24	2	xmlInitializeCatalog();
25	2	xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
26	2	#endif
27
28	2	return 0;
29	2	}
30
31		int
32	24.7k	LLVMFuzzerTestOneInput(const char *data, size_t size) {
33	24.7k	xmlParserCtxtPtr ctxt;
34	24.7k	xmlDocPtr doc;
35	24.7k	const char docBuffer, docUrl;
36	24.7k	size_t failurePos, docSize, maxChunkSize;
37	24.7k	int opts;
38	24.7k	int errorCode;
39	24.7k	#ifdef LIBXML_OUTPUT_ENABLED
40	24.7k	xmlBufferPtr outbuf = NULL;
41	24.7k	const char *saveEncoding;
42	24.7k	int saveOpts;
43	24.7k	#endif
44
45	24.7k	xmlFuzzDataInit(data, size);
46	24.7k	opts = (int) xmlFuzzReadInt(4);
47		/*
48		* Disable options that are known to cause timeouts
49		*/
50	24.7k	opts &= ~XML_PARSE_DTDVALID &
51	24.7k	~XML_PARSE_SAX1;
52	24.7k	failurePos = xmlFuzzReadInt(4) % (size + 100);
53
54	24.7k	maxChunkSize = xmlFuzzReadInt(4) % (size + size / 8 + 1);
55	24.7k	if (maxChunkSize == 0)
56	2.16k	maxChunkSize = 1;
57
58	24.7k	#ifdef LIBXML_OUTPUT_ENABLED
59		/* TODO: Take from fuzz data */
60	24.7k	saveOpts = 0;
61	24.7k	saveEncoding = NULL;
62	24.7k	#endif
63
64	24.7k	xmlFuzzReadEntities();
65	24.7k	docBuffer = xmlFuzzMainEntity(&docSize);
66	24.7k	docUrl = xmlFuzzMainUrl();
67	24.7k	if (docBuffer == NULL)
68	132	goto exit;
69
70		/* Pull parser */
71
72	24.5k	xmlFuzzInjectFailure(failurePos);
73	24.5k	ctxt = xmlNewParserCtxt();
74	24.5k	if (ctxt == NULL) {
75	23	errorCode = XML_ERR_NO_MEMORY;
76	24.5k	} else {
77	24.5k	xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
78	24.5k	xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
79	24.5k	doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts);
80	24.5k	errorCode = ctxt->errNo;
81	24.5k	xmlFuzzCheckFailureReport("xmlCtxtReadMemory",
82	24.5k	doc == NULL && errorCode == XML_ERR_NO_MEMORY,
83	24.5k	doc == NULL && errorCode == XML_IO_EIO);
84
85	24.5k	if (doc != NULL) {
86	13.2k	#ifdef LIBXML_OUTPUT_ENABLED
87	13.2k	xmlSaveCtxtPtr save;
88
89	13.2k	outbuf = xmlBufferCreate();
90
91		/* Also test the serializer. */
92	13.2k	save = xmlSaveToBuffer(outbuf, saveEncoding, saveOpts);
93
94	13.2k	if (save == NULL) {
95	397	xmlBufferFree(outbuf);
96	397	outbuf = NULL;
97	12.8k	} else {
98	12.8k	int saveErr;
99
100	12.8k	xmlSaveDoc(save, doc);
101	12.8k	saveErr = xmlSaveFinish(save);
102	12.8k	xmlFuzzCheckFailureReport("xmlSaveToBuffer",
103	12.8k	saveErr == XML_ERR_NO_MEMORY,
104	12.8k	saveErr == XML_IO_EIO);
105	12.8k	if (saveErr != XML_ERR_OK) {
106	62	xmlBufferFree(outbuf);
107	62	outbuf = NULL;
108	62	}
109	12.8k	}
110	13.2k	#endif
111	13.2k	xmlFreeDoc(doc);
112	13.2k	}
113
114	24.5k	xmlFreeParserCtxt(ctxt);
115	24.5k	}
116
117		/* Push parser */
118
119	24.5k	#ifdef LIBXML_PUSH_ENABLED
120	24.5k	xmlFuzzInjectFailure(failurePos);
121		/*
122		* FIXME: xmlCreatePushParserCtxt can still report OOM errors
123		* to stderr.
124		*/
125	24.5k	xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
126	24.5k	ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
127	24.5k	xmlSetGenericErrorFunc(NULL, NULL);
128
129	24.5k	if (ctxt != NULL) {
130	24.5k	size_t consumed;
131	24.5k	int errorCodePush, numChunks, maxChunks;
132
133	24.5k	xmlCtxtSetErrorHandler(ctxt, xmlFuzzSErrorFunc, NULL);
134	24.5k	xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
135	24.5k	xmlCtxtUseOptions(ctxt, opts);
136
137	24.5k	consumed = 0;
138	24.5k	numChunks = 0;
139	24.5k	maxChunks = 50 + docSize / 100;
140	519k	while (numChunks == 0 \|\|
141	494k	(consumed < docSize && numChunks < maxChunks)) {
142	494k	size_t chunkSize;
143	494k	int terminate;
144
145	494k	numChunks += 1;
146	494k	chunkSize = docSize - consumed;
147
148	494k	if (numChunks < maxChunks && chunkSize > maxChunkSize) {
149	470k	chunkSize = maxChunkSize;
150	470k	terminate = 0;
151	470k	} else {
152	24.5k	terminate = 1;
153	24.5k	}
154
155	494k	xmlParseChunk(ctxt, docBuffer + consumed, chunkSize, terminate);
156	494k	consumed += chunkSize;
157	494k	}
158
159	24.5k	errorCodePush = ctxt->errNo;
160	24.5k	xmlFuzzCheckFailureReport("xmlParseChunk",
161	24.5k	errorCodePush == XML_ERR_NO_MEMORY,
162	24.5k	errorCodePush == XML_IO_EIO);
163	24.5k	doc = ctxt->myDoc;
164
165		/*
166		* Push and pull parser differ in when exactly they
167		* stop parsing, and the error code is the last error
168		* reported, so we can't check whether the codes match.
169		*/
170	24.5k	if (errorCode != XML_ERR_NO_MEMORY &&
171	19.8k	errorCode != XML_IO_EIO &&
172	19.8k	errorCodePush != XML_ERR_NO_MEMORY &&
173	19.6k	errorCodePush != XML_IO_EIO &&
174	19.6k	(errorCode == XML_ERR_OK) != (errorCodePush == XML_ERR_OK)) {
175	0	fprintf(stderr, "pull/push parser error mismatch: %d != %d\n",
176	0	errorCode, errorCodePush);
177		#if 0
178		FILE *f = fopen("c.xml", "wb");
179		fwrite(docBuffer, docSize, 1, f);
180		fclose(f);
181		#endif
182	0	abort();
183	0	}
184
185	24.5k	#ifdef LIBXML_OUTPUT_ENABLED
186		/*
187		* Verify that pull and push parser produce the same result.
188		*
189		* The NOBLANKS option doesn't work reliably in push mode.
190		*/
191	24.5k	if ((opts & XML_PARSE_NOBLANKS) == 0 &&
192	13.6k	errorCode == XML_ERR_OK &&
193	111	errorCodePush == XML_ERR_OK &&
194	110	outbuf != NULL) {
195	108	xmlBufferPtr outbufPush;
196	108	xmlSaveCtxtPtr save;
197
198	108	outbufPush = xmlBufferCreate();
199
200	108	save = xmlSaveToBuffer(outbufPush, saveEncoding, saveOpts);
201
202	108	if (save != NULL) {
203	108	int saveErr;
204
205	108	xmlSaveDoc(save, doc);
206	108	saveErr = xmlSaveFinish(save);
207
208	108	if (saveErr == XML_ERR_OK) {
209	107	int outbufSize = xmlBufferLength(outbuf);
210
211	107	if (outbufSize != xmlBufferLength(outbufPush) \|\|
212	107	memcmp(xmlBufferContent(outbuf),
213	107	xmlBufferContent(outbufPush),
214	107	outbufSize) != 0) {
215	0	fprintf(stderr, "pull/push parser roundtrip "
216	0	"mismatch\n");
217		#if 0
218		FILE *f = fopen("c.xml", "wb");
219		fwrite(docBuffer, docSize, 1, f);
220		fclose(f);
221		fprintf(stderr, "opts: %X\n", opts);
222		fprintf(stderr, "---\n%s\n---\n%s\n---\n",
223		xmlBufferContent(outbuf),
224		xmlBufferContent(outbufPush));
225		#endif
226	0	abort();
227	0	}
228	107	}
229	108	}
230
231	108	xmlBufferFree(outbufPush);
232	108	}
233	24.5k	#endif
234
235	24.5k	xmlFreeDoc(doc);
236	24.5k	xmlFreeParserCtxt(ctxt);
237	24.5k	}
238	24.5k	#endif
239
240	24.7k	exit:
241	24.7k	#ifdef LIBXML_OUTPUT_ENABLED
242	24.7k	xmlBufferFree(outbuf);
243	24.7k	#endif
244	24.7k	xmlFuzzInjectFailure(0);
245	24.7k	xmlFuzzDataCleanup();
246	24.7k	xmlResetLastError();
247	24.7k	return(0);
248	24.5k	}
249
250		size_t
251		LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
252	0	unsigned seed) {
253	0	static const xmlFuzzChunkDesc chunks[] = {
254	0	{ 4, XML_FUZZ_PROB_ONE / 10 }, /* opts */
255	0	{ 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
256	0	{ 4, XML_FUZZ_PROB_ONE / 10 }, /* maxChunkSize */
257	0	{ 0, 0 }
258	0	};
259
260	0	return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
261	0	LLVMFuzzerMutate);
262	0	}
263