/src/libxml2/fuzz/reader.c

Source
/*
 * reader.c: a libFuzzer target to test the XML Reader API.
 *
 * See Copyright for the status of this software.
 */

#include <libxml/catalog.h>
#include <libxml/parser.h>
#include <libxml/tree.h>
#include <libxml/xmlerror.h>
#include <libxml/xmlreader.h>
#include <libxml/xmlsave.h>
#include "fuzz.h"

#include <string.h>

#if 0
  #define DEBUG
#endif

typedef enum {
    OP_READ = 1,
    OP_READ_INNER_XML,
    OP_READ_OUTER_XML,
    OP_READ_STRING,
    OP_READ_ATTRIBUTE_VALUE,
    OP_ATTRIBUTE_COUNT,
    OP_DEPTH,
    OP_HAS_ATTRIBUTES,
    OP_HAS_VALUE,
    OP_IS_DEFAULT,
    OP_IS_EMPTY_ELEMENT,
    OP_NODE_TYPE,
    OP_QUOTE_CHAR,
    OP_READ_STATE,
    OP_IS_NAMESPACE_DECL,
    OP_CONST_BASE_URI,
    OP_CONST_LOCAL_NAME,
    OP_CONST_NAME,
    OP_CONST_NAMESPACE_URI,
    OP_CONST_PREFIX,
    OP_CONST_XML_LANG,
    OP_CONST_VALUE,
    OP_BASE_URI,
    OP_LOCAL_NAME,
    OP_NAME,
    OP_NAMESPACE_URI,
    OP_PREFIX,
    OP_XML_LANG,
    OP_VALUE,
    OP_CLOSE,
    OP_GET_ATTRIBUTE_NO,
    OP_GET_ATTRIBUTE,
    OP_GET_ATTRIBUTE_NS,
    OP_GET_REMAINDER,
    OP_LOOKUP_NAMESPACE,
    OP_MOVE_TO_ATTRIBUTE_NO,
    OP_MOVE_TO_ATTRIBUTE,
    OP_MOVE_TO_ATTRIBUTE_NS,
    OP_MOVE_TO_FIRST_ATTRIBUTE,
    OP_MOVE_TO_NEXT_ATTRIBUTE,
    OP_MOVE_TO_ELEMENT,
    OP_NORMALIZATION,
    OP_CONST_ENCODING,
    OP_GET_PARSER_PROP,
    OP_CURRENT_NODE,
    OP_GET_PARSER_LINE_NUMBER,
    OP_GET_PARSER_COLUMN_NUMBER,
    OP_PRESERVE,
    OP_CURRENT_DOC,
    OP_EXPAND,
    OP_NEXT,
    OP_NEXT_SIBLING,
    OP_IS_VALID,
    OP_CONST_XML_VERSION,
    OP_STANDALONE,
    OP_BYTE_CONSUMED,

    OP_MAX
} opType;

static void
startOp(const char *name) {
    (void) name;
#ifdef DEBUG
    fprintf(stderr, "%s\n", name);
#endif
}

int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    xmlFuzzMemSetup();
    xmlInitParser();
#ifdef LIBXML_CATALOG_ENABLED
    xmlInitializeCatalog();
    xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
#endif

    return 0;
}

int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlTextReaderPtr reader;
    xmlDocPtr doc = NULL;
    const xmlError *error;
    const char *docBuffer;
    const unsigned char *program;
    size_t failurePos, docSize, programSize, i;
    size_t totalStringSize = 0;
    int opts;
    int oomReport = 0;

    xmlFuzzDataInit(data, size);
    opts = (int) xmlFuzzReadInt(4);
    failurePos = xmlFuzzReadInt(4) % (size + 100);

    program = (const unsigned char *) xmlFuzzReadString(&programSize);
    if (programSize > 1000)
        programSize = 1000;

    xmlFuzzReadEntities();
    docBuffer = xmlFuzzMainEntity(&docSize);
    if (docBuffer == NULL)
        goto exit;

#ifdef DEBUG
    fprintf(stderr, "Input document (%d bytes):\n", (int) docSize);
    for (i = 0; (size_t) i < docSize; i++) {
        int c = (unsigned char) docBuffer[i];

        if ((c == '\n' || (c >= 0x20 && c <= 0x7E)))
            putc(c, stderr);
        else
            fprintf(stderr, "\\x%02X", c);
    }
    fprintf(stderr, "\nEOF\n");
#endif

    xmlFuzzInjectFailure(failurePos);
    reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts);
    if (reader == NULL)
        goto exit;

    xmlTextReaderSetStructuredErrorHandler(reader, xmlFuzzSErrorFunc, NULL);
    xmlTextReaderSetResourceLoader(reader, xmlFuzzResourceLoader, NULL);

    i = 0;
    while (i < programSize) {
        int op = program[i++];

#define READ_BYTE() (i < programSize ? program[i++] : 0)
#define FREE_STRING(str) \
    do { \
        if (str != NULL) { \
            totalStringSize += strlen((char *) str); \
            xmlFree(str); \
        } \
    } while (0)

        switch (op & 0x3F) {
            case OP_READ:
            default:
                startOp("Read");
                xmlTextReaderRead(reader);
                break;

            case OP_READ_INNER_XML: {
                xmlChar *result;

                startOp("ReadInnerXml");
                result = xmlTextReaderReadInnerXml(reader);
                FREE_STRING(result);
                break;
            }

            case OP_READ_OUTER_XML: {
                xmlChar *result;

                startOp("ReadOuterXml");
                result = xmlTextReaderReadOuterXml(reader);
                FREE_STRING(result);
                break;
            }

            case OP_READ_STRING: {
                xmlChar *result;

                startOp("ReadString");
                result = xmlTextReaderReadString(reader);
                FREE_STRING(result);
                break;
            }

            case OP_READ_ATTRIBUTE_VALUE:
                startOp("ReadAttributeValue");
                xmlTextReaderReadAttributeValue(reader);
                break;

            case OP_ATTRIBUTE_COUNT:
                startOp("AttributeCount");
                xmlTextReaderAttributeCount(reader);
                break;

            case OP_DEPTH:
                startOp("Depth");
                xmlTextReaderDepth(reader);
                break;

            case OP_HAS_ATTRIBUTES:
                startOp("HasAttributes");
                xmlTextReaderHasAttributes(reader);
                break;

            case OP_HAS_VALUE:
                startOp("HasValue");
                xmlTextReaderHasValue(reader);
                break;

            case OP_IS_DEFAULT:
                startOp("IsDefault");
                xmlTextReaderIsDefault(reader);
                break;

            case OP_IS_EMPTY_ELEMENT:
                startOp("IsEmptyElement");
                xmlTextReaderIsEmptyElement(reader);
                break;

            case OP_NODE_TYPE:
                startOp("NodeType");
                xmlTextReaderNodeType(reader);
                break;

            case OP_QUOTE_CHAR:
                startOp("QuoteChar");
                xmlTextReaderQuoteChar(reader);
                break;

            case OP_READ_STATE:
                startOp("ReadState");
                xmlTextReaderReadState(reader);
                break;

            case OP_IS_NAMESPACE_DECL:
                startOp("IsNamespaceDecl");
                xmlTextReaderIsNamespaceDecl(reader);
                break;

            case OP_CONST_BASE_URI:
                startOp("ConstBaseUri");
                xmlTextReaderConstBaseUri(reader);
                break;

            case OP_CONST_LOCAL_NAME:
                startOp("ConstLocalName");
                xmlTextReaderConstLocalName(reader);
                break;

            case OP_CONST_NAME:
                startOp("ConstName");
                xmlTextReaderConstName(reader);
                break;

            case OP_CONST_NAMESPACE_URI:
                startOp("ConstNamespaceUri");
                xmlTextReaderConstNamespaceUri(reader);
                break;

            case OP_CONST_PREFIX:
                startOp("ConstPrefix");
                xmlTextReaderConstPrefix(reader);
                break;

            case OP_CONST_XML_LANG:
                startOp("ConstXmlLang");
                xmlTextReaderConstXmlLang(reader);
                oomReport = -1;
                break;

            case OP_CONST_VALUE:
                startOp("ConstValue");
                xmlTextReaderConstValue(reader);
                break;

            case OP_BASE_URI: {
                xmlChar *result;

                startOp("BaseUri");
                result = xmlTextReaderBaseUri(reader);
                FREE_STRING(result);
                break;
            }

            case OP_LOCAL_NAME: {
                xmlChar *result;

                startOp("LocalName");
                result = xmlTextReaderLocalName(reader);
                FREE_STRING(result);
                break;
            }

            case OP_NAME: {
                xmlChar *result;

                startOp("Name");
                result = xmlTextReaderName(reader);
                FREE_STRING(result);
                break;
            }

            case OP_NAMESPACE_URI: {
                xmlChar *result;

                startOp("NamespaceUri");
                result = xmlTextReaderNamespaceUri(reader);
                FREE_STRING(result);
                break;
            }

            case OP_PREFIX: {
                xmlChar *result;

                startOp("Prefix");
                result = xmlTextReaderPrefix(reader);
                FREE_STRING(result);
                break;
            }

            case OP_XML_LANG: {
                xmlChar *result;

                startOp("XmlLang");
                result = xmlTextReaderXmlLang(reader);
                oomReport = -1;
                FREE_STRING(result);
                break;
            }

            case OP_VALUE: {
                xmlChar *result;

                startOp("Value");
                result = xmlTextReaderValue(reader);
                FREE_STRING(result);
                break;
            }

            case OP_CLOSE:
                startOp("Close");
                if (doc == NULL)
                    doc = xmlTextReaderCurrentDoc(reader);
                xmlTextReaderClose(reader);
                break;

            case OP_GET_ATTRIBUTE_NO: {
                xmlChar *result;
                int no = READ_BYTE();

                startOp("GetAttributeNo");
                result = xmlTextReaderGetAttributeNo(reader, no);
                FREE_STRING(result);
                break;
            }

            case OP_GET_ATTRIBUTE: {
                const xmlChar *name = xmlTextReaderConstName(reader);
                xmlChar *result;

                startOp("GetAttribute");
                result = xmlTextReaderGetAttribute(reader, name);
                FREE_STRING(result);
                break;
            }

            case OP_GET_ATTRIBUTE_NS: {
                const xmlChar *localName, *namespaceUri;
                xmlChar *result;

                startOp("GetAttributeNs");
                localName = xmlTextReaderConstLocalName(reader);
                namespaceUri = xmlTextReaderConstNamespaceUri(reader);
                result = xmlTextReaderGetAttributeNs(reader, localName,
                                                     namespaceUri);
                FREE_STRING(result);
                break;
            }

            case OP_GET_REMAINDER:
                startOp("GetRemainder");
                if (doc == NULL)
                    doc = xmlTextReaderCurrentDoc(reader);
                xmlFreeParserInputBuffer(xmlTextReaderGetRemainder(reader));
                break;

            case OP_LOOKUP_NAMESPACE: {
                const xmlChar *prefix = xmlTextReaderConstPrefix(reader);
                xmlChar *result;

                startOp("LookupNamespace");
                result = xmlTextReaderLookupNamespace(reader, prefix);
                FREE_STRING(result);
                break;
            }

            case OP_MOVE_TO_ATTRIBUTE_NO: {
                int no = READ_BYTE();

                startOp("MoveToAttributeNo");
                xmlTextReaderMoveToAttributeNo(reader, no);
                break;
            }

            case OP_MOVE_TO_ATTRIBUTE: {
                const xmlChar *name = xmlTextReaderConstName(reader);

                startOp("MoveToAttribute");
                xmlTextReaderMoveToAttribute(reader, name);
                break;
            }

            case OP_MOVE_TO_ATTRIBUTE_NS: {
                const xmlChar *localName, *namespaceUri;

                startOp("MoveToAttributeNs");
                localName = xmlTextReaderConstLocalName(reader);
                namespaceUri = xmlTextReaderConstNamespaceUri(reader);
                xmlTextReaderMoveToAttributeNs(reader, localName,
                                               namespaceUri);
                break;
            }

            case OP_MOVE_TO_FIRST_ATTRIBUTE:
                startOp("MoveToFirstAttribute");
                xmlTextReaderMoveToFirstAttribute(reader);
                break;

            case OP_MOVE_TO_NEXT_ATTRIBUTE:
                startOp("MoveToNextAttribute");
                xmlTextReaderMoveToNextAttribute(reader);
                break;

            case OP_MOVE_TO_ELEMENT:
                startOp("MoveToElement");
                xmlTextReaderMoveToElement(reader);
                break;

            case OP_NORMALIZATION:
                startOp("Normalization");
                xmlTextReaderNormalization(reader);
                break;

            case OP_CONST_ENCODING:
                startOp("ConstEncoding");
                xmlTextReaderConstEncoding(reader);
                break;

            case OP_GET_PARSER_PROP: {
                int prop = READ_BYTE();

                startOp("GetParserProp");
                xmlTextReaderGetParserProp(reader, prop);
                break;
            }

            case OP_CURRENT_NODE:
                startOp("CurrentNode");
                xmlTextReaderCurrentNode(reader);
                break;

            case OP_GET_PARSER_LINE_NUMBER:
                startOp("GetParserLineNumber");
                xmlTextReaderGetParserLineNumber(reader);
                break;

            case OP_GET_PARSER_COLUMN_NUMBER:
                startOp("GetParserColumnNumber");
                xmlTextReaderGetParserColumnNumber(reader);
                break;

            case OP_PRESERVE:
                startOp("Preserve");
                xmlTextReaderPreserve(reader);
                break;

            case OP_CURRENT_DOC: {
                xmlDocPtr result;

                startOp("CurrentDoc");
                result = xmlTextReaderCurrentDoc(reader);
                if (doc == NULL)
                    doc = result;
                break;
            }

            case OP_EXPAND:
                startOp("Expand");
                xmlTextReaderExpand(reader);
                break;

            case OP_NEXT:
                startOp("Next");
                xmlTextReaderNext(reader);
                break;

            case OP_NEXT_SIBLING:
                startOp("NextSibling");
                xmlTextReaderNextSibling(reader);
                break;

            case OP_IS_VALID:
                startOp("IsValid");
                xmlTextReaderIsValid(reader);
                break;

            case OP_CONST_XML_VERSION:
                startOp("ConstXmlVersion");
                xmlTextReaderConstXmlVersion(reader);
                break;

            case OP_STANDALONE:
                startOp("Standalone");
                xmlTextReaderStandalone(reader);
                break;

            case OP_BYTE_CONSUMED:
                startOp("ByteConsumed");
                xmlTextReaderByteConsumed(reader);
                oomReport = -1;
                break;
        }

        if (totalStringSize > docSize * 2)
            break;
    }

    error = xmlTextReaderGetLastError(reader);
    if (error->code == XML_ERR_NO_MEMORY)
        oomReport = 1;
    xmlFuzzCheckFailureReport("reader", oomReport, error->code == XML_IO_EIO);

    xmlFreeTextReader(reader);

    if (doc != NULL)
        xmlFreeDoc(doc);

exit:
    xmlFuzzInjectFailure(0);
    xmlFuzzDataCleanup();
    xmlResetLastError();
    return(0);
}

size_t
LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
                        unsigned seed) {
    static const xmlFuzzChunkDesc chunks[] = {
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* opts */
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
        { 0, 0 }
    };

    return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
                               LLVMFuzzerMutate);
}


Coverage Report

Created: 2025-11-24 06:35

Line	Count	Source
1		/*
2		* reader.c: a libFuzzer target to test the XML Reader API.
3		*
4		* See Copyright for the status of this software.
5		*/
6
7		#include <libxml/catalog.h>
8		#include <libxml/parser.h>
9		#include <libxml/tree.h>
10		#include <libxml/xmlerror.h>
11		#include <libxml/xmlreader.h>
12		#include <libxml/xmlsave.h>
13		#include "fuzz.h"
14
15		#include <string.h>
16
17		#if 0
18		#define DEBUG
19		#endif
20
21		typedef enum {
22		OP_READ = 1,
23		OP_READ_INNER_XML,
24		OP_READ_OUTER_XML,
25		OP_READ_STRING,
26		OP_READ_ATTRIBUTE_VALUE,
27		OP_ATTRIBUTE_COUNT,
28		OP_DEPTH,
29		OP_HAS_ATTRIBUTES,
30		OP_HAS_VALUE,
31		OP_IS_DEFAULT,
32		OP_IS_EMPTY_ELEMENT,
33		OP_NODE_TYPE,
34		OP_QUOTE_CHAR,
35		OP_READ_STATE,
36		OP_IS_NAMESPACE_DECL,
37		OP_CONST_BASE_URI,
38		OP_CONST_LOCAL_NAME,
39		OP_CONST_NAME,
40		OP_CONST_NAMESPACE_URI,
41		OP_CONST_PREFIX,
42		OP_CONST_XML_LANG,
43		OP_CONST_VALUE,
44		OP_BASE_URI,
45		OP_LOCAL_NAME,
46		OP_NAME,
47		OP_NAMESPACE_URI,
48		OP_PREFIX,
49		OP_XML_LANG,
50		OP_VALUE,
51		OP_CLOSE,
52		OP_GET_ATTRIBUTE_NO,
53		OP_GET_ATTRIBUTE,
54		OP_GET_ATTRIBUTE_NS,
55		OP_GET_REMAINDER,
56		OP_LOOKUP_NAMESPACE,
57		OP_MOVE_TO_ATTRIBUTE_NO,
58		OP_MOVE_TO_ATTRIBUTE,
59		OP_MOVE_TO_ATTRIBUTE_NS,
60		OP_MOVE_TO_FIRST_ATTRIBUTE,
61		OP_MOVE_TO_NEXT_ATTRIBUTE,
62		OP_MOVE_TO_ELEMENT,
63		OP_NORMALIZATION,
64		OP_CONST_ENCODING,
65		OP_GET_PARSER_PROP,
66		OP_CURRENT_NODE,
67		OP_GET_PARSER_LINE_NUMBER,
68		OP_GET_PARSER_COLUMN_NUMBER,
69		OP_PRESERVE,
70		OP_CURRENT_DOC,
71		OP_EXPAND,
72		OP_NEXT,
73		OP_NEXT_SIBLING,
74		OP_IS_VALID,
75		OP_CONST_XML_VERSION,
76		OP_STANDALONE,
77		OP_BYTE_CONSUMED,
78
79		OP_MAX
80		} opType;
81
82		static void
83	765k	startOp(const char *name) {
84	765k	(void) name;
85		#ifdef DEBUG
86		fprintf(stderr, "%s\n", name);
87		#endif
88	765k	}
89
90		int
91		LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
92	20	char ***argv ATTRIBUTE_UNUSED) {
93	20	xmlFuzzMemSetup();
94	20	xmlInitParser();
95	20	#ifdef LIBXML_CATALOG_ENABLED
96	20	xmlInitializeCatalog();
97	20	xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
98	20	#endif
99
100	20	return 0;
101	20	}
102
103		int
104	39.0k	LLVMFuzzerTestOneInput(const char *data, size_t size) {
105	39.0k	xmlTextReaderPtr reader;
106	39.0k	xmlDocPtr doc = NULL;
107	39.0k	const xmlError *error;
108	39.0k	const char *docBuffer;
109	39.0k	const unsigned char *program;
110	39.0k	size_t failurePos, docSize, programSize, i;
111	39.0k	size_t totalStringSize = 0;
112	39.0k	int opts;
113	39.0k	int oomReport = 0;
114
115	39.0k	xmlFuzzDataInit(data, size);
116	39.0k	opts = (int) xmlFuzzReadInt(4);
117	39.0k	failurePos = xmlFuzzReadInt(4) % (size + 100);
118
119	39.0k	program = (const unsigned char *) xmlFuzzReadString(&programSize);
120	39.0k	if (programSize > 1000)
121	42	programSize = 1000;
122
123	39.0k	xmlFuzzReadEntities();
124	39.0k	docBuffer = xmlFuzzMainEntity(&docSize);
125	39.0k	if (docBuffer == NULL)
126	117	goto exit;
127
128		#ifdef DEBUG
129		fprintf(stderr, "Input document (%d bytes):\n", (int) docSize);
130		for (i = 0; (size_t) i < docSize; i++) {
131		int c = (unsigned char) docBuffer[i];
132
133		if ((c == '\n' \|\| (c >= 0x20 && c <= 0x7E)))
134		putc(c, stderr);
135		else
136		fprintf(stderr, "\\x%02X", c);
137		}
138		fprintf(stderr, "\nEOF\n");
139		#endif
140
141	38.9k	xmlFuzzInjectFailure(failurePos);
142	38.9k	reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts);
143	38.9k	if (reader == NULL)
144	68	goto exit;
145
146	38.8k	xmlTextReaderSetStructuredErrorHandler(reader, xmlFuzzSErrorFunc, NULL);
147	38.8k	xmlTextReaderSetResourceLoader(reader, xmlFuzzResourceLoader, NULL);
148
149	38.8k	i = 0;
150	803k	while (i < programSize) {
151	765k	int op = program[i++];
152
153	765k	#define READ_BYTE() (i < programSize ? program[i++] : 0)
154	765k	#define FREE_STRING(str) \
155	765k	do { \
156	162k	if (str != NULL) { \
157	52.8k	totalStringSize += strlen((char *) str); \
158	52.8k	xmlFree(str); \
159	52.8k	} \
160	162k	} while (0)
161
162	765k	switch (op & 0x3F) {
163	57.3k	case OP_READ:
164	265k	default:
165	265k	startOp("Read");
166	265k	xmlTextReaderRead(reader);
167	265k	break;
168
169	13.0k	case OP_READ_INNER_XML: {
170	13.0k	xmlChar *result;
171
172	13.0k	startOp("ReadInnerXml");
173	13.0k	result = xmlTextReaderReadInnerXml(reader);
174	13.0k	FREE_STRING(result);
175	13.0k	break;
176	57.3k	}
177
178	32.0k	case OP_READ_OUTER_XML: {
179	32.0k	xmlChar *result;
180
181	32.0k	startOp("ReadOuterXml");
182	32.0k	result = xmlTextReaderReadOuterXml(reader);
183	32.0k	FREE_STRING(result);
184	32.0k	break;
185	57.3k	}
186
187	10.1k	case OP_READ_STRING: {
188	10.1k	xmlChar *result;
189
190	10.1k	startOp("ReadString");
191	10.1k	result = xmlTextReaderReadString(reader);
192	10.1k	FREE_STRING(result);
193	10.1k	break;
194	57.3k	}
195
196	9.96k	case OP_READ_ATTRIBUTE_VALUE:
197	9.96k	startOp("ReadAttributeValue");
198	9.96k	xmlTextReaderReadAttributeValue(reader);
199	9.96k	break;
200
201	9.40k	case OP_ATTRIBUTE_COUNT:
202	9.40k	startOp("AttributeCount");
203	9.40k	xmlTextReaderAttributeCount(reader);
204	9.40k	break;
205
206	4.51k	case OP_DEPTH:
207	4.51k	startOp("Depth");
208	4.51k	xmlTextReaderDepth(reader);
209	4.51k	break;
210
211	2.74k	case OP_HAS_ATTRIBUTES:
212	2.74k	startOp("HasAttributes");
213	2.74k	xmlTextReaderHasAttributes(reader);
214	2.74k	break;
215
216	12.8k	case OP_HAS_VALUE:
217	12.8k	startOp("HasValue");
218	12.8k	xmlTextReaderHasValue(reader);
219	12.8k	break;
220
221	5.74k	case OP_IS_DEFAULT:
222	5.74k	startOp("IsDefault");
223	5.74k	xmlTextReaderIsDefault(reader);
224	5.74k	break;
225
226	10.7k	case OP_IS_EMPTY_ELEMENT:
227	10.7k	startOp("IsEmptyElement");
228	10.7k	xmlTextReaderIsEmptyElement(reader);
229	10.7k	break;
230
231	10.7k	case OP_NODE_TYPE:
232	10.7k	startOp("NodeType");
233	10.7k	xmlTextReaderNodeType(reader);
234	10.7k	break;
235
236	3.26k	case OP_QUOTE_CHAR:
237	3.26k	startOp("QuoteChar");
238	3.26k	xmlTextReaderQuoteChar(reader);
239	3.26k	break;
240
241	6.52k	case OP_READ_STATE:
242	6.52k	startOp("ReadState");
243	6.52k	xmlTextReaderReadState(reader);
244	6.52k	break;
245
246	3.70k	case OP_IS_NAMESPACE_DECL:
247	3.70k	startOp("IsNamespaceDecl");
248	3.70k	xmlTextReaderIsNamespaceDecl(reader);
249	3.70k	break;
250
251	42.5k	case OP_CONST_BASE_URI:
252	42.5k	startOp("ConstBaseUri");
253	42.5k	xmlTextReaderConstBaseUri(reader);
254	42.5k	break;
255
256	2.20k	case OP_CONST_LOCAL_NAME:
257	2.20k	startOp("ConstLocalName");
258	2.20k	xmlTextReaderConstLocalName(reader);
259	2.20k	break;
260
261	4.92k	case OP_CONST_NAME:
262	4.92k	startOp("ConstName");
263	4.92k	xmlTextReaderConstName(reader);
264	4.92k	break;
265
266	5.45k	case OP_CONST_NAMESPACE_URI:
267	5.45k	startOp("ConstNamespaceUri");
268	5.45k	xmlTextReaderConstNamespaceUri(reader);
269	5.45k	break;
270
271	12.4k	case OP_CONST_PREFIX:
272	12.4k	startOp("ConstPrefix");
273	12.4k	xmlTextReaderConstPrefix(reader);
274	12.4k	break;
275
276	6.92k	case OP_CONST_XML_LANG:
277	6.92k	startOp("ConstXmlLang");
278	6.92k	xmlTextReaderConstXmlLang(reader);
279	6.92k	oomReport = -1;
280	6.92k	break;
281
282	6.11k	case OP_CONST_VALUE:
283	6.11k	startOp("ConstValue");
284	6.11k	xmlTextReaderConstValue(reader);
285	6.11k	break;
286
287	8.25k	case OP_BASE_URI: {
288	8.25k	xmlChar *result;
289
290	8.25k	startOp("BaseUri");
291	8.25k	result = xmlTextReaderBaseUri(reader);
292	8.25k	FREE_STRING(result);
293	8.25k	break;
294	57.3k	}
295
296	5.02k	case OP_LOCAL_NAME: {
297	5.02k	xmlChar *result;
298
299	5.02k	startOp("LocalName");
300	5.02k	result = xmlTextReaderLocalName(reader);
301	5.02k	FREE_STRING(result);
302	5.02k	break;
303	57.3k	}
304
305	6.96k	case OP_NAME: {
306	6.96k	xmlChar *result;
307
308	6.96k	startOp("Name");
309	6.96k	result = xmlTextReaderName(reader);
310	6.96k	FREE_STRING(result);
311	6.96k	break;
312	57.3k	}
313
314	3.16k	case OP_NAMESPACE_URI: {
315	3.16k	xmlChar *result;
316
317	3.16k	startOp("NamespaceUri");
318	3.16k	result = xmlTextReaderNamespaceUri(reader);
319	3.16k	FREE_STRING(result);
320	3.16k	break;
321	57.3k	}
322
323	4.05k	case OP_PREFIX: {
324	4.05k	xmlChar *result;
325
326	4.05k	startOp("Prefix");
327	4.05k	result = xmlTextReaderPrefix(reader);
328	4.05k	FREE_STRING(result);
329	4.05k	break;
330	57.3k	}
331
332	3.16k	case OP_XML_LANG: {
333	3.16k	xmlChar *result;
334
335	3.16k	startOp("XmlLang");
336	3.16k	result = xmlTextReaderXmlLang(reader);
337	3.16k	oomReport = -1;
338	3.16k	FREE_STRING(result);
339	3.16k	break;
340	57.3k	}
341
342	10.5k	case OP_VALUE: {
343	10.5k	xmlChar *result;
344
345	10.5k	startOp("Value");
346	10.5k	result = xmlTextReaderValue(reader);
347	10.5k	FREE_STRING(result);
348	10.5k	break;
349	57.3k	}
350
351	1.57k	case OP_CLOSE:
352	1.57k	startOp("Close");
353	1.57k	if (doc == NULL)
354	499	doc = xmlTextReaderCurrentDoc(reader);
355	1.57k	xmlTextReaderClose(reader);
356	1.57k	break;
357
358	4.25k	case OP_GET_ATTRIBUTE_NO: {
359	4.25k	xmlChar *result;
360	4.25k	int no = READ_BYTE();
361
362	4.25k	startOp("GetAttributeNo");
363	4.25k	result = xmlTextReaderGetAttributeNo(reader, no);
364	4.25k	FREE_STRING(result);
365	4.25k	break;
366	57.3k	}
367
368	31.1k	case OP_GET_ATTRIBUTE: {
369	31.1k	const xmlChar *name = xmlTextReaderConstName(reader);
370	31.1k	xmlChar *result;
371
372	31.1k	startOp("GetAttribute");
373	31.1k	result = xmlTextReaderGetAttribute(reader, name);
374	31.1k	FREE_STRING(result);
375	31.1k	break;
376	57.3k	}
377
378	23.4k	case OP_GET_ATTRIBUTE_NS: {
379	23.4k	const xmlChar localName, namespaceUri;
380	23.4k	xmlChar *result;
381
382	23.4k	startOp("GetAttributeNs");
383	23.4k	localName = xmlTextReaderConstLocalName(reader);
384	23.4k	namespaceUri = xmlTextReaderConstNamespaceUri(reader);
385	23.4k	result = xmlTextReaderGetAttributeNs(reader, localName,
386	23.4k	namespaceUri);
387	23.4k	FREE_STRING(result);
388	23.4k	break;
389	57.3k	}
390
391	3.63k	case OP_GET_REMAINDER:
392	3.63k	startOp("GetRemainder");
393	3.63k	if (doc == NULL)
394	1.78k	doc = xmlTextReaderCurrentDoc(reader);
395	3.63k	xmlFreeParserInputBuffer(xmlTextReaderGetRemainder(reader));
396	3.63k	break;
397
398	7.52k	case OP_LOOKUP_NAMESPACE: {
399	7.52k	const xmlChar *prefix = xmlTextReaderConstPrefix(reader);
400	7.52k	xmlChar *result;
401
402	7.52k	startOp("LookupNamespace");
403	7.52k	result = xmlTextReaderLookupNamespace(reader, prefix);
404	7.52k	FREE_STRING(result);
405	7.52k	break;
406	57.3k	}
407
408	7.87k	case OP_MOVE_TO_ATTRIBUTE_NO: {
409	7.87k	int no = READ_BYTE();
410
411	7.87k	startOp("MoveToAttributeNo");
412	7.87k	xmlTextReaderMoveToAttributeNo(reader, no);
413	7.87k	break;
414	57.3k	}
415
416	12.8k	case OP_MOVE_TO_ATTRIBUTE: {
417	12.8k	const xmlChar *name = xmlTextReaderConstName(reader);
418
419	12.8k	startOp("MoveToAttribute");
420	12.8k	xmlTextReaderMoveToAttribute(reader, name);
421	12.8k	break;
422	57.3k	}
423
424	10.4k	case OP_MOVE_TO_ATTRIBUTE_NS: {
425	10.4k	const xmlChar localName, namespaceUri;
426
427	10.4k	startOp("MoveToAttributeNs");
428	10.4k	localName = xmlTextReaderConstLocalName(reader);
429	10.4k	namespaceUri = xmlTextReaderConstNamespaceUri(reader);
430	10.4k	xmlTextReaderMoveToAttributeNs(reader, localName,
431	10.4k	namespaceUri);
432	10.4k	break;
433	57.3k	}
434
435	12.3k	case OP_MOVE_TO_FIRST_ATTRIBUTE:
436	12.3k	startOp("MoveToFirstAttribute");
437	12.3k	xmlTextReaderMoveToFirstAttribute(reader);
438	12.3k	break;
439
440	8.17k	case OP_MOVE_TO_NEXT_ATTRIBUTE:
441	8.17k	startOp("MoveToNextAttribute");
442	8.17k	xmlTextReaderMoveToNextAttribute(reader);
443	8.17k	break;
444
445	5.32k	case OP_MOVE_TO_ELEMENT:
446	5.32k	startOp("MoveToElement");
447	5.32k	xmlTextReaderMoveToElement(reader);
448	5.32k	break;
449
450	1.63k	case OP_NORMALIZATION:
451	1.63k	startOp("Normalization");
452	1.63k	xmlTextReaderNormalization(reader);
453	1.63k	break;
454
455	3.25k	case OP_CONST_ENCODING:
456	3.25k	startOp("ConstEncoding");
457	3.25k	xmlTextReaderConstEncoding(reader);
458	3.25k	break;
459
460	8.10k	case OP_GET_PARSER_PROP: {
461	8.10k	int prop = READ_BYTE();
462
463	8.10k	startOp("GetParserProp");
464	8.10k	xmlTextReaderGetParserProp(reader, prop);
465	8.10k	break;
466	57.3k	}
467
468	11.8k	case OP_CURRENT_NODE:
469	11.8k	startOp("CurrentNode");
470	11.8k	xmlTextReaderCurrentNode(reader);
471	11.8k	break;
472
473	5.80k	case OP_GET_PARSER_LINE_NUMBER:
474	5.80k	startOp("GetParserLineNumber");
475	5.80k	xmlTextReaderGetParserLineNumber(reader);
476	5.80k	break;
477
478	8.14k	case OP_GET_PARSER_COLUMN_NUMBER:
479	8.14k	startOp("GetParserColumnNumber");
480	8.14k	xmlTextReaderGetParserColumnNumber(reader);
481	8.14k	break;
482
483	9.15k	case OP_PRESERVE:
484	9.15k	startOp("Preserve");
485	9.15k	xmlTextReaderPreserve(reader);
486	9.15k	break;
487
488	8.59k	case OP_CURRENT_DOC: {
489	8.59k	xmlDocPtr result;
490
491	8.59k	startOp("CurrentDoc");
492	8.59k	result = xmlTextReaderCurrentDoc(reader);
493	8.59k	if (doc == NULL)
494	2.95k	doc = result;
495	8.59k	break;
496	57.3k	}
497
498	7.48k	case OP_EXPAND:
499	7.48k	startOp("Expand");
500	7.48k	xmlTextReaderExpand(reader);
501	7.48k	break;
502
503	22.3k	case OP_NEXT:
504	22.3k	startOp("Next");
505	22.3k	xmlTextReaderNext(reader);
506	22.3k	break;
507
508	8.45k	case OP_NEXT_SIBLING:
509	8.45k	startOp("NextSibling");
510	8.45k	xmlTextReaderNextSibling(reader);
511	8.45k	break;
512
513	4.24k	case OP_IS_VALID:
514	4.24k	startOp("IsValid");
515	4.24k	xmlTextReaderIsValid(reader);
516	4.24k	break;
517
518	4.69k	case OP_CONST_XML_VERSION:
519	4.69k	startOp("ConstXmlVersion");
520	4.69k	xmlTextReaderConstXmlVersion(reader);
521	4.69k	break;
522
523	5.17k	case OP_STANDALONE:
524	5.17k	startOp("Standalone");
525	5.17k	xmlTextReaderStandalone(reader);
526	5.17k	break;
527
528	5.60k	case OP_BYTE_CONSUMED:
529	5.60k	startOp("ByteConsumed");
530	5.60k	xmlTextReaderByteConsumed(reader);
531	5.60k	oomReport = -1;
532	5.60k	break;
533	765k	}
534
535	765k	if (totalStringSize > docSize * 2)
536	1.18k	break;
537	765k	}
538
539	38.8k	error = xmlTextReaderGetLastError(reader);
540	38.8k	if (error->code == XML_ERR_NO_MEMORY)
541	8.71k	oomReport = 1;
542	38.8k	xmlFuzzCheckFailureReport("reader", oomReport, error->code == XML_IO_EIO);
543
544	38.8k	xmlFreeTextReader(reader);
545
546	38.8k	if (doc != NULL)
547	3.60k	xmlFreeDoc(doc);
548
549	39.0k	exit:
550	39.0k	xmlFuzzInjectFailure(0);
551	39.0k	xmlFuzzDataCleanup();
552	39.0k	xmlResetLastError();
553	39.0k	return(0);
554	38.8k	}
555
556		size_t
557		LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
558	0	unsigned seed) {
559	0	static const xmlFuzzChunkDesc chunks[] = {
560	0	{ 4, XML_FUZZ_PROB_ONE / 10 }, /* opts */
561	0	{ 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
562	0	{ 0, 0 }
563	0	};
564
565	0	return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
566	0	LLVMFuzzerMutate);
567	0	}
568