Coverage Report

Created: 2025-11-24 06:35

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/libxml2/fuzz/xinclude.c
Line
Count
Source
1
/*
2
 * xinclude.c: a libFuzzer target to test the XInclude engine.
3
 *
4
 * See Copyright for the status of this software.
5
 */
6
7
#include <libxml/catalog.h>
8
#include <libxml/parser.h>
9
#include <libxml/tree.h>
10
#include <libxml/xmlerror.h>
11
#include <libxml/xinclude.h>
12
#include "fuzz.h"
13
14
int
15
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
16
20
                     char ***argv ATTRIBUTE_UNUSED) {
17
20
    xmlFuzzMemSetup();
18
20
    xmlInitParser();
19
20
#ifdef LIBXML_CATALOG_ENABLED
20
20
    xmlInitializeCatalog();
21
20
    xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
22
20
#endif
23
20
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
24
25
20
    return 0;
26
20
}
27
28
int
29
31.0k
LLVMFuzzerTestOneInput(const char *data, size_t size) {
30
31.0k
    xmlParserCtxtPtr ctxt;
31
31.0k
    xmlDocPtr doc;
32
31.0k
    const char *docBuffer, *docUrl;
33
31.0k
    size_t failurePos, docSize;
34
31.0k
    int opts;
35
36
31.0k
    xmlFuzzDataInit(data, size);
37
31.0k
    opts = (int) xmlFuzzReadInt(4);
38
31.0k
    opts &= ~XML_PARSE_DTDVALID &
39
31.0k
            ~XML_PARSE_SAX1;
40
31.0k
    failurePos = xmlFuzzReadInt(4) % (size + 100);
41
42
31.0k
    xmlFuzzReadEntities();
43
31.0k
    docBuffer = xmlFuzzMainEntity(&docSize);
44
31.0k
    docUrl = xmlFuzzMainUrl();
45
31.0k
    if (docBuffer == NULL)
46
68
        goto exit;
47
48
    /* Pull parser */
49
50
30.9k
    xmlFuzzInjectFailure(failurePos);
51
30.9k
    ctxt = xmlNewParserCtxt();
52
30.9k
    if (ctxt != NULL) {
53
30.9k
        xmlXIncludeCtxtPtr xinc;
54
30.9k
        xmlDocPtr copy;
55
56
30.9k
        xmlCtxtSetResourceLoader(ctxt, xmlFuzzResourceLoader, NULL);
57
58
30.9k
        doc = xmlCtxtReadMemory(ctxt, docBuffer, docSize, docUrl, NULL, opts);
59
30.9k
        xmlFuzzCheckFailureReport("xmlCtxtReadMemory",
60
30.9k
                doc == NULL && ctxt->errNo == XML_ERR_NO_MEMORY,
61
30.9k
                doc == NULL && ctxt->errNo == XML_IO_EIO);
62
63
30.9k
        xinc = xmlXIncludeNewContext(doc);
64
30.9k
        xmlXIncludeSetResourceLoader(xinc, xmlFuzzResourceLoader, NULL);
65
30.9k
        xmlXIncludeSetFlags(xinc, opts);
66
30.9k
        xmlXIncludeProcessNode(xinc, (xmlNodePtr) doc);
67
30.9k
        if (doc != NULL) {
68
21.4k
            xmlFuzzCheckFailureReport("xmlXIncludeProcessNode",
69
21.4k
                    xinc == NULL ||
70
21.3k
                    xmlXIncludeGetLastError(xinc) == XML_ERR_NO_MEMORY,
71
21.4k
                    xinc != NULL &&
72
21.3k
                    xmlXIncludeGetLastError(xinc) == XML_IO_EIO);
73
21.4k
        }
74
30.9k
        xmlXIncludeFreeContext(xinc);
75
76
30.9k
        xmlFuzzResetFailure();
77
30.9k
        copy = xmlCopyDoc(doc, 1);
78
30.9k
        if (doc != NULL)
79
21.4k
            xmlFuzzCheckFailureReport("xmlCopyNode", copy == NULL, 0);
80
30.9k
        xmlFreeDoc(copy);
81
82
30.9k
        xmlFreeDoc(doc);
83
30.9k
        xmlFreeParserCtxt(ctxt);
84
30.9k
    }
85
86
31.0k
exit:
87
31.0k
    xmlFuzzInjectFailure(0);
88
31.0k
    xmlFuzzDataCleanup();
89
31.0k
    xmlResetLastError();
90
31.0k
    return(0);
91
30.9k
}
92
93
size_t
94
LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
95
0
                        unsigned seed) {
96
0
    static const xmlFuzzChunkDesc chunks[] = {
97
0
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* opts */
98
0
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
99
0
        { 0, 0 }
100
0
    };
101
102
0
    return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
103
0
                               LLVMFuzzerMutate);
104
0
}
105