/src/libyaml_emitter_fuzzer.c

Source
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include "yaml.h"
#include "yaml_write_handler.h"
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef NDEBUG
#undef NDEBUG
#endif

#define MAX_EVENTS 1024

bool events_equal(yaml_event_t *event1, yaml_event_t *event2) {
  
  const bool equal = true;

  if (event1->type != event2->type)
    return equal;

  switch (event1->type) {
  case YAML_STREAM_START_EVENT:
    return !equal;

  case YAML_DOCUMENT_START_EVENT:
    if ((event1->data.document_start.version_directive &&
         !event2->data.document_start.version_directive) ||
        (!event1->data.document_start.version_directive &&
         event2->data.document_start.version_directive) ||
        (event1->data.document_start.version_directive &&
         event2->data.document_start.version_directive &&
         (event1->data.document_start.version_directive->major !=
              event2->data.document_start.version_directive->major ||
          event1->data.document_start.version_directive->minor !=
              event2->data.document_start.version_directive->minor)))
      return equal;
    if ((event1->data.document_start.tag_directives.end -
         event1->data.document_start.tag_directives.start) !=
        (event2->data.document_start.tag_directives.end -
         event2->data.document_start.tag_directives.start))
      return equal;
    for (int k = 0; k < (event1->data.document_start.tag_directives.end -
                         event1->data.document_start.tag_directives.start);
         k++) {
      if ((strcmp((char *)event1->data.document_start.tag_directives.start[k]
                      .handle,
                  (char *)event2->data.document_start.tag_directives.start[k]
                      .handle) != 0) ||
          (strcmp((char *)event1->data.document_start.tag_directives.start[k]
                      .prefix,
                  (char *)event2->data.document_start.tag_directives.start[k]
                      .prefix) != 0))
        return equal;
    }
    return !equal;

  case YAML_DOCUMENT_END_EVENT:
    return !equal;

  case YAML_ALIAS_EVENT:
    return (strcmp((char *)event1->data.alias.anchor,
                   (char *)event2->data.alias.anchor) == 0);

  case YAML_SCALAR_EVENT:
    if ((event1->data.scalar.anchor && !event2->data.scalar.anchor) ||
        (!event1->data.scalar.anchor && event2->data.scalar.anchor) ||
        (event1->data.scalar.anchor && event2->data.scalar.anchor &&
         strcmp((char *)event1->data.scalar.anchor,
                (char *)event2->data.scalar.anchor) != 0))
      return equal;
    if ((event1->data.scalar.tag && !event2->data.scalar.tag &&
         strcmp((char *)event1->data.scalar.tag, "!") != 0) ||
        (!event1->data.scalar.tag && event2->data.scalar.tag &&
         strcmp((char *)event2->data.scalar.tag, "!") != 0) ||
        (event1->data.scalar.tag && event2->data.scalar.tag &&
         strcmp((char *)event1->data.scalar.tag,
                (char *)event2->data.scalar.tag) != 0))
      return equal;
    if ((event1->data.scalar.length != event2->data.scalar.length) ||
        memcmp(event1->data.scalar.value, event2->data.scalar.value,
               event1->data.scalar.length) != 0)
      return equal;
    if ((event1->data.scalar.plain_implicit !=
         event2->data.scalar.plain_implicit) ||
        (event1->data.scalar.quoted_implicit !=
         event2->data.scalar.quoted_implicit))
      return equal;
    return !equal;

  case YAML_SEQUENCE_START_EVENT:
    if ((event1->data.sequence_start.anchor &&
         !event2->data.sequence_start.anchor) ||
        (!event1->data.sequence_start.anchor &&
         event2->data.sequence_start.anchor) ||
        (event1->data.sequence_start.anchor &&
         event2->data.sequence_start.anchor &&
         strcmp((char *)event1->data.sequence_start.anchor,
                (char *)event2->data.sequence_start.anchor) != 0))
      return equal;
    if ((event1->data.sequence_start.tag && !event2->data.sequence_start.tag) ||
        (!event1->data.sequence_start.tag && event2->data.sequence_start.tag) ||
        (event1->data.sequence_start.tag && event2->data.sequence_start.tag &&
         strcmp((char *)event1->data.sequence_start.tag,
                (char *)event2->data.sequence_start.tag) != 0))
      return equal;
    if ((event1->data.sequence_start.implicit !=
         event2->data.sequence_start.implicit))
      return equal;
    return !equal;

  case YAML_MAPPING_START_EVENT:
    if ((event1->data.mapping_start.anchor &&
         !event2->data.mapping_start.anchor) ||
        (!event1->data.mapping_start.anchor &&
         event2->data.mapping_start.anchor) ||
        (event1->data.mapping_start.anchor &&
         event2->data.mapping_start.anchor &&
         strcmp((char *)event1->data.mapping_start.anchor,
                (char *)event2->data.mapping_start.anchor) != 0))
      return equal;
    if ((event1->data.mapping_start.tag && !event2->data.mapping_start.tag) ||
        (!event1->data.mapping_start.tag && event2->data.mapping_start.tag) ||
        (event1->data.mapping_start.tag && event2->data.mapping_start.tag &&
         strcmp((char *)event1->data.mapping_start.tag,
                (char *)event2->data.mapping_start.tag) != 0))
      return equal;
    if ((event1->data.mapping_start.implicit !=
         event2->data.mapping_start.implicit))
      return equal;
    return !equal;

  default:
    return !equal;
  }
}

bool copy_event(yaml_event_t *event_to, yaml_event_t *event_from) {

  switch (event_from->type) {
  case YAML_STREAM_START_EVENT:
    return yaml_stream_start_event_initialize(
        event_to, event_from->data.stream_start.encoding);

  case YAML_STREAM_END_EVENT:
    return yaml_stream_end_event_initialize(event_to);

  case YAML_DOCUMENT_START_EVENT:
    return yaml_document_start_event_initialize(
        event_to, event_from->data.document_start.version_directive,
        event_from->data.document_start.tag_directives.start,
        event_from->data.document_start.tag_directives.end,
        event_from->data.document_start.implicit);

  case YAML_DOCUMENT_END_EVENT:
    return yaml_document_end_event_initialize(
        event_to, event_from->data.document_end.implicit);

  case YAML_ALIAS_EVENT:
    return yaml_alias_event_initialize(event_to, event_from->data.alias.anchor);

  case YAML_SCALAR_EVENT:
    return yaml_scalar_event_initialize(
        event_to, event_from->data.scalar.anchor, event_from->data.scalar.tag,
        event_from->data.scalar.value, event_from->data.scalar.length,
        event_from->data.scalar.plain_implicit,
        event_from->data.scalar.quoted_implicit, event_from->data.scalar.style);

  case YAML_SEQUENCE_START_EVENT:
    return yaml_sequence_start_event_initialize(
        event_to, event_from->data.sequence_start.anchor,
        event_from->data.sequence_start.tag,
        event_from->data.sequence_start.implicit,
        event_from->data.sequence_start.style);

  case YAML_SEQUENCE_END_EVENT:
    return yaml_sequence_end_event_initialize(event_to);

  case YAML_MAPPING_START_EVENT:
    return yaml_mapping_start_event_initialize(
        event_to, event_from->data.mapping_start.anchor,
        event_from->data.mapping_start.tag,
        event_from->data.mapping_start.implicit,
        event_from->data.mapping_start.style);

  case YAML_MAPPING_END_EVENT:
    return yaml_mapping_end_event_initialize(event_to);
  }

  return false;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size < 2)
    return 0;

  yaml_parser_t parser;
  yaml_emitter_t emitter;
  yaml_event_t event;
  yaml_event_t events[MAX_EVENTS];
  size_t event_number = 0;
  bool done = false;
  int count = 0;
  bool is_canonical = data[0] & 1;
  bool is_unicode = data[1] & 1;
  data += 2;
  size -= 2;

  if (!yaml_parser_initialize(&parser))
    return 0;

  yaml_parser_set_input_string(&parser, data, size);
  if (!yaml_emitter_initialize(&emitter)) {
    yaml_parser_delete(&parser);
    return 0;
  }

  yaml_emitter_set_canonical(&emitter, is_canonical);
  yaml_emitter_set_unicode(&emitter, is_unicode);

  yaml_output_buffer_t out = {/*buf=*/NULL, /*size=*/0, /*capacity=*/1000};
  yaml_emitter_set_output(&emitter, yaml_write_handler, &out);

  while (!done) {
    if (!yaml_parser_parse(&parser, &event)) {
      goto delete_parser;
    }

    done = (event.type == YAML_STREAM_END_EVENT);
    if (event_number >= MAX_EVENTS) {
      yaml_event_delete(&event);
      goto delete_parser;
    }

    if (!copy_event(&events[event_number], &event)) {
      yaml_event_delete(&event);
      goto delete_parser;
    }
    event_number++;

    if (!yaml_emitter_emit(&emitter, &event)) {
      goto delete_parser;
    }

  }

  yaml_parser_delete(&parser);

  if (!out.buf || out.size == 0)
    goto error;

  done = false;
  if (!yaml_parser_initialize(&parser))
    goto error;

  yaml_parser_set_input_string(&parser, out.buf, out.size);

  while (!done) {
    if (!yaml_parser_parse(&parser, &event))
      break;

    done = (event.type == YAML_STREAM_END_EVENT);
    if (events_equal(events + count, &event)) {
      yaml_event_delete(&event);
      break;
    }

    yaml_event_delete(&event);
    count++;
  }

delete_parser:

  yaml_parser_delete(&parser);

error:

  yaml_emitter_delete(&emitter);

  for (int k = 0; k < event_number; k++) {
    yaml_event_delete(events + k);
  }

  free(out.buf);

  return 0;
}

Coverage Report

Created: 2026-03-12 06:57

Line	Count	Source
1		// Copyright 2020 Google LLC
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// http://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include "yaml.h"
16		#include "yaml_write_handler.h"
17		#include <assert.h>
18		#include <stdbool.h>
19		#include <stdint.h>
20		#include <stdio.h>
21		#include <stdlib.h>
22		#include <string.h>
23
24		#ifdef NDEBUG
25		#undef NDEBUG
26		#endif
27
28	259k	#define MAX_EVENTS 1024
29
30	103k	bool events_equal(yaml_event_t event1, yaml_event_t event2) {
31
32	103k	const bool equal = true;
33
34	103k	if (event1->type != event2->type)
35	0	return equal;
36
37	103k	switch (event1->type) {
38	619	case YAML_STREAM_START_EVENT:
39	619	return !equal;
40
41	4.31k	case YAML_DOCUMENT_START_EVENT:
42	4.31k	if ((event1->data.document_start.version_directive &&
43	186	!event2->data.document_start.version_directive) \|\|
44	4.31k	(!event1->data.document_start.version_directive &&
45	4.13k	event2->data.document_start.version_directive) \|\|
46	4.31k	(event1->data.document_start.version_directive &&
47	186	event2->data.document_start.version_directive &&
48	186	(event1->data.document_start.version_directive->major !=
49	186	event2->data.document_start.version_directive->major \|\|
50	186	event1->data.document_start.version_directive->minor !=
51	186	event2->data.document_start.version_directive->minor)))
52	0	return equal;
53	4.31k	if ((event1->data.document_start.tag_directives.end -
54	4.31k	event1->data.document_start.tag_directives.start) !=
55	4.31k	(event2->data.document_start.tag_directives.end -
56	4.31k	event2->data.document_start.tag_directives.start))
57	0	return equal;
58	4.66k	for (int k = 0; k < (event1->data.document_start.tag_directives.end -
59	4.66k	event1->data.document_start.tag_directives.start);
60	4.31k	k++) {
61	349	if ((strcmp((char *)event1->data.document_start.tag_directives.start[k]
62	349	.handle,
63	349	(char *)event2->data.document_start.tag_directives.start[k]
64	349	.handle) != 0) \|\|
65	349	(strcmp((char *)event1->data.document_start.tag_directives.start[k]
66	349	.prefix,
67	349	(char *)event2->data.document_start.tag_directives.start[k]
68	349	.prefix) != 0))
69	0	return equal;
70	349	}
71	4.31k	return !equal;
72
73	4.27k	case YAML_DOCUMENT_END_EVENT:
74	4.27k	return !equal;
75
76	21	case YAML_ALIAS_EVENT:
77	21	return (strcmp((char *)event1->data.alias.anchor,
78	21	(char *)event2->data.alias.anchor) == 0);
79
80	45.2k	case YAML_SCALAR_EVENT:
81	45.2k	if ((event1->data.scalar.anchor && !event2->data.scalar.anchor) \|\|
82	45.2k	(!event1->data.scalar.anchor && event2->data.scalar.anchor) \|\|
83	45.2k	(event1->data.scalar.anchor && event2->data.scalar.anchor &&
84	169	strcmp((char *)event1->data.scalar.anchor,
85	169	(char *)event2->data.scalar.anchor) != 0))
86	0	return equal;
87	45.2k	if ((event1->data.scalar.tag && !event2->data.scalar.tag &&
88	201	strcmp((char *)event1->data.scalar.tag, "!") != 0) \|\|
89	45.2k	(!event1->data.scalar.tag && event2->data.scalar.tag &&
90	10.9k	strcmp((char *)event2->data.scalar.tag, "!") != 0) \|\|
91	45.2k	(event1->data.scalar.tag && event2->data.scalar.tag &&
92	4.19k	strcmp((char *)event1->data.scalar.tag,
93	4.19k	(char *)event2->data.scalar.tag) != 0))
94	0	return equal;
95	45.2k	if ((event1->data.scalar.length != event2->data.scalar.length) \|\|
96	45.2k	memcmp(event1->data.scalar.value, event2->data.scalar.value,
97	45.2k	event1->data.scalar.length) != 0)
98	16	return equal;
99	45.2k	if ((event1->data.scalar.plain_implicit !=
100	45.2k	event2->data.scalar.plain_implicit) \|\|
101	45.2k	(event1->data.scalar.quoted_implicit !=
102	45.2k	event2->data.scalar.quoted_implicit))
103	4	return equal;
104	45.2k	return !equal;
105
106	18.9k	case YAML_SEQUENCE_START_EVENT:
107	18.9k	if ((event1->data.sequence_start.anchor &&
108	26	!event2->data.sequence_start.anchor) \|\|
109	18.9k	(!event1->data.sequence_start.anchor &&
110	18.9k	event2->data.sequence_start.anchor) \|\|
111	18.9k	(event1->data.sequence_start.anchor &&
112	26	event2->data.sequence_start.anchor &&
113	26	strcmp((char *)event1->data.sequence_start.anchor,
114	26	(char *)event2->data.sequence_start.anchor) != 0))
115	0	return equal;
116	18.9k	if ((event1->data.sequence_start.tag && !event2->data.sequence_start.tag) \|\|
117	18.9k	(!event1->data.sequence_start.tag && event2->data.sequence_start.tag) \|\|
118	18.9k	(event1->data.sequence_start.tag && event2->data.sequence_start.tag &&
119	816	strcmp((char *)event1->data.sequence_start.tag,
120	816	(char *)event2->data.sequence_start.tag) != 0))
121	0	return equal;
122	18.9k	if ((event1->data.sequence_start.implicit !=
123	18.9k	event2->data.sequence_start.implicit))
124	0	return equal;
125	18.9k	return !equal;
126
127	5.44k	case YAML_MAPPING_START_EVENT:
128	5.44k	if ((event1->data.mapping_start.anchor &&
129	61	!event2->data.mapping_start.anchor) \|\|
130	5.44k	(!event1->data.mapping_start.anchor &&
131	5.38k	event2->data.mapping_start.anchor) \|\|
132	5.44k	(event1->data.mapping_start.anchor &&
133	61	event2->data.mapping_start.anchor &&
134	61	strcmp((char *)event1->data.mapping_start.anchor,
135	61	(char *)event2->data.mapping_start.anchor) != 0))
136	0	return equal;
137	5.44k	if ((event1->data.mapping_start.tag && !event2->data.mapping_start.tag) \|\|
138	5.44k	(!event1->data.mapping_start.tag && event2->data.mapping_start.tag) \|\|
139	5.44k	(event1->data.mapping_start.tag && event2->data.mapping_start.tag &&
140	473	strcmp((char *)event1->data.mapping_start.tag,
141	473	(char *)event2->data.mapping_start.tag) != 0))
142	0	return equal;
143	5.44k	if ((event1->data.mapping_start.implicit !=
144	5.44k	event2->data.mapping_start.implicit))
145	0	return equal;
146	5.44k	return !equal;
147
148	24.9k	default:
149	24.9k	return !equal;
150	103k	}
151	103k	}
152
153	259k	bool copy_event(yaml_event_t event_to, yaml_event_t event_from) {
154
155	259k	switch (event_from->type) {
156	3.61k	case YAML_STREAM_START_EVENT:
157	3.61k	return yaml_stream_start_event_initialize(
158	3.61k	event_to, event_from->data.stream_start.encoding);
159
160	673	case YAML_STREAM_END_EVENT:
161	673	return yaml_stream_end_event_initialize(event_to);
162
163	7.67k	case YAML_DOCUMENT_START_EVENT:
164	7.67k	return yaml_document_start_event_initialize(
165	7.67k	event_to, event_from->data.document_start.version_directive,
166	7.67k	event_from->data.document_start.tag_directives.start,
167	7.67k	event_from->data.document_start.tag_directives.end,
168	7.67k	event_from->data.document_start.implicit);
169
170	6.42k	case YAML_DOCUMENT_END_EVENT:
171	6.42k	return yaml_document_end_event_initialize(
172	6.42k	event_to, event_from->data.document_end.implicit);
173
174	768	case YAML_ALIAS_EVENT:
175	768	return yaml_alias_event_initialize(event_to, event_from->data.alias.anchor);
176
177	129k	case YAML_SCALAR_EVENT:
178	129k	return yaml_scalar_event_initialize(
179	129k	event_to, event_from->data.scalar.anchor, event_from->data.scalar.tag,
180	129k	event_from->data.scalar.value, event_from->data.scalar.length,
181	129k	event_from->data.scalar.plain_implicit,
182	129k	event_from->data.scalar.quoted_implicit, event_from->data.scalar.style);
183
184	40.8k	case YAML_SEQUENCE_START_EVENT:
185	40.8k	return yaml_sequence_start_event_initialize(
186	40.8k	event_to, event_from->data.sequence_start.anchor,
187	40.8k	event_from->data.sequence_start.tag,
188	40.8k	event_from->data.sequence_start.implicit,
189	40.8k	event_from->data.sequence_start.style);
190
191	24.0k	case YAML_SEQUENCE_END_EVENT:
192	24.0k	return yaml_sequence_end_event_initialize(event_to);
193
194	30.3k	case YAML_MAPPING_START_EVENT:
195	30.3k	return yaml_mapping_start_event_initialize(
196	30.3k	event_to, event_from->data.mapping_start.anchor,
197	30.3k	event_from->data.mapping_start.tag,
198	30.3k	event_from->data.mapping_start.implicit,
199	30.3k	event_from->data.mapping_start.style);
200
201	15.5k	case YAML_MAPPING_END_EVENT:
202	15.5k	return yaml_mapping_end_event_initialize(event_to);
203	259k	}
204
205	0	return false;
206	259k	}
207
208	3.79k	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
209	3.79k	if (size < 2)
210	1	return 0;
211
212	3.79k	yaml_parser_t parser;
213	3.79k	yaml_emitter_t emitter;
214	3.79k	yaml_event_t event;
215	3.79k	yaml_event_t events[MAX_EVENTS];
216	3.79k	size_t event_number = 0;
217	3.79k	bool done = false;
218	3.79k	int count = 0;
219	3.79k	bool is_canonical = data[0] & 1;
220	3.79k	bool is_unicode = data[1] & 1;
221	3.79k	data += 2;
222	3.79k	size -= 2;
223
224	3.79k	if (!yaml_parser_initialize(&parser))
225	0	return 0;
226
227	3.79k	yaml_parser_set_input_string(&parser, data, size);
228	3.79k	if (!yaml_emitter_initialize(&emitter)) {
229	0	yaml_parser_delete(&parser);
230	0	return 0;
231	0	}
232
233	3.79k	yaml_emitter_set_canonical(&emitter, is_canonical);
234	3.79k	yaml_emitter_set_unicode(&emitter, is_unicode);
235
236	3.79k	yaml_output_buffer_t out = {/buf=/NULL, /size=/0, /capacity=/1000};
237	3.79k	yaml_emitter_set_output(&emitter, yaml_write_handler, &out);
238
239	262k	while (!done) {
240	261k	if (!yaml_parser_parse(&parser, &event)) {
241	2.06k	goto delete_parser;
242	2.06k	}
243
244	259k	done = (event.type == YAML_STREAM_END_EVENT);
245	259k	if (event_number >= MAX_EVENTS) {
246	26	yaml_event_delete(&event);
247	26	goto delete_parser;
248	26	}
249
250	259k	if (!copy_event(&events[event_number], &event)) {
251	10	yaml_event_delete(&event);
252	10	goto delete_parser;
253	10	}
254	259k	event_number++;
255
256	259k	if (!yaml_emitter_emit(&emitter, &event)) {
257	1.02k	goto delete_parser;
258	1.02k	}
259
260	259k	}
261
262	664	yaml_parser_delete(&parser);
263
264	664	if (!out.buf \|\| out.size == 0)
265	45	goto error;
266
267	619	done = false;
268	619	if (!yaml_parser_initialize(&parser))
269	0	goto error;
270
271	619	yaml_parser_set_input_string(&parser, out.buf, out.size);
272
273	104k	while (!done) {
274	103k	if (!yaml_parser_parse(&parser, &event))
275	2	break;
276
277	103k	done = (event.type == YAML_STREAM_END_EVENT);
278	103k	if (events_equal(events + count, &event)) {
279	41	yaml_event_delete(&event);
280	41	break;
281	41	}
282
283	103k	yaml_event_delete(&event);
284	103k	count++;
285	103k	}
286
287	3.74k	delete_parser:
288
289	3.74k	yaml_parser_delete(&parser);
290
291	3.79k	error:
292
293	3.79k	yaml_emitter_delete(&emitter);
294
295	263k	for (int k = 0; k < event_number; k++) {
296	259k	yaml_event_delete(events + k);
297	259k	}
298
299	3.79k	free(out.buf);
300
301	3.79k	return 0;
302	3.74k	}