/src/libyaml_emitter_fuzzer.c

Source
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#include "yaml.h"
#include "yaml_write_handler.h"
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef NDEBUG
#undef NDEBUG
#endif

#define MAX_EVENTS 1024

bool events_equal(yaml_event_t *event1, yaml_event_t *event2) {
  
  const bool equal = true;

  if (event1->type != event2->type)
    return equal;

  switch (event1->type) {
  case YAML_STREAM_START_EVENT:
    return !equal;

  case YAML_DOCUMENT_START_EVENT:
    if ((event1->data.document_start.version_directive &&
         !event2->data.document_start.version_directive) ||
        (!event1->data.document_start.version_directive &&
         event2->data.document_start.version_directive) ||
        (event1->data.document_start.version_directive &&
         event2->data.document_start.version_directive &&
         (event1->data.document_start.version_directive->major !=
              event2->data.document_start.version_directive->major ||
          event1->data.document_start.version_directive->minor !=
              event2->data.document_start.version_directive->minor)))
      return equal;
    if ((event1->data.document_start.tag_directives.end -
         event1->data.document_start.tag_directives.start) !=
        (event2->data.document_start.tag_directives.end -
         event2->data.document_start.tag_directives.start))
      return equal;
    for (int k = 0; k < (event1->data.document_start.tag_directives.end -
                         event1->data.document_start.tag_directives.start);
         k++) {
      if ((strcmp((char *)event1->data.document_start.tag_directives.start[k]
                      .handle,
                  (char *)event2->data.document_start.tag_directives.start[k]
                      .handle) != 0) ||
          (strcmp((char *)event1->data.document_start.tag_directives.start[k]
                      .prefix,
                  (char *)event2->data.document_start.tag_directives.start[k]
                      .prefix) != 0))
        return equal;
    }
    return !equal;

  case YAML_DOCUMENT_END_EVENT:
    return !equal;

  case YAML_ALIAS_EVENT:
    return (strcmp((char *)event1->data.alias.anchor,
                   (char *)event2->data.alias.anchor) == 0);

  case YAML_SCALAR_EVENT:
    if ((event1->data.scalar.anchor && !event2->data.scalar.anchor) ||
        (!event1->data.scalar.anchor && event2->data.scalar.anchor) ||
        (event1->data.scalar.anchor && event2->data.scalar.anchor &&
         strcmp((char *)event1->data.scalar.anchor,
                (char *)event2->data.scalar.anchor) != 0))
      return equal;
    if ((event1->data.scalar.tag && !event2->data.scalar.tag &&
         strcmp((char *)event1->data.scalar.tag, "!") != 0) ||
        (!event1->data.scalar.tag && event2->data.scalar.tag &&
         strcmp((char *)event2->data.scalar.tag, "!") != 0) ||
        (event1->data.scalar.tag && event2->data.scalar.tag &&
         strcmp((char *)event1->data.scalar.tag,
                (char *)event2->data.scalar.tag) != 0))
      return equal;
    if ((event1->data.scalar.length != event2->data.scalar.length) ||
        memcmp(event1->data.scalar.value, event2->data.scalar.value,
               event1->data.scalar.length) != 0)
      return equal;
    if ((event1->data.scalar.plain_implicit !=
         event2->data.scalar.plain_implicit) ||
        (event1->data.scalar.quoted_implicit !=
         event2->data.scalar.quoted_implicit))
      return equal;
    return !equal;

  case YAML_SEQUENCE_START_EVENT:
    if ((event1->data.sequence_start.anchor &&
         !event2->data.sequence_start.anchor) ||
        (!event1->data.sequence_start.anchor &&
         event2->data.sequence_start.anchor) ||
        (event1->data.sequence_start.anchor &&
         event2->data.sequence_start.anchor &&
         strcmp((char *)event1->data.sequence_start.anchor,
                (char *)event2->data.sequence_start.anchor) != 0))
      return equal;
    if ((event1->data.sequence_start.tag && !event2->data.sequence_start.tag) ||
        (!event1->data.sequence_start.tag && event2->data.sequence_start.tag) ||
        (event1->data.sequence_start.tag && event2->data.sequence_start.tag &&
         strcmp((char *)event1->data.sequence_start.tag,
                (char *)event2->data.sequence_start.tag) != 0))
      return equal;
    if ((event1->data.sequence_start.implicit !=
         event2->data.sequence_start.implicit))
      return equal;
    return !equal;

  case YAML_MAPPING_START_EVENT:
    if ((event1->data.mapping_start.anchor &&
         !event2->data.mapping_start.anchor) ||
        (!event1->data.mapping_start.anchor &&
         event2->data.mapping_start.anchor) ||
        (event1->data.mapping_start.anchor &&
         event2->data.mapping_start.anchor &&
         strcmp((char *)event1->data.mapping_start.anchor,
                (char *)event2->data.mapping_start.anchor) != 0))
      return equal;
    if ((event1->data.mapping_start.tag && !event2->data.mapping_start.tag) ||
        (!event1->data.mapping_start.tag && event2->data.mapping_start.tag) ||
        (event1->data.mapping_start.tag && event2->data.mapping_start.tag &&
         strcmp((char *)event1->data.mapping_start.tag,
                (char *)event2->data.mapping_start.tag) != 0))
      return equal;
    if ((event1->data.mapping_start.implicit !=
         event2->data.mapping_start.implicit))
      return equal;
    return !equal;

  default:
    return !equal;
  }
}

bool copy_event(yaml_event_t *event_to, yaml_event_t *event_from) {

  switch (event_from->type) {
  case YAML_STREAM_START_EVENT:
    return yaml_stream_start_event_initialize(
        event_to, event_from->data.stream_start.encoding);

  case YAML_STREAM_END_EVENT:
    return yaml_stream_end_event_initialize(event_to);

  case YAML_DOCUMENT_START_EVENT:
    return yaml_document_start_event_initialize(
        event_to, event_from->data.document_start.version_directive,
        event_from->data.document_start.tag_directives.start,
        event_from->data.document_start.tag_directives.end,
        event_from->data.document_start.implicit);

  case YAML_DOCUMENT_END_EVENT:
    return yaml_document_end_event_initialize(
        event_to, event_from->data.document_end.implicit);

  case YAML_ALIAS_EVENT:
    return yaml_alias_event_initialize(event_to, event_from->data.alias.anchor);

  case YAML_SCALAR_EVENT:
    return yaml_scalar_event_initialize(
        event_to, event_from->data.scalar.anchor, event_from->data.scalar.tag,
        event_from->data.scalar.value, event_from->data.scalar.length,
        event_from->data.scalar.plain_implicit,
        event_from->data.scalar.quoted_implicit, event_from->data.scalar.style);

  case YAML_SEQUENCE_START_EVENT:
    return yaml_sequence_start_event_initialize(
        event_to, event_from->data.sequence_start.anchor,
        event_from->data.sequence_start.tag,
        event_from->data.sequence_start.implicit,
        event_from->data.sequence_start.style);

  case YAML_SEQUENCE_END_EVENT:
    return yaml_sequence_end_event_initialize(event_to);

  case YAML_MAPPING_START_EVENT:
    return yaml_mapping_start_event_initialize(
        event_to, event_from->data.mapping_start.anchor,
        event_from->data.mapping_start.tag,
        event_from->data.mapping_start.implicit,
        event_from->data.mapping_start.style);

  case YAML_MAPPING_END_EVENT:
    return yaml_mapping_end_event_initialize(event_to);
  }

  return false;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size < 2)
    return 0;

  yaml_parser_t parser;
  yaml_emitter_t emitter;
  yaml_event_t event;
  yaml_event_t events[MAX_EVENTS];
  size_t event_number = 0;
  bool done = false;
  int count = 0;
  bool is_canonical = data[0] & 1;
  bool is_unicode = data[1] & 1;
  data += 2;
  size -= 2;

  if (!yaml_parser_initialize(&parser))
    return 0;

  yaml_parser_set_input_string(&parser, data, size);
  if (!yaml_emitter_initialize(&emitter)) {
    yaml_parser_delete(&parser);
    return 0;
  }

  yaml_emitter_set_canonical(&emitter, is_canonical);
  yaml_emitter_set_unicode(&emitter, is_unicode);

  yaml_output_buffer_t out = {/*buf=*/NULL, /*size=*/0, /*capacity=*/1000};
  yaml_emitter_set_output(&emitter, yaml_write_handler, &out);

  while (!done) {
    if (!yaml_parser_parse(&parser, &event)) {
      goto delete_parser;
    }

    done = (event.type == YAML_STREAM_END_EVENT);
    if (event_number >= MAX_EVENTS) {
      yaml_event_delete(&event);
      goto delete_parser;
    }

    if (!copy_event(&events[event_number], &event)) {
      yaml_event_delete(&event);
      goto delete_parser;
    }
    event_number++;

    if (!yaml_emitter_emit(&emitter, &event)) {
      goto delete_parser;
    }

  }

  yaml_parser_delete(&parser);

  if (!out.buf || out.size == 0)
    goto error;

  done = false;
  if (!yaml_parser_initialize(&parser))
    goto error;

  yaml_parser_set_input_string(&parser, out.buf, out.size);

  while (!done) {
    if (!yaml_parser_parse(&parser, &event))
      break;

    done = (event.type == YAML_STREAM_END_EVENT);
    if (events_equal(events + count, &event)) {
      yaml_event_delete(&event);
      break;
    }

    yaml_event_delete(&event);
    count++;
  }

delete_parser:

  yaml_parser_delete(&parser);

error:

  yaml_emitter_delete(&emitter);

  for (int k = 0; k < event_number; k++) {
    yaml_event_delete(events + k);
  }

  free(out.buf);

  return 0;
}

Coverage Report

Created: 2026-06-15 06:35

Line	Count	Source
1		// Copyright 2020 Google LLC
2		//
3		// Licensed under the Apache License, Version 2.0 (the "License");
4		// you may not use this file except in compliance with the License.
5		// You may obtain a copy of the License at
6		//
7		// http://www.apache.org/licenses/LICENSE-2.0
8		//
9		// Unless required by applicable law or agreed to in writing, software
10		// distributed under the License is distributed on an "AS IS" BASIS,
11		// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		// See the License for the specific language governing permissions and
13		// limitations under the License.
14
15		#include "yaml.h"
16		#include "yaml_write_handler.h"
17		#include <assert.h>
18		#include <stdbool.h>
19		#include <stdint.h>
20		#include <stdio.h>
21		#include <stdlib.h>
22		#include <string.h>
23
24		#ifdef NDEBUG
25		#undef NDEBUG
26		#endif
27
28	523k	#define MAX_EVENTS 1024
29
30	287k	bool events_equal(yaml_event_t event1, yaml_event_t event2) {
31
32	287k	const bool equal = true;
33
34	287k	if (event1->type != event2->type)
35	1	return equal;
36
37	287k	switch (event1->type) {
38	1.73k	case YAML_STREAM_START_EVENT:
39	1.73k	return !equal;
40
41	12.6k	case YAML_DOCUMENT_START_EVENT:
42	12.6k	if ((event1->data.document_start.version_directive &&
43	1.14k	!event2->data.document_start.version_directive) \|\|
44	12.6k	(!event1->data.document_start.version_directive &&
45	11.4k	event2->data.document_start.version_directive) \|\|
46	12.6k	(event1->data.document_start.version_directive &&
47	1.14k	event2->data.document_start.version_directive &&
48	1.14k	(event1->data.document_start.version_directive->major !=
49	1.14k	event2->data.document_start.version_directive->major \|\|
50	1.14k	event1->data.document_start.version_directive->minor !=
51	1.14k	event2->data.document_start.version_directive->minor)))
52	0	return equal;
53	12.6k	if ((event1->data.document_start.tag_directives.end -
54	12.6k	event1->data.document_start.tag_directives.start) !=
55	12.6k	(event2->data.document_start.tag_directives.end -
56	12.6k	event2->data.document_start.tag_directives.start))
57	0	return equal;
58	15.7k	for (int k = 0; k < (event1->data.document_start.tag_directives.end -
59	15.7k	event1->data.document_start.tag_directives.start);
60	12.6k	k++) {
61	3.10k	if ((strcmp((char *)event1->data.document_start.tag_directives.start[k]
62	3.10k	.handle,
63	3.10k	(char *)event2->data.document_start.tag_directives.start[k]
64	3.10k	.handle) != 0) \|\|
65	3.10k	(strcmp((char *)event1->data.document_start.tag_directives.start[k]
66	3.10k	.prefix,
67	3.10k	(char *)event2->data.document_start.tag_directives.start[k]
68	3.10k	.prefix) != 0))
69	0	return equal;
70	3.10k	}
71	12.6k	return !equal;
72
73	12.5k	case YAML_DOCUMENT_END_EVENT:
74	12.5k	return !equal;
75
76	18	case YAML_ALIAS_EVENT:
77	18	return (strcmp((char *)event1->data.alias.anchor,
78	18	(char *)event2->data.alias.anchor) == 0);
79
80	84.0k	case YAML_SCALAR_EVENT:
81	84.0k	if ((event1->data.scalar.anchor && !event2->data.scalar.anchor) \|\|
82	84.0k	(!event1->data.scalar.anchor && event2->data.scalar.anchor) \|\|
83	84.0k	(event1->data.scalar.anchor && event2->data.scalar.anchor &&
84	1.03k	strcmp((char *)event1->data.scalar.anchor,
85	1.03k	(char *)event2->data.scalar.anchor) != 0))
86	0	return equal;
87	84.0k	if ((event1->data.scalar.tag && !event2->data.scalar.tag &&
88	214	strcmp((char *)event1->data.scalar.tag, "!") != 0) \|\|
89	84.0k	(!event1->data.scalar.tag && event2->data.scalar.tag &&
90	45.8k	strcmp((char *)event2->data.scalar.tag, "!") != 0) \|\|
91	84.0k	(event1->data.scalar.tag && event2->data.scalar.tag &&
92	2.55k	strcmp((char *)event1->data.scalar.tag,
93	2.55k	(char *)event2->data.scalar.tag) != 0))
94	19	return equal;
95	84.0k	if ((event1->data.scalar.length != event2->data.scalar.length) \|\|
96	84.0k	memcmp(event1->data.scalar.value, event2->data.scalar.value,
97	84.0k	event1->data.scalar.length) != 0)
98	5	return equal;
99	84.0k	if ((event1->data.scalar.plain_implicit !=
100	84.0k	event2->data.scalar.plain_implicit) \|\|
101	84.0k	(event1->data.scalar.quoted_implicit !=
102	84.0k	event2->data.scalar.quoted_implicit))
103	26	return equal;
104	84.0k	return !equal;
105
106	45.3k	case YAML_SEQUENCE_START_EVENT:
107	45.3k	if ((event1->data.sequence_start.anchor &&
108	249	!event2->data.sequence_start.anchor) \|\|
109	45.3k	(!event1->data.sequence_start.anchor &&
110	45.1k	event2->data.sequence_start.anchor) \|\|
111	45.3k	(event1->data.sequence_start.anchor &&
112	249	event2->data.sequence_start.anchor &&
113	249	strcmp((char *)event1->data.sequence_start.anchor,
114	249	(char *)event2->data.sequence_start.anchor) != 0))
115	0	return equal;
116	45.3k	if ((event1->data.sequence_start.tag && !event2->data.sequence_start.tag) \|\|
117	45.3k	(!event1->data.sequence_start.tag && event2->data.sequence_start.tag) \|\|
118	45.3k	(event1->data.sequence_start.tag && event2->data.sequence_start.tag &&
119	339	strcmp((char *)event1->data.sequence_start.tag,
120	339	(char *)event2->data.sequence_start.tag) != 0))
121	2	return equal;
122	45.3k	if ((event1->data.sequence_start.implicit !=
123	45.3k	event2->data.sequence_start.implicit))
124	0	return equal;
125	45.3k	return !equal;
126
127	42.2k	case YAML_MAPPING_START_EVENT:
128	42.2k	if ((event1->data.mapping_start.anchor &&
129	316	!event2->data.mapping_start.anchor) \|\|
130	42.2k	(!event1->data.mapping_start.anchor &&
131	41.8k	event2->data.mapping_start.anchor) \|\|
132	42.2k	(event1->data.mapping_start.anchor &&
133	316	event2->data.mapping_start.anchor &&
134	316	strcmp((char *)event1->data.mapping_start.anchor,
135	316	(char *)event2->data.mapping_start.anchor) != 0))
136	0	return equal;
137	42.2k	if ((event1->data.mapping_start.tag && !event2->data.mapping_start.tag) \|\|
138	42.2k	(!event1->data.mapping_start.tag && event2->data.mapping_start.tag) \|\|
139	42.2k	(event1->data.mapping_start.tag && event2->data.mapping_start.tag &&
140	475	strcmp((char *)event1->data.mapping_start.tag,
141	475	(char *)event2->data.mapping_start.tag) != 0))
142	2	return equal;
143	42.2k	if ((event1->data.mapping_start.implicit !=
144	42.2k	event2->data.mapping_start.implicit))
145	0	return equal;
146	42.2k	return !equal;
147
148	88.8k	default:
149	88.8k	return !equal;
150	287k	}
151	287k	}
152
153	523k	bool copy_event(yaml_event_t event_to, yaml_event_t event_from) {
154
155	523k	switch (event_from->type) {
156	10.3k	case YAML_STREAM_START_EVENT:
157	10.3k	return yaml_stream_start_event_initialize(
158	10.3k	event_to, event_from->data.stream_start.encoding);
159
160	1.91k	case YAML_STREAM_END_EVENT:
161	1.91k	return yaml_stream_end_event_initialize(event_to);
162
163	22.8k	case YAML_DOCUMENT_START_EVENT:
164	22.8k	return yaml_document_start_event_initialize(
165	22.8k	event_to, event_from->data.document_start.version_directive,
166	22.8k	event_from->data.document_start.tag_directives.start,
167	22.8k	event_from->data.document_start.tag_directives.end,
168	22.8k	event_from->data.document_start.implicit);
169
170	20.5k	case YAML_DOCUMENT_END_EVENT:
171	20.5k	return yaml_document_end_event_initialize(
172	20.5k	event_to, event_from->data.document_end.implicit);
173
174	857	case YAML_ALIAS_EVENT:
175	857	return yaml_alias_event_initialize(event_to, event_from->data.alias.anchor);
176
177	170k	case YAML_SCALAR_EVENT:
178	170k	return yaml_scalar_event_initialize(
179	170k	event_to, event_from->data.scalar.anchor, event_from->data.scalar.tag,
180	170k	event_from->data.scalar.value, event_from->data.scalar.length,
181	170k	event_from->data.scalar.plain_implicit,
182	170k	event_from->data.scalar.quoted_implicit, event_from->data.scalar.style);
183
184	85.5k	case YAML_SEQUENCE_START_EVENT:
185	85.5k	return yaml_sequence_start_event_initialize(
186	85.5k	event_to, event_from->data.sequence_start.anchor,
187	85.5k	event_from->data.sequence_start.tag,
188	85.5k	event_from->data.sequence_start.implicit,
189	85.5k	event_from->data.sequence_start.style);
190
191	61.7k	case YAML_SEQUENCE_END_EVENT:
192	61.7k	return yaml_sequence_end_event_initialize(event_to);
193
194	93.5k	case YAML_MAPPING_START_EVENT:
195	93.5k	return yaml_mapping_start_event_initialize(
196	93.5k	event_to, event_from->data.mapping_start.anchor,
197	93.5k	event_from->data.mapping_start.tag,
198	93.5k	event_from->data.mapping_start.implicit,
199	93.5k	event_from->data.mapping_start.style);
200
201	56.0k	case YAML_MAPPING_END_EVENT:
202	56.0k	return yaml_mapping_end_event_initialize(event_to);
203	523k	}
204
205	0	return false;
206	523k	}
207
208	10.4k	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
209	10.4k	if (size < 2)
210	1	return 0;
211
212	10.4k	yaml_parser_t parser;
213	10.4k	yaml_emitter_t emitter;
214	10.4k	yaml_event_t event;
215	10.4k	yaml_event_t events[MAX_EVENTS];
216	10.4k	size_t event_number = 0;
217	10.4k	bool done = false;
218	10.4k	int count = 0;
219	10.4k	bool is_canonical = data[0] & 1;
220	10.4k	bool is_unicode = data[1] & 1;
221	10.4k	data += 2;
222	10.4k	size -= 2;
223
224	10.4k	if (!yaml_parser_initialize(&parser))
225	0	return 0;
226
227	10.4k	yaml_parser_set_input_string(&parser, data, size);
228	10.4k	if (!yaml_emitter_initialize(&emitter)) {
229	0	yaml_parser_delete(&parser);
230	0	return 0;
231	0	}
232
233	10.4k	yaml_emitter_set_canonical(&emitter, is_canonical);
234	10.4k	yaml_emitter_set_unicode(&emitter, is_unicode);
235
236	10.4k	yaml_output_buffer_t out = {/buf=/NULL, /size=/0, /capacity=/1000};
237	10.4k	yaml_emitter_set_output(&emitter, yaml_write_handler, &out);
238
239	530k	while (!done) {
240	528k	if (!yaml_parser_parse(&parser, &event)) {
241	4.34k	goto delete_parser;
242	4.34k	}
243
244	523k	done = (event.type == YAML_STREAM_END_EVENT);
245	523k	if (event_number >= MAX_EVENTS) {
246	19	yaml_event_delete(&event);
247	19	goto delete_parser;
248	19	}
249
250	523k	if (!copy_event(&events[event_number], &event)) {
251	44	yaml_event_delete(&event);
252	44	goto delete_parser;
253	44	}
254	523k	event_number++;
255
256	523k	if (!yaml_emitter_emit(&emitter, &event)) {
257	4.19k	goto delete_parser;
258	4.19k	}
259
260	523k	}
261
262	1.88k	yaml_parser_delete(&parser);
263
264	1.88k	if (!out.buf \|\| out.size == 0)
265	153	goto error;
266
267	1.73k	done = false;
268	1.73k	if (!yaml_parser_initialize(&parser))
269	0	goto error;
270
271	1.73k	yaml_parser_set_input_string(&parser, out.buf, out.size);
272
273	289k	while (!done) {
274	287k	if (!yaml_parser_parse(&parser, &event))
275	2	break;
276
277	287k	done = (event.type == YAML_STREAM_END_EVENT);
278	287k	if (events_equal(events + count, &event)) {
279	73	yaml_event_delete(&event);
280	73	break;
281	73	}
282
283	287k	yaml_event_delete(&event);
284	287k	count++;
285	287k	}
286
287	10.3k	delete_parser:
288
289	10.3k	yaml_parser_delete(&parser);
290
291	10.4k	error:
292
293	10.4k	yaml_emitter_delete(&emitter);
294
295	534k	for (int k = 0; k < event_number; k++) {
296	523k	yaml_event_delete(events + k);
297	523k	}
298
299	10.4k	free(out.buf);
300
301	10.4k	return 0;
302	10.3k	}