/src/wget2/fuzz/libwget_iri_fuzzer.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright (c) 2017-2026 Free Software Foundation, Inc. |
3 | | * |
4 | | * This file is part of libwget. |
5 | | * |
6 | | * Libwget is free software: you can redistribute it and/or modify |
7 | | * it under the terms of the GNU Lesser General Public License as published by |
8 | | * the Free Software Foundation, either version 3 of the License, or |
9 | | * (at your option) any later version. |
10 | | * |
11 | | * Libwget is distributed in the hope that it will be useful, |
12 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
14 | | * GNU Lesser General Public License for more details. |
15 | | * |
16 | | * You should have received a copy of the GNU Lesser General Public License |
17 | | * along with libwget. If not, see <https://www.gnu.org/licenses/>. |
18 | | */ |
19 | | |
20 | | #include <config.h> |
21 | | |
22 | | #include <assert.h> |
23 | | #include <stdio.h> |
24 | | #include <stdint.h> |
25 | | #include <stdlib.h> |
26 | | #include <string.h> |
27 | | |
28 | | #include "wget.h" |
29 | | #include "fuzzer.h" |
30 | | |
/*
 * Run the libwget IRI API over one fuzz input using the given character encoding.
 *
 * in       - fuzz input; the caller appends a terminating 0 byte
 * len      - number of input bytes, not counting the terminator
 * encoding - character encoding name handed to the parsing and getter functions
 *
 * The input is raw fuzzer data and may contain 0 bytes, so the string-based
 * calls can see a shorter string than 'len' bytes. Only
 * wget_iri_relative_to_abs() is given the explicit length.
 */
static void test(char *in, size_t len, const char *encoding)
{
	// Fixed, well-formed base IRI used for resolving the fuzz input.
	wget_iri *base = wget_iri_parse("http://x.org", encoding);
	assert(base != NULL);

	// 'parsed' may be NULL. It is only checked further down, so clone and
	// compare are exercised with a NULL argument as well.
	wget_iri *parsed = wget_iri_parse(in, encoding);

	wget_iri *scratch = wget_iri_clone(parsed);
	wget_iri_free(&scratch);

	scratch = wget_iri_parse_base(NULL, in, encoding);
	wget_iri_free(&scratch);

	scratch = wget_iri_parse_base(base, in, encoding);
	int cmp = wget_iri_compare(parsed, scratch);
	wget_iri_free(&scratch);

	wget_buffer out;
	wget_buffer_init(&out, NULL, 32);
	// Consume cmp so the call to wget_iri_compare() is not optimized away.
	wget_buffer_printf(&out, "%d", cmp);

	wget_iri_relative_to_abs(base, in, len, &out);
	wget_iri_escape(in, &out);
	wget_iri_escape_path(in, &out);
	wget_iri_escape_query(in, &out);

	// The remaining calls are made only with a successfully parsed IRI.
	if (!parsed)
		goto cleanup;

	if (wget_iri_supported(parsed)) {
		wget_iri_set_scheme(parsed, WGET_IRI_SCHEME_HTTPS);
		// clone after set_scheme may trigger a buffer overflow
		// (presumably kept as a regression check - confirm against history)
		scratch = wget_iri_clone(parsed);
		wget_iri_free(&scratch);
	}

	wget_iri_get_escaped_host(parsed, &out);
	wget_iri_get_escaped_resource(parsed, &out);
	wget_iri_get_path(parsed, &out, encoding);
	wget_iri_get_query_as_filename(parsed, &out, encoding);
	wget_iri_get_basename(parsed, &out, encoding, WGET_IRI_WITH_QUERY);
	wget_iri_get_connection_part(parsed, &out);

cleanup:
	wget_buffer_deinit(&out);
	wget_iri_free(&parsed);
	wget_iri_free(&base);
}
74 | | |
/*
 * libFuzzer entry point: copy the raw input into a 0-terminated buffer and run
 * the IRI harness over it once per encoding.
 *
 * data - raw fuzz input (not terminated, may contain 0 bytes)
 * size - number of bytes in 'data'
 *
 * Always returns 0. Inputs longer than the size limit are skipped.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	enum { MAX_INPUT_LEN = 10000 }; // same as max_len = 10000 in .options file

	if (size > MAX_INPUT_LEN)
		return 0;

	// One extra byte for the terminator the string-based API calls need.
	char *in = malloc(size + 1);
	// NOTE(review): with NDEBUG defined this assert compiles away and a failed
	// malloc would reach memcpy() as NULL; the harness appears to rely on
	// asserts being enabled in fuzzing builds.
	assert(in != NULL);

	// 0 terminate
	memcpy(in, data, size);
	in[size] = '\0';

	// the expression avoids removal of calls to pure functions
	if (wget_iri_isreserved('='))
		wget_iri_set_defaultpage("index.html");

	// Same input, once per encoding, in this order.
	static const char *const encodings[] = { "iso-8859-1", "utf-8" };
	for (size_t i = 0; i < sizeof encodings / sizeof encodings[0]; i++)
		test(in, size, encodings[i]);

	free(in);

	return 0;
}