1 /*
2  * xpath.c: a libFuzzer target to test XPath and XPointer expressions.
3  *
4  * See Copyright for the status of this software.
5  */
6 
7 #include <libxml/catalog.h>
8 #include <libxml/parser.h>
9 #include <libxml/xpointer.h>
10 #include "fuzz.h"
11 
/*
 * LLVMFuzzerInitialize:
 * @argc:  unused
 * @argv:  unused
 *
 * One-time setup run by libFuzzer before the first input is processed.
 * The fuzz allocator hooks are installed before the parser is initialised
 * so that every allocation libxml2 makes is accounted for; catalog lookups
 * are disabled so no input can trigger access to external resources; and
 * the generic error handler is pointed at the fuzz harness.
 *
 * Returns 0 (libFuzzer ignores the value).
 */
int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    /* Allocator hooks must precede xmlInitParser(). */
    xmlFuzzMemSetup();
    xmlInitParser();

#ifdef LIBXML_CATALOG_ENABLED
    /* Initialise catalogs, then refuse every catalog resolution. */
    xmlInitializeCatalog();
    xmlCatalogSetDefaults(XML_CATA_ALLOW_NONE);
#endif

    /* Route libxml2 diagnostics through the harness instead of stderr. */
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);

    return 0;
}
25 
/*
 * LLVMFuzzerTestOneInput:
 * @data:  raw fuzz input
 * @size:  number of bytes in @data
 *
 * Splits one fuzz input into an allocation budget, an XPointer expression
 * and an XML document, parses the document in recovery mode and evaluates
 * the expression against it.  The evaluation runs under an allocation
 * limit and an XPath operation limit so that a single input cannot exhaust
 * memory or time.  Reported malloc failures are cross-checked against the
 * harness's failure tracking.
 *
 * Returns 0 (libFuzzer ignores the value).
 */
int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    const char *expr, *xml;
    size_t maxAlloc, exprSize, xmlSize;
    xmlDocPtr doc = NULL;
    xmlXPathContextPtr xpctxt = NULL;

    /* Cap the per-input work before touching the data at all. */
    if (size > 10000)
        return(0);

    xmlFuzzDataInit(data, size);

    /*
     * The allocation budget is taken from the input itself and kept below
     * size + 100, so small inputs get small budgets.
     */
    maxAlloc = xmlFuzzReadInt(4) % (size + 100);
    expr = xmlFuzzReadString(&exprSize);
    xml = xmlFuzzReadString(&xmlSize);

    /*
     * Recovery mode allows more input to be fuzzed.
     * NOTE(review): the harness's behaviour when the input is exhausted
     * (what xmlFuzzReadString hands back) is not visible here; the parser
     * is relied on to return NULL for unusable input — confirm in fuzz.c.
     */
    doc = xmlReadMemory(xml, xmlSize, NULL, NULL, XML_PARSE_RECOVER);
    if (doc == NULL)
        goto done;

    /* Only the XPath phase runs under the fuzz-controlled allocation limit. */
    xmlFuzzMemSetLimit(maxAlloc);

    xpctxt = xmlXPathNewContext(doc);
    if (xpctxt == NULL)
        goto unlimit;

    /* Operation limit to avoid timeout */
    xpctxt->opLimit = 500000;

    {
        int rc = xmlXPathContextSetCache(xpctxt, 1, 4, 0);

        xmlFuzzCheckMallocFailure("xmlXPathContextSetCache", rc == -1);
    }

    /* Start the evaluation with a clean malloc-failure record. */
    xmlFuzzResetMallocFailed();
    xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, xpctxt));
    xmlFuzzCheckMallocFailure("xmlXPtrEval",
                              xpctxt->lastError.code == XML_ERR_NO_MEMORY);
    xmlXPathFreeContext(xpctxt);

unlimit:
    /* Lift the limit before freeing so cleanup itself cannot fail. */
    xmlFuzzMemSetLimit(0);
    xmlFreeDoc(doc);

done:
    xmlFuzzDataCleanup();
    xmlResetLastError();

    return(0);
}
75 
76