/*
 * xpath.c: a libFuzzer target to test XPath and XPointer expressions.
 *
 * See Copyright for the status of this software.
 */
6
7 #include <libxml/parser.h>
8 #include <libxml/xpointer.h>
9 #include "fuzz.h"
10
/*
 * One-time libFuzzer setup hook.
 *
 * Initialises the libxml2 parser and installs xmlFuzzErrorFunc as the
 * generic error handler, with a NULL handler context. Both arguments are
 * marked unused and are never read.
 *
 * Always returns 0.
 */
int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED)
{
    /* Parser initialisation comes before the error handler is installed. */
    xmlInitParser();
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
    return 0;
}
19
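/*
 * libFuzzer entry point: evaluates a fuzzer-supplied XPath/XPointer
 * expression against a fuzzer-supplied XML document.
 *
 * data: raw fuzzer input; two strings (expression, then XML) are read
 *       from it with xmlFuzzReadString().
 * size: number of bytes in data; inputs larger than 10000 bytes are
 *       skipped without being parsed.
 *
 * Always returns 0. Problems are expected to surface as crashes or
 * sanitizer reports in the library under test, not as a return code.
 */
int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlDocPtr doc;
    const char *expr, *xml;
    /*
     * Zero-initialised so a defined length reaches xmlReadMemory() even if
     * xmlFuzzReadString() leaves the size untouched on some path.
     * NOTE(review): the helper lives in fuzz.h, not visible here - confirm.
     */
    size_t exprSize = 0, xmlSize = 0;

    /* Bound the work done per input. */
    if (size > 10000)
        return(0);

    xmlFuzzDataInit(data, size);

    expr = xmlFuzzReadString(&exprSize);
    xml = xmlFuzzReadString(&xmlSize);

    /* Recovery mode allows more input to be fuzzed. */
    doc = xmlReadMemory(xml, xmlSize, NULL, NULL, XML_PARSE_RECOVER);
    if (doc != NULL) {
        xmlXPathContextPtr xpctxt = xmlXPathNewContext(doc);

        /*
         * Context creation can fail (e.g. on allocation failure). Without
         * this check the opLimit store below would dereference NULL and
         * the harness itself would crash, producing a false finding.
         */
        if (xpctxt != NULL) {
            /* Operation limit to avoid timeout */
            xpctxt->opLimit = 500000;

            /* The result is discarded; only the evaluation is exercised. */
            xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, xpctxt));
            xmlXPathFreeContext(xpctxt);
        }
    }
    /* Called unconditionally, so also when doc is NULL. */
    xmlFreeDoc(doc);

    /* Release per-input harness state and clear the last recorded error. */
    xmlFuzzDataCleanup();
    xmlResetLastError();

    return(0);
}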
52
53