1 /*
2  * xpath.c: a libFuzzer target to test XPath and XPointer expressions.
3  *
4  * See Copyright for the status of this software.
5  */
6 
7 #include <libxml/parser.h>
8 #include <libxml/xpointer.h>
9 #include "fuzz.h"
10 
/*
 * libFuzzer start-up hook, called before any test input is delivered.
 *
 * Initializes the libxml2 parser and installs xmlFuzzErrorFunc as the
 * generic error handler. Neither argument is used.
 *
 * NOTE(review): xmlFuzzErrorFunc is declared in fuzz.h; presumably it
 * discards diagnostics so malformed inputs do not flood stderr - confirm.
 *
 * Always returns 0.
 */
int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED)
{
    /* Set up the library before the error handler is replaced. */
    xmlInitParser();
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);

    return(0);
}
19 
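/*
 * libFuzzer entry point: evaluates one fuzzer-supplied XPointer expression
 * against one fuzzer-supplied XML document.
 *
 * data/size: raw fuzzer input. It is handed to xmlFuzzDataInit() and then
 *            read back as two strings: the expression first, the document
 *            second.
 *
 * Inputs larger than 10000 bytes are skipped. Always returns 0; problems
 * are expected to surface as crashes or sanitizer reports, not as a
 * return code.
 */
int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlDocPtr doc;
    const char *expr, *xml;
    size_t exprSize, xmlSize;

    /* Reject oversized inputs before any per-input state is set up. */
    if (size > 10000)
        return(0);

    xmlFuzzDataInit(data, size);

    /* exprSize is only an out-parameter here; expr is used as a C string. */
    expr = xmlFuzzReadString(&exprSize);
    xml = xmlFuzzReadString(&xmlSize);

    /*
     * Recovery mode allows more input to be fuzzed.
     * NOTE(review): xmlSize is presumably bounded by the 10000-byte cap
     * above, so passing it as the length argument cannot overflow - confirm
     * against xmlFuzzReadString() in fuzz.c.
     */
    doc = xmlReadMemory(xml, xmlSize, NULL, NULL, XML_PARSE_RECOVER);
    if (doc != NULL) {
        xmlXPathContextPtr xpctxt = xmlXPathNewContext(doc);

        /*
         * xmlXPathNewContext() returns NULL when allocation fails. Without
         * this check the opLimit store below dereferences NULL, and the
         * fuzzer reports a crash in the harness itself rather than in the
         * library under test.
         */
        if (xpctxt != NULL) {
            /* Operation limit to avoid timeout */
            xpctxt->opLimit = 500000;

            /* The result is only evaluated and released, never inspected. */
            xmlXPathFreeObject(xmlXPtrEval(BAD_CAST expr, xpctxt));
            xmlXPathFreeContext(xpctxt);
        }
    }
    /* Called unconditionally; doc may be NULL if parsing failed. */
    xmlFreeDoc(doc);

    /* Drop per-input state so one run cannot influence the next. */
    xmlFuzzDataCleanup();
    xmlResetLastError();

    return(0);
}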