• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * uri.c: a libFuzzer target to test the URI module.
3  *
4  * See Copyright for the status of this software.
5  */
6 
7 #include <libxml/uri.h>
8 #include "fuzz.h"
9 
10 int
LLVMFuzzerInitialize(int * argc ATTRIBUTE_UNUSED,char *** argv ATTRIBUTE_UNUSED)11 LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
12                      char ***argv ATTRIBUTE_UNUSED) {
13     xmlFuzzMemSetup();
14 
15     return 0;
16 }
17 
18 int
LLVMFuzzerTestOneInput(const char * data,size_t size)19 LLVMFuzzerTestOneInput(const char *data, size_t size) {
20     xmlURIPtr uri;
21     size_t failurePos;
22     const char *str1, *str2;
23     char *copy;
24     xmlChar *strRes;
25     int intRes;
26 
27     if (size > 10000)
28         return(0);
29 
30     xmlFuzzDataInit(data, size);
31     failurePos = xmlFuzzReadInt(4) % (size * 8 + 100);
32     str1 = xmlFuzzReadString(NULL);
33     str2 = xmlFuzzReadString(NULL);
34 
35     xmlFuzzInjectFailure(failurePos);
36 
37     xmlFuzzResetFailure();
38     intRes = xmlParseURISafe(str1, &uri);
39     xmlFuzzCheckFailureReport("xmlParseURISafe", intRes == -1, 0);
40 
41     if (uri != NULL) {
42         xmlFuzzResetFailure();
43         strRes = xmlSaveUri(uri);
44         xmlFuzzCheckFailureReport("xmlSaveURI", strRes == NULL, 0);
45         xmlFree(strRes);
46         xmlFreeURI(uri);
47     }
48 
49     xmlFreeURI(xmlParseURI(str1));
50 
51     uri = xmlParseURIRaw(str1, 1);
52     xmlFree(xmlSaveUri(uri));
53     xmlFreeURI(uri);
54 
55     xmlFuzzResetFailure();
56     strRes = BAD_CAST xmlURIUnescapeString(str1, -1, NULL);
57     xmlFuzzCheckFailureReport("xmlURIUnescapeString",
58                               str1 != NULL && strRes == NULL, 0);
59     xmlFree(strRes);
60 
61     xmlFree(xmlURIEscape(BAD_CAST str1));
62 
63     xmlFuzzResetFailure();
64     strRes = xmlCanonicPath(BAD_CAST str1);
65     xmlFuzzCheckFailureReport("xmlCanonicPath",
66                               str1 != NULL && strRes == NULL, 0);
67     xmlFree(strRes);
68 
69     xmlFuzzResetFailure();
70     strRes = xmlPathToURI(BAD_CAST str1);
71     xmlFuzzCheckFailureReport("xmlPathToURI",
72                               str1 != NULL && strRes == NULL, 0);
73     xmlFree(strRes);
74 
75     xmlFuzzResetFailure();
76     intRes = xmlBuildURISafe(BAD_CAST str2, BAD_CAST str1, &strRes);
77     xmlFuzzCheckFailureReport("xmlBuildURISafe", intRes == -1, 0);
78     xmlFree(strRes);
79 
80     xmlFree(xmlBuildURI(BAD_CAST str2, BAD_CAST str1));
81 
82     xmlFuzzResetFailure();
83     intRes = xmlBuildRelativeURISafe(BAD_CAST str2, BAD_CAST str1, &strRes);
84     xmlFuzzCheckFailureReport("xmlBuildRelativeURISafe", intRes == -1, 0);
85     xmlFree(strRes);
86 
87     xmlFree(xmlBuildRelativeURI(BAD_CAST str2, BAD_CAST str1));
88 
89     xmlFuzzResetFailure();
90     strRes = xmlURIEscapeStr(BAD_CAST str1, BAD_CAST str2);
91     xmlFuzzCheckFailureReport("xmlURIEscapeStr",
92                               str1 != NULL && strRes == NULL, 0);
93     xmlFree(strRes);
94 
95     copy = (char *) xmlCharStrdup(str1);
96     xmlNormalizeURIPath(copy);
97     xmlFree(copy);
98 
99     xmlFuzzInjectFailure(0);
100     xmlFuzzDataCleanup();
101 
102     return 0;
103 }
104 
105