fuzz: Add fuzzer for XML reader API

GNOME · Apr 22, 2024 · b62ccf7 · b62ccf7
1 parent 087a346
commit b62ccf7
Show file tree

Hide file tree

Showing 6 changed files with 599 additions and 1 deletion.
diff --git a/fuzz/.gitignore b/fuzz/.gitignore
@@ -2,6 +2,7 @@ api
 corpus/
 genSeed
 html
+reader
 regexp
 schema
 seed/

diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
@@ -1,5 +1,6 @@
 AUTOMAKE_OPTIONS = -Wno-syntax
-EXTRA_PROGRAMS = api genSeed html regexp schema uri valid xinclude xml xpath
+EXTRA_PROGRAMS = genSeed \
+		 api html reader regexp schema uri valid xinclude xml xpath
 check_PROGRAMS = testFuzzer
 EXTRA_DIST = html.dict regexp.dict schema.dict xml.dict xpath.dict \
 	     static_seed/uri static_seed/regexp fuzz.h
@@ -115,6 +116,26 @@ fuzz-html: html$(EXEEXT) seed/html.stamp
 	    $$XML_FUZZ_OPTIONS \
 	    corpus/html seed/html
 
+# Reader fuzzer
+
+seed/reader.stamp: genSeed$(EXEEXT)
+	@mkdir -p seed/reader
+	./genSeed$(EXEEXT) reader \
+	    $(XML_SEED_CORPUS_SRC) \
+	    '$(top_srcdir)/test/XInclude/docs/*'
+	@touch seed/reader.stamp
+
+reader_SOURCES = reader.c fuzz.c
+reader_LDFLAGS = $(AM_LDFLAGS) -fsanitize=fuzzer
+
+fuzz-reader: reader$(EXEEXT) seed/reader.stamp
+	@mkdir -p corpus/reader
+	./reader$(EXEEXT) \
+	    -dict=xml.dict \
+	    -max_len=$(XML_MAX_LEN) \
+	    $$XML_FUZZ_OPTIONS \
+	    corpus/reader seed/reader
+
 # API fuzzer
 
 api_SOURCES = api.c fuzz.c

diff --git a/fuzz/fuzz.h b/fuzz/fuzz.h
@@ -18,6 +18,9 @@ extern "C" {
 #if defined(LIBXML_HTML_ENABLED)
   #define HAVE_HTML_FUZZER
 #endif
+#if defined(LIBXML_READER_ENABLED)
+  #define HAVE_READER_FUZZER
+#endif
 #if defined(LIBXML_REGEXP_ENABLED)
   #define HAVE_REGEXP_FUZZER
 #endif

diff --git a/fuzz/genSeed.c b/fuzz/genSeed.c
@@ -27,6 +27,8 @@
 #define SEED_BUF_SIZE 16384
 #define EXPR_SIZE 4500
 
+#define FLAG_READER (1 << 0)
+
 typedef int
 (*fileFunc)(const char *base, FILE *out);
 
@@ -41,6 +43,7 @@ static struct {
     const char *fuzzer;
     int counter;
     char cwd[PATH_SIZE];
+    int flags;
 } globalData;
 
 #if defined(HAVE_SCHEMA_FUZZER) || \
@@ -117,6 +120,11 @@ processXml(const char *docFile, FILE *out) {
     /* Max allocations. */
     xmlFuzzWriteInt(out, 0, 4);
 
+    if (globalData.flags & FLAG_READER) {
+        /* Initial reader program with a couple of OP_READs */
+        xmlFuzzWriteString(out, "\x01\x01\x01\x01\x01\x01\x01\x01");
+    }
+
     fuzzRecorderInit(out);
 
     doc = xmlReadFile(docFile, NULL, opts);
@@ -415,6 +423,12 @@ main(int argc, const char **argv) {
 #ifdef HAVE_HTML_FUZZER
         processArg = processPattern;
         globalData.processFile = processHtml;
+#endif
+    } else if (strcmp(fuzzer, "reader") == 0) {
+#ifdef HAVE_READER_FUZZER
+        processArg = processPattern;
+        globalData.flags |= FLAG_READER;
+        globalData.processFile = processXml;
 #endif
     } else if (strcmp(fuzzer, "schema") == 0) {
 #ifdef HAVE_SCHEMA_FUZZER
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,7 @@ api @@
     corpus/
     genSeed
     html
+    reader
     regexp
     schema
     seed/
@@ Expand Down @@