libxml2/fuzz/regexp.c

/*
 * regexp.c: a libFuzzer target to test the regexp module.
 *
 * See Copyright for the status of this software.
 */

#include <stdio.h>
#include <stdlib.h>
#include <libxml/xmlregexp.h>
#include "fuzz.h"

int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    xmlFuzzMemSetup();

    return 0;
}

int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlRegexpPtr regexp;
    size_t failurePos;
    const char *str1;

    if (size > 200)
        return(0);

    xmlFuzzDataInit(data, size);
    failurePos = xmlFuzzReadInt(4) % (size * 8 + 100);
    str1 = xmlFuzzReadString(NULL);

    xmlFuzzInjectFailure(failurePos);
    regexp = xmlRegexpCompile(BAD_CAST str1);
    if (xmlFuzzMallocFailed() && regexp != NULL) {
        fprintf(stderr, "malloc failure not reported\n");
        abort();
    }
    /* xmlRegexpExec has pathological performance in too many cases. */
#if 0
    xmlRegexpExec(regexp, BAD_CAST str2);
#endif
    xmlRegFreeRegexp(regexp);

    xmlFuzzInjectFailure(0);
    xmlFuzzDataCleanup();
    xmlResetLastError();

    return 0;
}

size_t
LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,
                        unsigned seed) {
    static const xmlFuzzChunkDesc chunks[] = {
        { 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */
        { 0, 0 }
    };

    return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,
                               LLVMFuzzerMutate);
}
Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c. 2020-06-05 12:49:25 +02:00			`/*`
			`* regexp.c: a libFuzzer target to test the regexp module.`
			`*`
			`* See Copyright for the status of this software.`
			`*/`

malloc-fail: Report malloc failure in xmlRegEpxFromParse Also check whether malloc failures are reported when fuzzing. 2023-09-22 17:03:56 +02:00			`#include <stdio.h>`
			`#include <stdlib.h>`
Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c. 2020-06-05 12:49:25 +02:00			`#include <libxml/xmlregexp.h>`
			`#include "fuzz.h"`

			`int`
			`LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,`
			`char ***argv ATTRIBUTE_UNUSED) {`
fuzz: Inject random malloc failures Fixes #344. 2023-03-08 13:59:03 +01:00			`xmlFuzzMemSetup();`
Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c. 2020-06-05 12:49:25 +02:00
			`return 0;`
			`}`

			`int`
			`LLVMFuzzerTestOneInput(const char *data, size_t size) {`
			`xmlRegexpPtr regexp;`
fuzz: Inject IO failures We use the same counter for injecting malloc and IO failures. This mostly renames several functions and variables. 2024-11-25 19:41:33 +01:00			`size_t failurePos;`
fuzz: Inject random malloc failures Fixes #344. 2023-03-08 13:59:03 +01:00			`const char *str1;`
Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c. 2020-06-05 12:49:25 +02:00
Enforce maximum length of fuzz input Remove the libfuzzer max_len option which doesn't apply to other fuzzing engines. Enforce the maximum length directly in the fuzz targets. For the xml target, lower the maximum when expanding entities to avoid timeout and OOM errors. 2020-12-16 15:41:52 +01:00			`if (size > 200)`
			`return(0);`

fuzz: Inject random malloc failures Fixes #344. 2023-03-08 13:59:03 +01:00			`xmlFuzzDataInit(data, size);`
fuzz: Inject IO failures We use the same counter for injecting malloc and IO failures. This mostly renames several functions and variables. 2024-11-25 19:41:33 +01:00			`failurePos = xmlFuzzReadInt(4) % (size * 8 + 100);`
fuzz: Inject random malloc failures Fixes #344. 2023-03-08 13:59:03 +01:00			`str1 = xmlFuzzReadString(NULL);`
Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c. 2020-06-05 12:49:25 +02:00
fuzz: Inject IO failures We use the same counter for injecting malloc and IO failures. This mostly renames several functions and variables. 2024-11-25 19:41:33 +01:00			`xmlFuzzInjectFailure(failurePos);`
regexp: Fix status codes and handle invalid UTF-8 Fixes #561. 2023-09-22 15:25:40 +02:00			`regexp = xmlRegexpCompile(BAD_CAST str1);`
malloc-fail: Report malloc failure in xmlRegEpxFromParse Also check whether malloc failures are reported when fuzzing. 2023-09-22 17:03:56 +02:00			`if (xmlFuzzMallocFailed() && regexp != NULL) {`
			`fprintf(stderr, "malloc failure not reported\n");`
			`abort();`
			`}`
regexp: Fix status codes and handle invalid UTF-8 Fixes #561. 2023-09-22 15:25:40 +02:00			`/* xmlRegexpExec has pathological performance in too many cases. */`
Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c. 2020-06-05 12:49:25 +02:00			`#if 0`
regexp: Fix status codes and handle invalid UTF-8 Fixes #561. 2023-09-22 15:25:40 +02:00			`xmlRegexpExec(regexp, BAD_CAST str2);`
Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c. 2020-06-05 12:49:25 +02:00			`#endif`
regexp: Fix status codes and handle invalid UTF-8 Fixes #561. 2023-09-22 15:25:40 +02:00			`xmlRegFreeRegexp(regexp);`
Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c. 2020-06-05 12:49:25 +02:00
fuzz: Inject IO failures We use the same counter for injecting malloc and IO failures. This mostly renames several functions and variables. 2024-11-25 19:41:33 +01:00			`xmlFuzzInjectFailure(0);`
fuzz: Inject random malloc failures Fixes #344. 2023-03-08 13:59:03 +01:00			`xmlFuzzDataCleanup();`
Improve fuzzer stability - Add more calls to xmlInitializeCatalog. - Call xmlResetLastError after fuzzing each input. 2021-02-22 21:28:21 +01:00			`xmlResetLastError();`
Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c. 2020-06-05 12:49:25 +02:00
			`return 0;`
			`}`

fuzz: Mutate fuzz data chunks separately Implement a custom mutator that takes a list of fixed-size chunks which are mutated with a given probability. This makes sure that values like parser options or failure position are mutated regularly even as the fuzz data grows large. Values can also be adjusted temporarily to make the fuzzer focus on failure injection, for example. Thanks to David Kilzer for the idea. 2024-12-11 16:24:23 +01:00			`size_t`
			`LLVMFuzzerCustomMutator(char *data, size_t size, size_t maxSize,`
			`unsigned seed) {`
			`static const xmlFuzzChunkDesc chunks[] = {`
			`{ 4, XML_FUZZ_PROB_ONE / 10 }, /* failurePos */`
			`{ 0, 0 }`
			`};`

			`return xmlFuzzMutateChunks(chunks, data, size, maxSize, seed,`
			`LLVMFuzzerMutate);`
			`}`