| 1 | /*
|
|---|
| 2 | * html.c: a libFuzzer target to test several HTML parser interfaces.
|
|---|
| 3 | *
|
|---|
| 4 | * See Copyright for the status of this software.
|
|---|
| 5 | */
|
|---|
| 6 |
|
|---|
| 7 | #include <libxml/HTMLparser.h>
|
|---|
| 8 | #include <libxml/HTMLtree.h>
|
|---|
| 9 | #include <libxml/catalog.h>
|
|---|
| 10 | #include "fuzz.h"
|
|---|
| 11 |
|
|---|
| 12 | int
|
|---|
| 13 | LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
|
|---|
| 14 | char ***argv ATTRIBUTE_UNUSED) {
|
|---|
| 15 | xmlFuzzMemSetup();
|
|---|
| 16 | xmlInitParser();
|
|---|
| 17 | #ifdef LIBXML_CATALOG_ENABLED
|
|---|
| 18 | xmlInitializeCatalog();
|
|---|
| 19 | #endif
|
|---|
| 20 | xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);
|
|---|
| 21 |
|
|---|
| 22 | return 0;
|
|---|
| 23 | }
|
|---|
| 24 |
|
|---|
| 25 | int
|
|---|
| 26 | LLVMFuzzerTestOneInput(const char *data, size_t size) {
|
|---|
| 27 | htmlDocPtr doc;
|
|---|
| 28 | const char *docBuffer;
|
|---|
| 29 | size_t maxAlloc, docSize;
|
|---|
| 30 | int opts;
|
|---|
| 31 |
|
|---|
| 32 | xmlFuzzDataInit(data, size);
|
|---|
| 33 | opts = (int) xmlFuzzReadInt(4);
|
|---|
| 34 | maxAlloc = xmlFuzzReadInt(4) % (size + 1);
|
|---|
| 35 |
|
|---|
| 36 | docBuffer = xmlFuzzReadRemaining(&docSize);
|
|---|
| 37 | if (docBuffer == NULL) {
|
|---|
| 38 | xmlFuzzDataCleanup();
|
|---|
| 39 | return(0);
|
|---|
| 40 | }
|
|---|
| 41 |
|
|---|
| 42 | /* Pull parser */
|
|---|
| 43 |
|
|---|
| 44 | xmlFuzzMemSetLimit(maxAlloc);
|
|---|
| 45 | doc = htmlReadMemory(docBuffer, docSize, NULL, NULL, opts);
|
|---|
| 46 |
|
|---|
| 47 | #ifdef LIBXML_OUTPUT_ENABLED
|
|---|
| 48 | {
|
|---|
| 49 | xmlOutputBufferPtr out;
|
|---|
| 50 |
|
|---|
| 51 | /*
|
|---|
| 52 | * Also test the serializer. Call htmlDocContentDumpOutput with our
|
|---|
| 53 | * own buffer to avoid encoding the output. The HTML encoding is
|
|---|
| 54 | * excruciatingly slow (see htmlEntityValueLookup).
|
|---|
| 55 | */
|
|---|
| 56 | out = xmlAllocOutputBuffer(NULL);
|
|---|
| 57 | htmlDocContentDumpOutput(out, doc, NULL);
|
|---|
| 58 | xmlOutputBufferClose(out);
|
|---|
| 59 | }
|
|---|
| 60 | #endif
|
|---|
| 61 |
|
|---|
| 62 | xmlFreeDoc(doc);
|
|---|
| 63 |
|
|---|
| 64 | /* Push parser */
|
|---|
| 65 |
|
|---|
| 66 | #ifdef LIBXML_PUSH_ENABLED
|
|---|
| 67 | {
|
|---|
| 68 | static const size_t maxChunkSize = 128;
|
|---|
| 69 | xmlParserCtxtPtr ctxt;
|
|---|
| 70 | size_t consumed, chunkSize;
|
|---|
| 71 |
|
|---|
| 72 | xmlFuzzMemSetLimit(maxAlloc);
|
|---|
| 73 | ctxt = htmlCreatePushParserCtxt(NULL, NULL, NULL, 0, NULL,
|
|---|
| 74 | XML_CHAR_ENCODING_NONE);
|
|---|
| 75 |
|
|---|
| 76 | if (ctxt != NULL) {
|
|---|
| 77 | htmlCtxtUseOptions(ctxt, opts);
|
|---|
| 78 |
|
|---|
| 79 | for (consumed = 0; consumed < docSize; consumed += chunkSize) {
|
|---|
| 80 | chunkSize = docSize - consumed;
|
|---|
| 81 | if (chunkSize > maxChunkSize)
|
|---|
| 82 | chunkSize = maxChunkSize;
|
|---|
| 83 | htmlParseChunk(ctxt, docBuffer + consumed, chunkSize, 0);
|
|---|
| 84 | }
|
|---|
| 85 |
|
|---|
| 86 | htmlParseChunk(ctxt, NULL, 0, 1);
|
|---|
| 87 | xmlFreeDoc(ctxt->myDoc);
|
|---|
| 88 | htmlFreeParserCtxt(ctxt);
|
|---|
| 89 | }
|
|---|
| 90 | }
|
|---|
| 91 | #endif
|
|---|
| 92 |
|
|---|
| 93 | /* Cleanup */
|
|---|
| 94 |
|
|---|
| 95 | xmlFuzzMemSetLimit(0);
|
|---|
| 96 | xmlFuzzDataCleanup();
|
|---|
| 97 | xmlResetLastError();
|
|---|
| 98 |
|
|---|
| 99 | return(0);
|
|---|
| 100 | }
|
|---|
| 101 |
|
|---|
