Rooba
/
oss-fuzz
mirror of https://github.com/google/oss-fuzz.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[libxml2] Use FuzzedDataProvider isntead of byte_stream. (#2809)

This commit is contained in:
Max Moroz 2019-09-06 09:56:42 -07:00 committed by GitHub
parent 227ee9f107
commit 16125ac2bc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

142
projects/libxml2/byte_stream.h
View File

@ -1,142 +0,0 @@
// Copyright 2018 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef BYTE_STREAM_H_
#define BYTE_STREAM_H_
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <string>
// Wrapper for fuzzer input strings that helps consume and interpret the data
// as a sequence of values, such as strings and PODs.
class ByteStream {
public:
// Does not take ownership of data.
ByteStream(const uint8_t* data, size_t size)
: data_(data), size_(size), position_(0) {}
ByteStream(const ByteStream&) = delete;
ByteStream& operator=(const ByteStream&) = delete;
// Returns a pointer to the chunk of data of |size| bytes, where |size| is
// either a requested value or all the bytes that are available. If the
// requested |size| is 0, return all the bytes that are available.
const uint8_t* GetNextChunk(size_t* size);
// Returns a string. Strings are obtained from the byte stream by reading a
// size_t N followed by N char elements. If there are fewer than N bytes left
// in the stream, this returns as many bytes as are available.
std::string GetNextString();
// The following GetNext{integer type} functions all return the next
// sizeof(integer type) bytes in the stream or 0 if there is insufficient
// capacity.
size_t GetNextSizeT() { return ConsumeCopyOrDefault<size_t>(0); }
int GetNextInt() { return ConsumeCopyOrDefault<int>(0); }
uint8_t GetNextUint8() { return ConsumeCopyOrDefault<uint8_t>(0); }
int64_t GetNextInt64() { return ConsumeCopyOrDefault<int64_t>(0); }
// Returns an integer in the range [0,n) for n > 0 and consumes up to
// sizeof(int) bytes. For n<=0, returns 0 and consumes 0 bytes.
int GetNextInt(int n);
private:
// The remaining capacity of the ByteStream.
size_t capacity() const { return size_ - position_; }
// Returns data_ + position_ and then advances position_ by requested bytes.
//
// This is the canonical way for the class to request regions of memory
// or to advance the position by requested bytes. This operation is unchecked
// for maintaining that position_ <= size_. Requesting 0 bytes always
// succeeds.
const uint8_t* UncheckedConsume(size_t requested) {
const uint8_t* region = data_ + position_;
position_ += requested;
return region;
}
// Directly initialize T by copying sizeof(T) bytes into results if there is
// sufficient capacity in the stream. If there is not sufficient capacity
// result is unmodified.
template <class T>
void ConsumeBytesByCopy(T* result) {
constexpr size_t type_size = sizeof(T);
if (type_size <= capacity()) {
const uint8_t* region = UncheckedConsume(type_size);
memcpy(static_cast<void*>(result), region, type_size);
} else {
// Consume the remainder of data_.
UncheckedConsume(capacity());
}
}
// A helper function for using ConsumeBytesByCopy and returning a default
// value `t` if there is insufficient capacity to read a full `T`. T should
// probably be a primitive type.
template <class T>
T ConsumeCopyOrDefault(T t) {
ConsumeBytesByCopy(&t);
return t;
}
const uint8_t* data_;
const size_t size_;
size_t position_;
};
inline const uint8_t* ByteStream::GetNextChunk(size_t* size) {
if (*size)
*size = std::min(*size, capacity());
else
*size = capacity();
return UncheckedConsume(*size);
}
inline std::string ByteStream::GetNextString() {
const size_t requested_size = GetNextSizeT();
const size_t consumed_size = std::min(requested_size, capacity());
const uint8_t* selection = UncheckedConsume(consumed_size);
return std::string(reinterpret_cast<const char*>(selection), consumed_size);
}
inline int ByteStream::GetNextInt(int n) {
if (n <= 0) {
return 0;
}
// We grab as few bytes as possible as n will often be fixed.
int selection = 0;
if (n <= std::numeric_limits<uint8_t>::max()) {
selection = static_cast<int>(GetNextUint8());
} else if (n <= std::numeric_limits<uint16_t>::max()) {
selection = ConsumeCopyOrDefault<uint16_t>(0);
} else {
selection = GetNextInt();
}
// Take the absolute value of selection w/o undefined behavior.
// If selection is INT_MIN, return 0.
if (selection == std::numeric_limits<int>::min()) {
selection = 0;
} else if (selection < 0) {
selection = -selection;
}
return selection % n;
}
#endif // BYTE_STREAM_H_

17
projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc
View File

@ -12,11 +12,12 @@
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
#include <fuzzer/FuzzedDataProvider.h>
#include <cstddef> #include <cstddef>
#include <cstdint> #include <cstdint>
#include <string> #include <string>
#include "byte_stream.h"
#include "fuzzer_temp_file.h" #include "fuzzer_temp_file.h"
#include "libxml/xmlreader.h" #include "libxml/xmlreader.h"
@ -28,14 +29,14 @@ void ignore (void* ctx, const char* msg, ...) {
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
xmlSetGenericErrorFunc(NULL, &ignore); xmlSetGenericErrorFunc(NULL, &ignore);
ByteStream stream(data, size); FuzzedDataProvider provider(data, size);
const int options = stream.GetNextInt(); const int options = provider.ConsumeIntegral<int>();
const std::string encoding = stream.GetNextString();
size_t file_contents_size = 0;
const uint8_t* file_contents = stream.GetNextChunk(&file_contents_size);
// Intentionally pass raw data as the API does not require trailing \0. // libxml does not expect more than 100 characters, let's go beyond that.
FuzzerTemporaryFile file(file_contents, file_contents_size); const std::string encoding = provider.ConsumeRandomLengthString(128);
auto file_contents = provider.ConsumeRemainingBytes<uint8_t>();
FuzzerTemporaryFile file(file_contents.data(), file_contents.size());
xmlTextReaderPtr xmlReader = xmlTextReaderPtr xmlReader =
xmlReaderForFile(file.filename(), encoding.c_str(), options); xmlReaderForFile(file.filename(), encoding.c_str(), options);