diff --git a/projects/libxml2/byte_stream.h b/projects/libxml2/byte_stream.h
index 6a4257891..da72d5573 100644
--- a/projects/libxml2/byte_stream.h
+++ b/projects/libxml2/byte_stream.h
@@ -32,6 +32,11 @@ class ByteStream {
   ByteStream(const ByteStream&) = delete;
   ByteStream& operator=(const ByteStream&) = delete;
 
+  // Returns a pointer to the chunk of data of |size| bytes, where |size| is
+  // either a requested value or all the bytes that are available. If the
+  // requested |size| is 0, return all the bytes that are available.
+  const uint8_t* GetNextChunk(size_t* size);
+
   // Returns a string. Strings are obtained from the byte stream by reading a
   // size_t N followed by N char elements. If there are fewer than N bytes left
   // in the stream, this returns as many bytes as are available.
@@ -94,6 +99,15 @@ class ByteStream {
   size_t position_;
 };
 
+inline const uint8_t* ByteStream::GetNextChunk(size_t* size) {
+  if (*size)
+    *size = std::min(*size, capacity());
+  else
+    *size = capacity();
+
+  return UncheckedConsume(*size);
+}
+
 inline std::string ByteStream::GetNextString() {
   const size_t requested_size = GetNextSizeT();
   const size_t consumed_size = std::min(requested_size, capacity());
diff --git a/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc b/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
index db2707b91..6f1d54982 100644
--- a/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
+++ b/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
@@ -31,7 +31,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   const int options[] = {0, random_option_value};
 
   for (const auto option_value : options) {
-    if (auto doc = xmlReadMemory(data_string.c_str(), data_string.length(),
+    // Intentionally pass raw data as the API does not require trailing \0.
+    if (auto doc = xmlReadMemory(reinterpret_cast(data), size,
                                  "noname.xml", NULL, option_value)) {
       auto buf = xmlBufferCreate();
       assert(buf);
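Review bot: The comment on the new GetNextChunk declaration does not say that |size| is an in/out parameter, nor what the caller may do with the returned pointer; as written a reader could assume |size| is only an input and that the pointer may be kept. The enclosing class body starts before this hunk. I would add to the comment: `// |size| is in/out: on entry the requested byte count (0 = everything left), on return the number of bytes actually available at the returned pointer, which may be 0. The returned pointer is not owned by the caller and must not be used once the stream's underlying buffer goes away.` The aliasing of the constructor's buffer is inferred from the pointer return type and is worth confirming against UncheckedConsume, which is outside this hunk.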
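Review bot: The if/else in GetNextChunk both assign to *size and differ only in whether std::min is applied, so a single conditional expression states the rule more directly: `*size = *size ? std::min(*size, capacity()) : capacity();` followed by the unchanged `return UncheckedConsume(*size);`. The body also dereferences size unconditionally; since the signature takes a pointer rather than a reference, an `assert(size);` on entry turns a caller bug into a clean abort instead of a null dereference that would surface as a spurious crash during fuzzing. It is also worth a one-line comment that when capacity() is 0 the call returns a zero-length chunk, so every caller has to tolerate *size == 0 on return.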
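Review bot: The new call site reads data and size directly, so data_string, which only the removed line used within this hunk, is no longer needed here; if it is still constructed above the hunk (LLVMFuzzerTestOneInput starts before it) that is a full copy of the input kept alive for no reason and should be removed or reduced to whatever random_option_value is derived from. xmlReadMemory takes its length as int, so size is narrowed implicitly, as data_string.length() was before; a `static_cast<int>(size)` with a preceding size check would make that visible rather than silent. The template argument of the reinterpret_cast appears to have been lost in rendering, so I have not commented on the cast itself.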
diff --git a/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc b/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc
index 4f4cf6c35..ab296d834 100644
--- a/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc
+++ b/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc
@@ -31,10 +31,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   ByteStream stream(data, size);
   const int options = stream.GetNextInt();
   const std::string encoding = stream.GetNextString();
-  const std::string file_contents = stream.GetNextString();
-  FuzzerTemporaryFile file(
-      reinterpret_cast(file_contents.c_str()),
-      file_contents.size());
+  size_t file_contents_size = 0;
+  const uint8_t* file_contents = stream.GetNextChunk(&file_contents_size);
+
+  // Intentionally pass raw data as the API does not require trailing \0.
+  FuzzerTemporaryFile file(file_contents, file_contents_size);
   xmlTextReaderPtr xmlReader = xmlReaderForFile(file.filename(), encoding.c_str(), options);
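Review bot: The added comment above FuzzerTemporaryFile talks about a trailing \0 that "the API does not require", but the object it annotates is given an explicit length and, by its name, writes the bytes to a file that xmlReaderForFile then reads, so a terminator was never relevant at this site and the comment misleads. I would replace it with `// The rest of the input becomes the file body; it is written by length, so no terminator is needed.` Because file_contents_size is passed as 0, GetNextChunk hands back whatever is left, which is zero bytes when the encoding string already consumed the input; FuzzerTemporaryFile is not visible here, so please confirm it accepts a zero-length body rather than treating it as an error. file_contents aliases data and is only valid for the duration of this call, which is fine as long as the temporary file is written in the constructor.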