1 /*
2 * xpath.c: a libFuzzer target to test XPath and XPointer expressions.
3 *
4 * See Copyright for the status of this software.
5 */
6
7 #include <libxml/parser.h>
8 #include <libxml/xpointer.h>
9 #include "fuzz.h"
10
/**
 * LLVMFuzzerInitialize:
 * @argc: unused
 * @argv: unused
 *
 * One-time libFuzzer setup hook, run before any input is processed.
 * Installs the fuzz harness's memory hooks, initialises the parser and
 * redirects generic error reporting to xmlFuzzErrorFunc.
 *
 * Returns 0.
 */
int
LLVMFuzzerInitialize(int *argc ATTRIBUTE_UNUSED,
                     char ***argv ATTRIBUTE_UNUSED) {
    /* Memory hooks go in first so that parser initialisation is
     * already covered by them (order kept from the original). */
    xmlFuzzMemSetup();
    xmlInitParser();
    /* Generic errors are routed to the harness rather than to stderr. */
    xmlSetGenericErrorFunc(NULL, xmlFuzzErrorFunc);

    return(0);
}
20
/**
 * LLVMFuzzerTestOneInput:
 * @data: fuzzer-provided input bytes
 * @size: number of bytes in @data
 *
 * One fuzz iteration. The input is consumed sequentially through the
 * fuzz harness: an integer used as the allocation limit, an XPath /
 * XPointer expression, then an XML document. The document is parsed
 * in recovery mode and the expression is evaluated against it.
 *
 * Note that the allocation limit is armed only around XPath context
 * creation and evaluation, so allocation failures are injected into the
 * evaluation step and not into the document parse.
 *
 * Returns 0 on every path, as libFuzzer expects.
 */
int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
    xmlDocPtr doc;
    xmlXPathContextPtr xpctxt;
    xmlXPathObjectPtr result;
    const char *expr, *xml;
    size_t maxAlloc, exprSize, xmlSize;

    /* Oversized inputs are rejected up front; this also keeps xmlSize
     * small enough to pass to xmlReadMemory's int size parameter. */
    if (size > 10000)
        return(0);

    xmlFuzzDataInit(data, size);

    /* Limit is reduced modulo size + 1 so it is at most the input size. */
    maxAlloc = xmlFuzzReadInt(4) % (size + 1);
    expr = xmlFuzzReadString(&exprSize);
    xml = xmlFuzzReadString(&xmlSize);

    /* Recovery mode allows more input to be fuzzed. */
    doc = xmlReadMemory(xml, xmlSize, NULL, NULL, XML_PARSE_RECOVER);
    if (doc == NULL)
        goto cleanup;

    /* Allocation failures are only injected from here on. */
    xmlFuzzMemSetLimit(maxAlloc);

    xpctxt = xmlXPathNewContext(doc);
    if (xpctxt != NULL) {
        /* Operation limit to avoid timeout */
        xpctxt->opLimit = 500000;

        result = xmlXPtrEval(BAD_CAST expr, xpctxt);
        xmlXPathFreeObject(result);
        xmlXPathFreeContext(xpctxt);
    }

    xmlFuzzMemSetLimit(0);
    xmlFreeDoc(doc);

cleanup:
    xmlFuzzDataCleanup();
    xmlResetLastError();

    return(0);
}
61