author | Max Moroz <mmoroz@chromium.org> | 2018-12-28 14:25:13 -0800 |
---|---|---|
committer | Max Moroz <mmoroz@chromium.org> | 2018-12-28 14:25:13 -0800 |
commit | 3df3b90ebb1fa86c1fe1fe2968824f5751b254b9 (patch) | |
tree | 0d0927d19a37a17edda888804953c853e7e73afb /projects/libxml2 | |
parent | 9316b4180e0ba54a0c069d6434065b0ee0179b3a (diff) | |
download | oss-fuzz-3df3b90ebb1fa86c1fe1fe2968824f5751b254b9.tar.gz |
[libxml2] Fix std::string use in the fuzz targets: avoid it when possible.
Diffstat (limited to 'projects/libxml2')
-rw-r--r-- | projects/libxml2/byte_stream.h | 14 | ||||
-rw-r--r-- | projects/libxml2/libxml2_xml_read_memory_fuzzer.cc | 3 | ||||
-rw-r--r-- | projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc | 9 |
3 files changed, 21 insertions, 5 deletions
diff --git a/projects/libxml2/byte_stream.h b/projects/libxml2/byte_stream.h
index 6a4257891..da72d5573 100644
--- a/projects/libxml2/byte_stream.h
+++ b/projects/libxml2/byte_stream.h
@@ -32,6 +32,11 @@ class ByteStream {
   ByteStream(const ByteStream&) = delete;
   ByteStream& operator=(const ByteStream&) = delete;
 
+  // Returns a pointer to the chunk of data of |size| bytes, where |size| is
+  // either a requested value or all the bytes that are available. If the
+  // requested |size| is 0, return all the bytes that are available.
+  const uint8_t* GetNextChunk(size_t* size);
+
   // Returns a string. Strings are obtained from the byte stream by reading a
   // size_t N followed by N char elements. If there are fewer than N bytes left
   // in the stream, this returns as many bytes as are available.
@@ -94,6 +99,15 @@ class ByteStream {
   size_t position_;
 };
 
+inline const uint8_t* ByteStream::GetNextChunk(size_t* size) {
+  if (*size)
+    *size = std::min(*size, capacity());
+  else
+    *size = capacity();
+
+  return UncheckedConsume(*size);
+}
+
 inline std::string ByteStream::GetNextString() {
   const size_t requested_size = GetNextSizeT();
   const size_t consumed_size = std::min(requested_size, capacity());
diff --git a/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc b/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
index db2707b91..6f1d54982 100644
--- a/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
+++ b/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
@@ -31,7 +31,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
   const int options[] = {0, random_option_value};
   for (const auto option_value : options) {
-    if (auto doc = xmlReadMemory(data_string.c_str(), data_string.length(),
+    // Intentionally pass raw data as the API does not require trailing \0.
+    if (auto doc = xmlReadMemory(reinterpret_cast<const char*>(data), size,
                                  "noname.xml", NULL, option_value)) {
       auto buf = xmlBufferCreate();
       assert(buf);
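Review bot: The new comment on the GetNextChunk declaration explains how |size| is clamped but says nothing about the returned pointer, which is the part a caller can get wrong: |size| is an in/out parameter, and the pointer is presumably a view into the buffer the stream was constructed over (the reader_for_file target builds the stream from the fuzzer's `data`), valid only for the updated `*size` bytes. I would extend the comment with `// |size| is updated to the number of bytes actually available. The returned` / `// pointer is a view into the stream's buffer, readable for |size| bytes only;` / `// on an exhausted stream |size| becomes 0 and the pointer must not be read.` The exact end-of-stream pointer comes from UncheckedConsume, which is outside this hunk, so the last clause should be checked against it.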
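Review bot: GetNextChunk dereferences `size` at `if (*size)` before doing anything else, so a null pointer from a caller is an unchecked fault; since the other getters on this class return by value, this is the only in/out pointer contract in the header and is worth pinning with `assert(size);` as the first statement, provided the header has `<cassert>` available. The zero-request sentinel also means a caller cannot ask for an empty chunk, and on an already exhausted stream `*size` ends up 0 with the result of `UncheckedConsume(0)` (defined outside the hunk) being returned, so a short comment above the `return` saying the pointer is meaningless when `*size == 0` would help. The two branches can collapse to `*size = *size ? std::min(*size, capacity()) : capacity();`, which reads as the single clamping step it is.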
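Review bot: The new xmlReadMemory call passes `size` (a `size_t`) where libxml2 takes the buffer length as `int`, so the length narrows implicitly; the removed `data_string.length()` had the same issue, but now that the raw length is passed directly this is the place to make the conversion explicit and guard it, e.g. `if (size > static_cast<size_t>(std::numeric_limits<int>::max())) return 0;` before the loop and `static_cast<int>(size)` in the call (needs `<limits>` if the file does not already include it). With libFuzzer's default -max_len this cannot trigger in practice, which is fine to say in the comment. LLVMFuzzerTestOneInput continues outside the hunk, and the `data_string` object the commit title sets out to avoid is presumably still built above the hunk for the option hash.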
diff --git a/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc b/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc index 4f4cf6c35..ab296d834 100644 --- a/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc +++ b/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc @@ -31,10 +31,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { ByteStream stream(data, size); const int options = stream.GetNextInt(); const std::string encoding = stream.GetNextString(); - const std::string file_contents = stream.GetNextString(); - FuzzerTemporaryFile file( - reinterpret_cast<const uint8_t*>(file_contents.c_str()), - file_contents.size()); + size_t file_contents_size = 0; + const uint8_t* file_contents = stream.GetNextChunk(&file_contents_size); + + // Intentionally pass raw data as the API does not require trailing \0. + FuzzerTemporaryFile file(file_contents, file_contents_size); xmlTextReaderPtr xmlReader = xmlReaderForFile(file.filename(), encoding.c_str(), options); |
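Review bot: The `0` initializer of `file_contents_size` is a sentinel meaning "consume the rest of the stream", which is only discoverable from ByteStream's declaration comment; a trailing comment on that line keeps the intent local: `size_t file_contents_size = 0;  // 0 = take all remaining bytes.` When the encoding string has already drained the stream, `file_contents_size` stays 0 and `file_contents` is whatever GetNextChunk returns at end of stream (not visible here), so FuzzerTemporaryFile is relied on to tolerate a zero-length write without reading the pointer, which is worth confirming once. LLVMFuzzerTestOneInput continues outside the hunk.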