author | Nick Wellnhofer <wellnhofer@aevum.de> | 2020-06-05 16:36:17 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-06-05 07:36:17 -0700 |
commit | c4eefbf432e6674271c4fe7afa0915cd3b5c8501 (patch) | |
tree | 6bb9b1b676ece5b9562c92f0a366187649259cf5 /projects/libxml2 | |
parent | c12687bad00231e7f5a6a1de6ca4564c9d1900b2 (diff) | |
download | oss-fuzz-c4eefbf432e6674271c4fe7afa0915cd3b5c8501.tar.gz |
[libxml2] Initial integration (#3934)
* [libxml2] Initial integration
Fuzz targets are now maintained in the libxml2 repo.
* [libxml2] Install i386 versions of dependencies
* [libxml2] dpkg --add-architecture i386
* [libxml2] Link dependencies statically
Diffstat (limited to 'projects/libxml2')
-rw-r--r-- | projects/libxml2/Dockerfile | 10 | ||||
-rwxr-xr-x | projects/libxml2/build.sh | 34 | ||||
-rw-r--r-- | projects/libxml2/fuzzer_temp_file.h | 81 | ||||
-rw-r--r-- | projects/libxml2/libxml2_xml_read_memory_fuzzer.cc | 48 | ||||
-rw-r--r-- | projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc | 52 | ||||
-rw-r--r-- | projects/libxml2/project.yaml | 3 | ||||
-rw-r--r-- | projects/libxml2/xml.dict | 87 |
7 files changed, 28 insertions, 287 deletions
diff --git a/projects/libxml2/Dockerfile b/projects/libxml2/Dockerfile
index fc821c806..949ff5ada 100644
--- a/projects/libxml2/Dockerfile
+++ b/projects/libxml2/Dockerfile
@@ -15,11 +15,13 @@
 ################################################################################
 FROM gcr.io/oss-fuzz-base/base-builder
-MAINTAINER ochang@chromium.org
-RUN apt-get update && apt-get install -y make autoconf automake libtool pkg-config
+MAINTAINER wellnhofer@aevum.de
+RUN dpkg --add-architecture i386 && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends \
+ make autoconf automake libtool pkg-config \
+ zlib1g-dev zlib1g-dev:i386 liblzma-dev liblzma-dev:i386
 RUN git clone --depth 1 https://gitlab.gnome.org/GNOME/libxml2.git
 WORKDIR libxml2
-
 COPY build.sh $SRC/
-COPY *.cc *.h *.options *.dict $SRC/
diff --git a/projects/libxml2/build.sh b/projects/libxml2/build.sh
index 418792b1e..a3e6e8ce9 100755
--- a/projects/libxml2/build.sh
+++ b/projects/libxml2/build.sh
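Review bot: `MAINTAINER wellnhofer@aevum.de` keeps a Dockerfile instruction that Docker has deprecated in favour of a label; the equivalent line is `LABEL maintainer="wellnhofer@aevum.de"`. The new `RUN` also installs the `:i386` variants of zlib and lzma on every build, which is only needed because project.yaml lists i386 among the architectures; a comment such as `# :i386 packages serve the i386 build listed in project.yaml` above the `RUN` would save the next reader the lookup.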
@@ -16,19 +16,29 @@
 #
 ################################################################################
-./autogen.sh
-./configure --with-http=no
-make -j$(nproc) clean
-make -j$(nproc) all
+if [ "$SANITIZER" = undefined ]; then
+ export CFLAGS="$CFLAGS -fsanitize=unsigned-integer-overflow -fno-sanitize-recover=unsigned-integer-overflow"
+ export CXXFLAGS="$CXXFLAGS -fsanitize=unsigned-integer-overflow -fno-sanitize-recover=unsigned-integer-overflow"
+fi
-seed_corpus_temp_file="$OUT/xml_seed_corpus.zip"
-zip -r $seed_corpus_temp_file $SRC/libxml2/test
+./autogen.sh \
+ --disable-shared \
+ --without-ftp \
+ --without-http \
+ --without-legacy \
+ --without-python
+make -j$(nproc) V=1
+make -C fuzz V=1 seed/xml.stamp fuzz.o xml.o
-for fuzzer in libxml2_xml_read_memory_fuzzer libxml2_xml_reader_for_file_fuzzer; do
- $CXX $CXXFLAGS -std=c++11 -Iinclude/ \
- $SRC/$fuzzer.cc -o $OUT/$fuzzer \
- $LIB_FUZZING_ENGINE .libs/libxml2.a
+for fuzzer in xml; do
+ # Link with $CXX
+ $CXX $CXXFLAGS \
+ fuzz/$fuzzer.o fuzz/fuzz.o \
+ -o $OUT/$fuzzer \
+ $LIB_FUZZING_ENGINE \
+ .libs/libxml2.a -Wl,-Bstatic -lz -llzma -Wl,-Bdynamic
- cp $SRC/*.dict $OUT/$fuzzer.dict
- cp $seed_corpus_temp_file $OUT/${fuzzer}_seed_corpus.zip
+ zip -j $OUT/${fuzzer}_seed_corpus.zip fuzz/seed/$fuzzer/*
 done
+
+cp fuzz/*.dict $OUT/
diff --git a/projects/libxml2/fuzzer_temp_file.h b/projects/libxml2/fuzzer_temp_file.h
deleted file mode 100644
index fe25cabae..000000000
--- a/projects/libxml2/fuzzer_temp_file.h
+++ /dev/null
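Review bot: The two `export` lines inside the `[ "$SANITIZER" = undefined ]` branch need a comment, because unsigned wraparound is well-defined C and a reader may take `-fsanitize=unsigned-integer-overflow` for a mistake rather than a deliberately stricter policy; with `-fno-sanitize-recover=unsigned-integer-overflow` every wraparound becomes a fatal fuzzer finding rather than a logged one. A line above the `if` such as `# Unsigned wraparound is legal C, but it is checked and made fatal here so that wraparound shows up as a fuzzer finding instead of being silently tolerated.` states the intent. The single-element `for fuzzer in xml; do` loop reads as preparation for more targets; if so, a short comment saying that would explain the loop.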
@@ -1,81 +0,0 @@
-// Copyright 2018 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Adapter utility from fuzzer input to a temporary file, for fuzzing APIs that
-// require a file instead of an input buffer.
-
-#ifndef FUZZER_TEMP_FILE_H_
-#define FUZZER_TEMP_FILE_H_
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-// Pure-C interface for creating and cleaning up temporary files.
-
-static char* fuzzer_get_tmpfile(const uint8_t* data, size_t size) {
- char* filename_buffer = strdup("/tmp/generate_temporary_file.XXXXXX");
- if (!filename_buffer) {
- perror("Failed to allocate file name buffer.");
- abort();
- }
- const int file_descriptor = mkstemp(filename_buffer);
- if (file_descriptor < 0) {
- perror("Failed to make temporary file.");
- abort();
- }
- FILE* file = fdopen(file_descriptor, "wb");
- if (!file) {
- perror("Failed to open file descriptor.");
- close(file_descriptor);
- abort();
- }
- const size_t bytes_written = fwrite(data, sizeof(uint8_t), size, file);
- if (bytes_written < size) {
- close(file_descriptor);
- fprintf(stderr, "Failed to write all bytes to file (%zu out of %zu)",
- bytes_written, size);
- abort();
- }
- fclose(file);
- return filename_buffer;
-}
-
-static void fuzzer_release_tmpfile(char* filename) {
- if (unlink(filename) != 0) {
- perror("WARNING: Failed to delete temporary file.");
- }
- free(filename);
-}
-
-// C++ RAII object for creating temporary files.
-
-#ifdef __cplusplus
-class FuzzerTemporaryFile {
- public:
- FuzzerTemporaryFile(const uint8_t* data, size_t size)
- : filename_(fuzzer_get_tmpfile(data, size)) {}
-
- ~FuzzerTemporaryFile() { fuzzer_release_tmpfile(filename_); }
-
- const char* filename() const { return filename_; }
-
- private:
- char* filename_;
-};
-#endif
-
-#endif // FUZZER_TEMP_FILE_H_
diff --git a/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc b/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
deleted file mode 100644
index 6f1d54982..000000000
--- a/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
+++ /dev/null
@@ -1,48 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <cassert>
-#include <cstddef>
-#include <cstdint>
-
-#include <functional>
-#include <limits>
-#include <string>
-
-#include "libxml/parser.h"
-#include "libxml/xmlsave.h"
-
-void ignore (void* ctx, const char* msg, ...) {
- // Error handler to avoid spam of error messages from libxml parser.
-}
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- xmlSetGenericErrorFunc(NULL, &ignore);
-
- // Test default empty options value and some random combination.
- std::string data_string(reinterpret_cast<const char*>(data), size);
- const std::size_t data_hash = std::hash<std::string>()(data_string);
- const int max_option_value = std::numeric_limits<int>::max();
- int random_option_value = data_hash % max_option_value;
-
- // Disable XML_PARSE_HUGE to avoid stack overflow.
- random_option_value &= ~XML_PARSE_HUGE;
- const int options[] = {0, random_option_value};
-
- for (const auto option_value : options) {
- // Intentionally pass raw data as the API does not require trailing \0.
- if (auto doc = xmlReadMemory(reinterpret_cast<const char*>(data), size,
- "noname.xml", NULL, option_value)) {
- auto buf = xmlBufferCreate();
- assert(buf);
- auto ctxt = xmlSaveToBuffer(buf, NULL, 0);
- xmlSaveDoc(ctxt, doc);
- xmlSaveClose(ctxt);
- xmlFreeDoc(doc);
- xmlBufferFree(buf);
- }
- }
-
- return 0;
-}
diff --git a/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc b/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc
deleted file mode 100644
index 4a71aa5a9..000000000
--- a/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc
+++ /dev/null
@@ -1,52 +0,0 @@
-// Copyright 2018 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include <fuzzer/FuzzedDataProvider.h>
-
-#include <cstddef>
-#include <cstdint>
-#include <string>
-
-#include "fuzzer_temp_file.h"
-
-#include "libxml/xmlreader.h"
-
-void ignore (void* ctx, const char* msg, ...) {
- // Error handler to avoid spam of error messages from libxml parser.
-}
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- xmlSetGenericErrorFunc(NULL, &ignore);
-
- FuzzedDataProvider provider(data, size);
- const int options = provider.ConsumeIntegral<int>();
-
- // libxml does not expect more than 100 characters, let's go beyond that.
- const std::string encoding = provider.ConsumeRandomLengthString(128);
- auto file_contents = provider.ConsumeRemainingBytes<uint8_t>();
-
- FuzzerTemporaryFile file(file_contents.data(), file_contents.size());
-
- xmlTextReaderPtr xmlReader =
- xmlReaderForFile(file.filename(), encoding.c_str(), options);
-
- constexpr int kReadSuccessful = 1;
- while (xmlTextReaderRead(xmlReader) == kReadSuccessful) {
- xmlTextReaderNodeType(xmlReader);
- xmlTextReaderConstValue(xmlReader);
- }
-
- xmlFreeTextReader(xmlReader);
- return EXIT_SUCCESS;
-}
diff --git a/projects/libxml2/project.yaml b/projects/libxml2/project.yaml
index 38a5adba4..6f057aaf3 100644
--- a/projects/libxml2/project.yaml
+++ b/projects/libxml2/project.yaml
@@ -9,9 +9,6 @@ sanitizers:
 - address
 - memory
 - undefined
-labels:
- libxml2_xml_reader_for_file_fuzzer:
- - sundew
 architectures:
 - x86_64
 - i386
diff --git a/projects/libxml2/xml.dict b/projects/libxml2/xml.dict
deleted file mode 100644
index 4ffa6c80b..000000000
--- a/projects/libxml2/xml.dict
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright 2016 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-################################################################################
-#
-# AFL dictionary for XML
-# ----------------------
-#
-# Several basic syntax elements and attributes, modeled on libxml2.
-#
-# Created by Michal Zalewski <lcamtuf@google.com>
-#
-
-attr_encoding=" encoding=\"1\""
-attr_generic=" a=\"1\""
-attr_href=" href=\"1\""
-attr_standalone=" standalone=\"no\""
-attr_version=" version=\"1\""
-attr_xml_base=" xml:base=\"1\""
-attr_xml_id=" xml:id=\"1\""
-attr_xml_lang=" xml:lang=\"1\""
-attr_xml_space=" xml:space=\"1\""
-attr_xmlns=" xmlns=\"1\""
-
-entity_builtin="<"
-entity_decimal=""
-entity_external="&a;"
-entity_hex=""
-
-string_any="ANY"
-string_brackets="[]"
-string_cdata="CDATA"
-string_col_fallback=":fallback"
-string_col_generic=":a"
-string_col_include=":include"
-string_dashes="--"
-string_empty="EMPTY"
-string_empty_dblquotes="\"\""
-string_empty_quotes="''"
-string_entities="ENTITIES"
-string_entity="ENTITY"
-string_fixed="#FIXED"
-string_id="ID"
-string_idref="IDREF"
-string_idrefs="IDREFS"
-string_implied="#IMPLIED"
-string_nmtoken="NMTOKEN"
-string_nmtokens="NMTOKENS"
-string_notation="NOTATION"
-string_parentheses="()"
-string_pcdata="#PCDATA"
-string_percent="%a"
-string_public="PUBLIC"
-string_required="#REQUIRED"
-string_schema=":schema"
-string_system="SYSTEM"
-string_ucs4="UCS-4"
-string_utf16="UTF-16"
-string_utf8="UTF-8"
-string_xmlns="xmlns:"
-
-tag_attlist="<!ATTLIST"
-tag_cdata="<![CDATA["
-tag_close="</a>"
-tag_doctype="<!DOCTYPE"
-tag_element="<!ELEMENT"
-tag_entity="<!ENTITY"
-tag_ignore="<![IGNORE["
-tag_include="<![INCLUDE["
-tag_notation="<!NOTATION"
-tag_open="<a>"
-tag_open_close="<a />"
-tag_open_exclamation="<!"
-tag_open_q="<?"
-tag_sq2_close="]]>"
-tag_xml_q="<?xml?>"