authorNick Wellnhofer <wellnhofer@aevum.de>2020-06-05 16:36:17 +0200
committerGitHub <noreply@github.com>2020-06-05 07:36:17 -0700
commitc4eefbf432e6674271c4fe7afa0915cd3b5c8501 (patch)
tree6bb9b1b676ece5b9562c92f0a366187649259cf5 /projects/libxml2
parentc12687bad00231e7f5a6a1de6ca4564c9d1900b2 (diff)
downloadoss-fuzz-c4eefbf432e6674271c4fe7afa0915cd3b5c8501.tar.gz
[libxml2] Initial integration (#3934)
* [libxml2] Initial integration Fuzz targets are now maintained in the libxml2 repo. * [libxml2] Install i386 versions of dependencies * [libxml2] dpkg --add-architecture i386 * [libxml2] Link dependencies statically
Diffstat (limited to 'projects/libxml2')
-rw-r--r--projects/libxml2/Dockerfile10
-rwxr-xr-xprojects/libxml2/build.sh34
-rw-r--r--projects/libxml2/fuzzer_temp_file.h81
-rw-r--r--projects/libxml2/libxml2_xml_read_memory_fuzzer.cc48
-rw-r--r--projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc52
-rw-r--r--projects/libxml2/project.yaml3
-rw-r--r--projects/libxml2/xml.dict87
7 files changed, 28 insertions, 287 deletions
diff --git a/projects/libxml2/Dockerfile b/projects/libxml2/Dockerfile
index fc821c806..949ff5ada 100644
--- a/projects/libxml2/Dockerfile
+++ b/projects/libxml2/Dockerfile
@@ -15,11 +15,13 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-MAINTAINER ochang@chromium.org
-RUN apt-get update && apt-get install -y make autoconf automake libtool pkg-config
+MAINTAINER wellnhofer@aevum.de
+RUN dpkg --add-architecture i386 && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends \
+ make autoconf automake libtool pkg-config \
+ zlib1g-dev zlib1g-dev:i386 liblzma-dev liblzma-dev:i386
RUN git clone --depth 1 https://gitlab.gnome.org/GNOME/libxml2.git
WORKDIR libxml2
-
COPY build.sh $SRC/
-COPY *.cc *.h *.options *.dict $SRC/
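Review bot: `MAINTAINER wellnhofer@aevum.de` on the new line is a deprecated Dockerfile instruction; the conventional replacement is `LABEL maintainer="wellnhofer@aevum.de"`, which carries the same metadata without the deprecation warning. The rest of the change reads well: `--no-install-recommends` keeps the builder lean, and the `:i386` dev packages are what the static `-lz -llzma` link in build.sh needs for the i386 architecture listed in project.yaml. Since the fuzz targets now come from the upstream clone rather than this directory, a short comment above the `git clone` line such as `# fuzz targets and dictionaries live in libxml2/fuzz upstream` would help the next maintainer understand why the COPY of *.cc/*.dict went away.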
diff --git a/projects/libxml2/build.sh b/projects/libxml2/build.sh
index 418792b1e..a3e6e8ce9 100755
--- a/projects/libxml2/build.sh
+++ b/projects/libxml2/build.sh
@@ -16,19 +16,29 @@
#
################################################################################
-./autogen.sh
-./configure --with-http=no
-make -j$(nproc) clean
-make -j$(nproc) all
+if [ "$SANITIZER" = undefined ]; then
+ export CFLAGS="$CFLAGS -fsanitize=unsigned-integer-overflow -fno-sanitize-recover=unsigned-integer-overflow"
+ export CXXFLAGS="$CXXFLAGS -fsanitize=unsigned-integer-overflow -fno-sanitize-recover=unsigned-integer-overflow"
+fi
-seed_corpus_temp_file="$OUT/xml_seed_corpus.zip"
-zip -r $seed_corpus_temp_file $SRC/libxml2/test
+./autogen.sh \
+ --disable-shared \
+ --without-ftp \
+ --without-http \
+ --without-legacy \
+ --without-python
+make -j$(nproc) V=1
+make -C fuzz V=1 seed/xml.stamp fuzz.o xml.o
-for fuzzer in libxml2_xml_read_memory_fuzzer libxml2_xml_reader_for_file_fuzzer; do
- $CXX $CXXFLAGS -std=c++11 -Iinclude/ \
- $SRC/$fuzzer.cc -o $OUT/$fuzzer \
- $LIB_FUZZING_ENGINE .libs/libxml2.a
+for fuzzer in xml; do
+ # Link with $CXX
+ $CXX $CXXFLAGS \
+ fuzz/$fuzzer.o fuzz/fuzz.o \
+ -o $OUT/$fuzzer \
+ $LIB_FUZZING_ENGINE \
+ .libs/libxml2.a -Wl,-Bstatic -lz -llzma -Wl,-Bdynamic
- cp $SRC/*.dict $OUT/$fuzzer.dict
- cp $seed_corpus_temp_file $OUT/${fuzzer}_seed_corpus.zip
+ zip -j $OUT/${fuzzer}_seed_corpus.zip fuzz/seed/$fuzzer/*
done
+
+cp fuzz/*.dict $OUT/
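Review bot: The `-fsanitize=unsigned-integer-overflow` flags added for the undefined-sanitizer build check arithmetic that is well defined in C, and `-fno-sanitize-recover` makes every hit fatal, so any intentional wraparound in libxml2 (hash mixing is the usual case) will surface as a crash rather than a finding; presumably upstream annotates those sites with a no_sanitize attribute, but that is worth confirming before keeping the check non-recoverable. A comment above the block, `# UBSan build: also trap unsigned wraparound (defined in C); upstream marks intentional sites`, would record that intent. Separately, `zip -j $OUT/${fuzzer}_seed_corpus.zip fuzz/seed/$fuzzer/*` depends on the `seed/xml.stamp` target having produced at least one file; with an empty seed directory the unexpanded glob makes zip fail and the build with it, which may be the intended fail-fast behaviour but is not obvious from the script.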
diff --git a/projects/libxml2/fuzzer_temp_file.h b/projects/libxml2/fuzzer_temp_file.h
deleted file mode 100644
index fe25cabae..000000000
--- a/projects/libxml2/fuzzer_temp_file.h
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright 2018 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Adapter utility from fuzzer input to a temporary file, for fuzzing APIs that
-// require a file instead of an input buffer.
-
-#ifndef FUZZER_TEMP_FILE_H_
-#define FUZZER_TEMP_FILE_H_
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-// Pure-C interface for creating and cleaning up temporary files.
-
-static char* fuzzer_get_tmpfile(const uint8_t* data, size_t size) {
- char* filename_buffer = strdup("/tmp/generate_temporary_file.XXXXXX");
- if (!filename_buffer) {
- perror("Failed to allocate file name buffer.");
- abort();
- }
- const int file_descriptor = mkstemp(filename_buffer);
- if (file_descriptor < 0) {
- perror("Failed to make temporary file.");
- abort();
- }
- FILE* file = fdopen(file_descriptor, "wb");
- if (!file) {
- perror("Failed to open file descriptor.");
- close(file_descriptor);
- abort();
- }
- const size_t bytes_written = fwrite(data, sizeof(uint8_t), size, file);
- if (bytes_written < size) {
- close(file_descriptor);
- fprintf(stderr, "Failed to write all bytes to file (%zu out of %zu)",
- bytes_written, size);
- abort();
- }
- fclose(file);
- return filename_buffer;
-}
-
-static void fuzzer_release_tmpfile(char* filename) {
- if (unlink(filename) != 0) {
- perror("WARNING: Failed to delete temporary file.");
- }
- free(filename);
-}
-
-// C++ RAII object for creating temporary files.
-
-#ifdef __cplusplus
-class FuzzerTemporaryFile {
- public:
- FuzzerTemporaryFile(const uint8_t* data, size_t size)
- : filename_(fuzzer_get_tmpfile(data, size)) {}
-
- ~FuzzerTemporaryFile() { fuzzer_release_tmpfile(filename_); }
-
- const char* filename() const { return filename_; }
-
- private:
- char* filename_;
-};
-#endif
-
-#endif // FUZZER_TEMP_FILE_H_
diff --git a/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc b/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
deleted file mode 100644
index 6f1d54982..000000000
--- a/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc
+++ /dev/null
@@ -1,48 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <cassert>
-#include <cstddef>
-#include <cstdint>
-
-#include <functional>
-#include <limits>
-#include <string>
-
-#include "libxml/parser.h"
-#include "libxml/xmlsave.h"
-
-void ignore (void* ctx, const char* msg, ...) {
- // Error handler to avoid spam of error messages from libxml parser.
-}
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- xmlSetGenericErrorFunc(NULL, &ignore);
-
- // Test default empty options value and some random combination.
- std::string data_string(reinterpret_cast<const char*>(data), size);
- const std::size_t data_hash = std::hash<std::string>()(data_string);
- const int max_option_value = std::numeric_limits<int>::max();
- int random_option_value = data_hash % max_option_value;
-
- // Disable XML_PARSE_HUGE to avoid stack overflow.
- random_option_value &= ~XML_PARSE_HUGE;
- const int options[] = {0, random_option_value};
-
- for (const auto option_value : options) {
- // Intentionally pass raw data as the API does not require trailing \0.
- if (auto doc = xmlReadMemory(reinterpret_cast<const char*>(data), size,
- "noname.xml", NULL, option_value)) {
- auto buf = xmlBufferCreate();
- assert(buf);
- auto ctxt = xmlSaveToBuffer(buf, NULL, 0);
- xmlSaveDoc(ctxt, doc);
- xmlSaveClose(ctxt);
- xmlFreeDoc(doc);
- xmlBufferFree(buf);
- }
- }
-
- return 0;
-}
diff --git a/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc b/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc
deleted file mode 100644
index 4a71aa5a9..000000000
--- a/projects/libxml2/libxml2_xml_reader_for_file_fuzzer.cc
+++ /dev/null
@@ -1,52 +0,0 @@
-// Copyright 2018 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include <fuzzer/FuzzedDataProvider.h>
-
-#include <cstddef>
-#include <cstdint>
-#include <string>
-
-#include "fuzzer_temp_file.h"
-
-#include "libxml/xmlreader.h"
-
-void ignore (void* ctx, const char* msg, ...) {
- // Error handler to avoid spam of error messages from libxml parser.
-}
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
- xmlSetGenericErrorFunc(NULL, &ignore);
-
- FuzzedDataProvider provider(data, size);
- const int options = provider.ConsumeIntegral<int>();
-
- // libxml does not expect more than 100 characters, let's go beyond that.
- const std::string encoding = provider.ConsumeRandomLengthString(128);
- auto file_contents = provider.ConsumeRemainingBytes<uint8_t>();
-
- FuzzerTemporaryFile file(file_contents.data(), file_contents.size());
-
- xmlTextReaderPtr xmlReader =
- xmlReaderForFile(file.filename(), encoding.c_str(), options);
-
- constexpr int kReadSuccessful = 1;
- while (xmlTextReaderRead(xmlReader) == kReadSuccessful) {
- xmlTextReaderNodeType(xmlReader);
- xmlTextReaderConstValue(xmlReader);
- }
-
- xmlFreeTextReader(xmlReader);
- return EXIT_SUCCESS;
-}
diff --git a/projects/libxml2/project.yaml b/projects/libxml2/project.yaml
index 38a5adba4..6f057aaf3 100644
--- a/projects/libxml2/project.yaml
+++ b/projects/libxml2/project.yaml
@@ -9,9 +9,6 @@ sanitizers:
- address
- memory
- undefined
-labels:
- libxml2_xml_reader_for_file_fuzzer:
- - sundew
architectures:
- x86_64
- i386
diff --git a/projects/libxml2/xml.dict b/projects/libxml2/xml.dict
deleted file mode 100644
index 4ffa6c80b..000000000
--- a/projects/libxml2/xml.dict
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright 2016 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-################################################################################
-#
-# AFL dictionary for XML
-# ----------------------
-#
-# Several basic syntax elements and attributes, modeled on libxml2.
-#
-# Created by Michal Zalewski <lcamtuf@google.com>
-#
-
-attr_encoding=" encoding=\"1\""
-attr_generic=" a=\"1\""
-attr_href=" href=\"1\""
-attr_standalone=" standalone=\"no\""
-attr_version=" version=\"1\""
-attr_xml_base=" xml:base=\"1\""
-attr_xml_id=" xml:id=\"1\""
-attr_xml_lang=" xml:lang=\"1\""
-attr_xml_space=" xml:space=\"1\""
-attr_xmlns=" xmlns=\"1\""
-
-entity_builtin="&lt;"
-entity_decimal="&#1;"
-entity_external="&a;"
-entity_hex="&#x1;"
-
-string_any="ANY"
-string_brackets="[]"
-string_cdata="CDATA"
-string_col_fallback=":fallback"
-string_col_generic=":a"
-string_col_include=":include"
-string_dashes="--"
-string_empty="EMPTY"
-string_empty_dblquotes="\"\""
-string_empty_quotes="''"
-string_entities="ENTITIES"
-string_entity="ENTITY"
-string_fixed="#FIXED"
-string_id="ID"
-string_idref="IDREF"
-string_idrefs="IDREFS"
-string_implied="#IMPLIED"
-string_nmtoken="NMTOKEN"
-string_nmtokens="NMTOKENS"
-string_notation="NOTATION"
-string_parentheses="()"
-string_pcdata="#PCDATA"
-string_percent="%a"
-string_public="PUBLIC"
-string_required="#REQUIRED"
-string_schema=":schema"
-string_system="SYSTEM"
-string_ucs4="UCS-4"
-string_utf16="UTF-16"
-string_utf8="UTF-8"
-string_xmlns="xmlns:"
-
-tag_attlist="<!ATTLIST"
-tag_cdata="<![CDATA["
-tag_close="</a>"
-tag_doctype="<!DOCTYPE"
-tag_element="<!ELEMENT"
-tag_entity="<!ENTITY"
-tag_ignore="<![IGNORE["
-tag_include="<![INCLUDE["
-tag_notation="<!NOTATION"
-tag_open="<a>"
-tag_open_close="<a />"
-tag_open_exclamation="<!"
-tag_open_q="<?"
-tag_sq2_close="]]>"
-tag_xml_q="<?xml?>"