[libxml2] Enforce maximum length of fuzz input
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Enforce maximum length of fuzz input
- Date: Wed, 16 Dec 2020 15:51:04 +0000 (UTC)
commit 9086988ffa8da62c25c764a146a84603629734aa
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Wed Dec 16 15:41:52 2020 +0100
Enforce maximum length of fuzz input
Remove the libfuzzer max_len option which doesn't apply to other
fuzzing engines. Enforce the maximum length directly in the fuzz
targets. For the xml target, lower the maximum when expanding entities
to avoid timeout and OOM errors.
fuzz/html.options | 1 -
fuzz/regexp.c | 3 +++
fuzz/regexp.options | 1 -
fuzz/schema.c | 3 +++
fuzz/schema.options | 1 -
fuzz/uri.c | 3 +++
fuzz/uri.options | 1 -
fuzz/xml.c | 11 ++++++++---
fuzz/xml.options | 1 -
fuzz/xpath.c | 3 +++
fuzz/xpath.options | 1 -
11 files changed, 20 insertions(+), 9 deletions(-)
---
diff --git a/fuzz/html.options b/fuzz/html.options
index a32c583e..e5d3bbee 100644
--- a/fuzz/html.options
+++ b/fuzz/html.options
@@ -1,3 +1,2 @@
[libfuzzer]
-max_len = 1000000
timeout = 20
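Review bot: The html target loses its input cap here but, unlike the other targets in this commit, gets no replacement check in code — the diffstat lists no `fuzz/html.c` change, so on engines other than libFuzzer (and on libFuzzer once this option is gone) the html fuzzer will accept inputs of any length, which reintroduces the timeout/OOM risk the old `max_len = 1000000` was guarding against. Unless the html target bounds its input somewhere not shown in this diff, it should get the same guard as the others, e.g. `if (size > 1000000) return(0);` before its first use of `data`.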
diff --git a/fuzz/regexp.c b/fuzz/regexp.c
index 3b35671b..cfffedd9 100644
--- a/fuzz/regexp.c
+++ b/fuzz/regexp.c
@@ -21,6 +21,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
char *str[2] = { NULL, NULL };
size_t numStrings;
+ if (size > 200)
+ return(0);
+
numStrings = xmlFuzzExtractStrings(data, size, str, 2);
/* CUR_SCHAR doesn't handle invalid UTF-8 and may cause infinite loops. */
diff --git a/fuzz/regexp.options b/fuzz/regexp.options
index 09b9e6f0..ea2a7a23 100644
--- a/fuzz/regexp.options
+++ b/fuzz/regexp.options
@@ -1,3 +1,2 @@
[libfuzzer]
-max_len = 200
timeout = 5
diff --git a/fuzz/schema.c b/fuzz/schema.c
index f1ee9380..7b034eca 100644
--- a/fuzz/schema.c
+++ b/fuzz/schema.c
@@ -21,6 +21,9 @@ int
LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlSchemaParserCtxtPtr pctxt;
+ if (size > 50000)
+ return(0);
+
xmlFuzzDataInit(data, size);
xmlFuzzReadEntities();
diff --git a/fuzz/schema.options b/fuzz/schema.options
index 195ec544..e5d3bbee 100644
--- a/fuzz/schema.options
+++ b/fuzz/schema.options
@@ -1,3 +1,2 @@
[libfuzzer]
-max_len = 80000
timeout = 20
diff --git a/fuzz/uri.c b/fuzz/uri.c
index 69d0439f..5e4c099c 100644
--- a/fuzz/uri.c
+++ b/fuzz/uri.c
@@ -13,6 +13,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
char *str[2] = { NULL, NULL };
size_t numStrings;
+ if (size > 10000)
+ return(0);
+
numStrings = xmlFuzzExtractStrings(data, size, str, 2);
uri = xmlParseURI(str[0]);
diff --git a/fuzz/uri.options b/fuzz/uri.options
index 8c45a722..ea2a7a23 100644
--- a/fuzz/uri.options
+++ b/fuzz/uri.options
@@ -1,3 +1,2 @@
[libfuzzer]
-max_len = 10000
timeout = 5
diff --git a/fuzz/xml.c b/fuzz/xml.c
index 09867cf7..97b40b87 100644
--- a/fuzz/xml.c
+++ b/fuzz/xml.c
@@ -29,13 +29,18 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
xmlTextReaderPtr reader;
xmlChar *out;
const char *docBuffer, *docUrl;
- size_t docSize, consumed, chunkSize;
+ size_t maxSize, docSize, consumed, chunkSize;
int opts, outSize;
xmlFuzzDataInit(data, size);
opts = xmlFuzzReadInt();
- /* XML_PARSE_HUGE still causes timeouts. */
- opts &= ~XML_PARSE_HUGE;
+
+ /* Lower maximum size when processing entities for now. */
+ maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;
+ if (size > maxSize) {
+ xmlFuzzDataCleanup();
+ return(0);
+ }
xmlFuzzReadEntities();
docBuffer = xmlFuzzMainEntity(&docSize);
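Review bot: The precedence in `maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;` is correct (`&` binds tighter than `?:`), but this is exactly the expression readers misparse, so it should be written `maxSize = (opts & XML_PARSE_NOENT) ? 50000 : 500000;`. Separately, the hunk drops the `opts &= ~XML_PARSE_HUGE;` mask along with its comment that HUGE "still causes timeouts"; the new size cap only tightens when NOENT is set, so a HUGE input without NOENT may still run the long parses that mask was avoiding — the commit message does not say this was measured, so it would help to either keep a comment stating why HUGE is now considered safe at 500000 bytes, or keep the mask until that is confirmed. The size check is correctly placed after `xmlFuzzDataInit` with a matching `xmlFuzzDataCleanup`, and before `xmlFuzzReadEntities`, so no state leaks on the early return. The enclosing `LLVMFuzzerTestOneInput` body continues past the end of the hunk.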
diff --git a/fuzz/xml.options b/fuzz/xml.options
index 195ec544..e5d3bbee 100644
--- a/fuzz/xml.options
+++ b/fuzz/xml.options
@@ -1,3 +1,2 @@
[libfuzzer]
-max_len = 80000
timeout = 20
diff --git a/fuzz/xpath.c b/fuzz/xpath.c
index 767acb98..4cb29f67 100644
--- a/fuzz/xpath.c
+++ b/fuzz/xpath.c
@@ -23,6 +23,9 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
const char *expr, *xml;
size_t exprSize, xmlSize;
+ if (size > 10000)
+ return(0);
+
xmlFuzzDataInit(data, size);
expr = xmlFuzzReadString(&exprSize);
diff --git a/fuzz/xpath.options b/fuzz/xpath.options
index 02d5e976..e5d3bbee 100644
--- a/fuzz/xpath.options
+++ b/fuzz/xpath.options
@@ -1,3 +1,2 @@
[libfuzzer]
-max_len = 10000
timeout = 20