From 48d2ca723ad0317d65a61ad6c7eb97c75555f91b Mon Sep 17 00:00:00 2001
From: CRlNKLECORE
Date: Tue, 17 Jun 2025 10:56:57 -0400
Subject: [PATCH] tinyxml2 fuzzer update Improved coverage
---
 projects/tinyxml2/fuzzer.cpp | 80 +++++++++++++++++++
 .../{xmltest.options => fuzzer.options} | 0
 projects/tinyxml2/xmltest.cpp | 28 -------
 projects/tinyxml2/xmltest2.cpp | 38 ---------
 projects/tinyxml2/xmltest2.options | 2 -
 5 files changed, 80 insertions(+), 68 deletions(-)
 create mode 100644 projects/tinyxml2/fuzzer.cpp
 rename projects/tinyxml2/{xmltest.options => fuzzer.options} (100%)
 delete mode 100644 projects/tinyxml2/xmltest.cpp
 delete mode 100644 projects/tinyxml2/xmltest2.cpp
 delete mode 100644 projects/tinyxml2/xmltest2.options
diff --git a/projects/tinyxml2/fuzzer.cpp b/projects/tinyxml2/fuzzer.cpp
new file mode 100644
index 000000000000..230f26257afa
--- /dev/null
+++ b/projects/tinyxml2/fuzzer.cpp
@@ -0,0 +1,80 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include "tinyxml2/tinyxml2.h"
+
+using namespace tinyxml2;
+
+void fuzz_parse_xml(const uint8_t* data, size_t size) {
+ std::string xml(reinterpret_cast(data), size);
+ XMLDocument doc;
+ doc.Parse(xml.c_str(), size);
+
+ XMLElement* root = doc.RootElement();
+ if (root) {
+ root->Name();
+ root->GetText();
+ root->GetDocument();
+
+ for (const XMLAttribute* attr = root->FirstAttribute(); attr; attr = attr->Next()) {
+ attr->Name();
+ attr->Value();
+ }
+
+ for (XMLElement* child = root->FirstChildElement(); child; child = child->NextSiblingElement()) {
+ child->Name();
+ }
+ }
+
+ doc.Print();
+ doc.Clear();
+}
+
+void fuzz_create_dom(const uint8_t* data, size_t size) {
+ std::string text(reinterpret_cast(data), size);
+
+ XMLDocument doc;
+ XMLElement* root = doc.NewElement("root");
+ doc.InsertFirstChild(root);
+
+ XMLElement* child = doc.NewElement("child");
+ child->SetAttribute("id", 123); // May invoke unsafe behavior
+ child->SetText(text.c_str()); // Direct pass without checking
+ root->InsertEndChild(child);
+
+ doc.SaveFile("/dev/null");
+ doc.Clear();
+}
+
+void fuzz_api_surface(const uint8_t* data, size_t size) {
+ XMLDocument doc;
+ XMLNode* decl = doc.NewDeclaration();
+ doc.InsertFirstChild(decl);
+
+ XMLUnknown* unknown = doc.NewUnknown("");
+ doc.InsertEndChild(unknown);
+
+ XMLText* textNode = doc.NewText("FuzzTest");
+ doc.InsertEndChild(textNode);
+
+ doc.ErrorID();
+ doc.ErrorStr();
+}
+
+void fuzz_error_classification() {
+ for (int i = 0; i < 100; ++i) {
+ const char* name = XMLDocument::ErrorIDToName(static_cast(i));
+ std::string s(name); // no null check
+ }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ fuzz_parse_xml(data, size);
+ fuzz_create_dom(data, size);
+ fuzz_api_surface(data, size);
+ fuzz_error_classification();
+ return 0;
+}
\ No newline at end of file
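Review bot: `fuzz_error_classification` casts every integer in 0..99 to `XMLError` and hands it to `XMLDocument::ErrorIDToName`, which, if I recall tinyxml2 correctly, asserts the id is below `XML_ERROR_COUNT` and then indexes a fixed name table; the values past the last enumerator are therefore a harness bug, an assertion abort or an out-of-bounds read that fires on the very first input regardless of the fuzz data and stops the fuzzer before the parser is exercised. Bound the loop by the enum instead, `for (int i = 0; i < XML_ERROR_COUNT; ++i) {`, and make the null handling the comment mentions explicit, `if (const char* name = XMLDocument::ErrorIDToName(static_cast<XMLError>(i))) std::string s(name);`, since constructing `std::string` from a null pointer is undefined behavior in the harness itself. That function and `fuzz_api_surface` also never read `data` or `size`, so they repeat identical work on every iteration (and `fuzz_api_surface` draws unused-parameter warnings) without widening coverage; running them once or dropping them is cheaper. `doc.Print()` in `fuzz_parse_xml` writes each parsed document to stdout, which floods the fuzzer log and slows every iteration; `XMLPrinter printer; doc.Print(&printer);` exercises the same printer code into an in-memory buffer instead.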
diff --git a/projects/tinyxml2/xmltest.options b/projects/tinyxml2/fuzzer.options
similarity index 100%
rename from projects/tinyxml2/xmltest.options
rename to projects/tinyxml2/fuzzer.options
diff --git a/projects/tinyxml2/xmltest.cpp b/projects/tinyxml2/xmltest.cpp
deleted file mode 100644
index e1604ab1fcf7..000000000000
--- a/projects/tinyxml2/xmltest.cpp
+++ /dev/null
@@ -1,28 +0,0 @@
-/* Copyright 2024 Google LLC
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include "tinyxml2/tinyxml2.h"
-
-#include
-#include
-
-using namespace tinyxml2;
-using namespace std;
-
-// Entry point for LibFuzzer.
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- std::string data_string(reinterpret_cast(data), size);
- XMLDocument doc;
- doc.Parse( data_string.c_str() );
-
- return 0;
-}
diff --git a/projects/tinyxml2/xmltest2.cpp b/projects/tinyxml2/xmltest2.cpp
deleted file mode 100644
index 4f88d53cd0a6..000000000000
--- a/projects/tinyxml2/xmltest2.cpp
+++ /dev/null
@@ -1,38 +0,0 @@
-/* Copyright 2024 Google LLC
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include "tinyxml2/tinyxml2.h"
-
-#include
-#include
-#include
-#include
-
-#include
-
-using namespace tinyxml2;
-using namespace std;
-
-// Entry point for LibFuzzer.
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- char pathname[256];
- sprintf(pathname, "/tmp/libfuzzer.%d", getpid());
- FILE *fp = fopen(pathname, "wb");
- fwrite(data, size, 1, fp);
- fclose(fp);
-
- XMLDocument doc;
- doc.LoadFile(pathname);
-
- unlink(pathname);
- return 0;
-}
diff --git a/projects/tinyxml2/xmltest2.options b/projects/tinyxml2/xmltest2.options
deleted file mode 100644
index 6335e163b279..000000000000
--- a/projects/tinyxml2/xmltest2.options
+++ /dev/null
@@ -1,2 +0,0 @@
-[libfuzzer]
-dict = xml.dict