[libxslt] Improve fuzzers



commit 845ac6bf8240ae260813eb95276b60b39865e1fa
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Mon May 20 13:08:54 2019 +0200

    Improve fuzzers
    
    - Add more test cases to XSLT seed corpus.
    - Improve some test cases in seed corpus.
    - Remove some simple test cases from XSLT corpus.
    - Call xmlStopParser in XML error handler.
    - Improve dictionaries.
    - Remove overlong items from dictionary for AFL.

 tests/fuzz/fuzz.c                            | 18 ++++++++++++++----
 tests/fuzz/seed/xpath/xslt_format_number_neg |  2 +-
 tests/fuzz/seed/xslt/attr_set                |  6 +++++-
 tests/fuzz/seed/xslt/basic                   |  3 ---
 tests/fuzz/seed/xslt/cdata                   |  4 ++++
 tests/fuzz/seed/xslt/decimal_format          | 15 +++++++++++++++
 tests/fuzz/seed/xslt/extension               |  7 +++++++
 tests/fuzz/seed/xslt/html                    |  4 ++++
 tests/fuzz/seed/xslt/identity                |  3 ---
 tests/fuzz/seed/xslt/number                  |  2 +-
 tests/fuzz/seed/xslt/output                  |  4 ++++
 tests/fuzz/seed/xslt/sort                    |  4 ++--
 tests/fuzz/seed/xslt/strip_space             |  6 ++++++
 tests/fuzz/seed/xslt/text                    |  4 ++++
 tests/fuzz/seed/xslt/value-of                |  3 ---
 tests/fuzz/seed/xslt/xhtml                   |  4 ++++
 tests/fuzz/testTargets.c                     |  4 ++--
 tests/fuzz/xpath.dict                        |  6 ++++++
 tests/fuzz/xslt.dict                         | 17 +++++++----------
 tests/fuzz/xslt.xml                          |  6 ++++--
 20 files changed, 90 insertions(+), 32 deletions(-)
---
diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
index 0ef89db5..01c653f4 100644
--- a/tests/fuzz/fuzz.c
+++ b/tests/fuzz/fuzz.c
@@ -35,8 +35,18 @@ static xsltTransformContextPtr tctxt;
 static xmlHashTablePtr saxonExtHash;
 
 static void
-xsltFuzzErrorFunc(void *ctx ATTRIBUTE_UNUSED, const char *msg ATTRIBUTE_UNUSED,
-                  ...) {
+xsltFuzzXmlErrorFunc(void *vctxt, const char *msg ATTRIBUTE_UNUSED, ...) {
+    xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) vctxt;
+    /*
+     * Stopping the parser should be slightly faster and might catch some
+     * issues related to recent libxml2 changes.
+     */
+    xmlStopParser(ctxt);
+}
+
+static void
+xsltFuzzXsltErrorFunc(void *vctxt ATTRIBUTE_UNUSED,
+                      const char *msg ATTRIBUTE_UNUSED, ...) {
 }
 
 static void
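Review bot: `xsltFuzzXmlErrorFunc` casts `vctxt` straight to `xmlParserCtxtPtr`, yet the handler is installed through `xmlSetGenericErrorFunc(NULL, ...)`, so what arrives in `vctxt` is whatever libxml2's error reporting hands to the generic channel — as far as I can tell the parser context for parser-domain errors and the NULL generic context for everything else (which `xmlStopParser` tolerates), but nothing in the hunk records that assumption. I'd state it next to the cast: `/* vctxt is the xmlParserCtxtPtr for parser-domain errors and our NULL generic context otherwise; xmlStopParser(NULL) is a no-op. */`. The comment's "might catch some issues related to recent libxml2 changes" is too vague to help a later reader; name the libxml2 behaviour being probed or drop that sentence. One trade-off also worth a line: the generic channel receives non-fatal errors and warnings as well, so stopping the parser there turns inputs libxml2 would otherwise recover from into rejected parses that the XSLT side never sees — fine if intentional, but say so.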
@@ -48,8 +58,8 @@ xsltFuzzInit(void) {
     exsltRegisterAll();
 
     /* Suppress error messages */
-    xmlSetGenericErrorFunc(NULL, xsltFuzzErrorFunc);
-    xsltSetGenericErrorFunc(NULL, xsltFuzzErrorFunc);
+    xmlSetGenericErrorFunc(NULL, xsltFuzzXmlErrorFunc);
+    xsltSetGenericErrorFunc(NULL, xsltFuzzXsltErrorFunc);
 
     /* Disallow I/O */
     sec = xsltNewSecurityPrefs();
diff --git a/tests/fuzz/seed/xpath/xslt_format_number_neg b/tests/fuzz/seed/xpath/xslt_format_number_neg
index a7be9492..360c493f 100644
--- a/tests/fuzz/seed/xpath/xslt_format_number_neg
+++ b/tests/fuzz/seed/xpath/xslt_format_number_neg
@@ -1 +1 @@
-format-number(1.0,'#.#E0;-0.0%')
+format-number(1.0,'#.#;-0.0%')
diff --git a/tests/fuzz/seed/xslt/attr_set b/tests/fuzz/seed/xslt/attr_set
index 41c17293..640c92f7 100644
--- a/tests/fuzz/seed/xslt/attr_set
+++ b/tests/fuzz/seed/xslt/attr_set
@@ -1,5 +1,9 @@
 <x:stylesheet xmlns:x="http://www.w3.org/1999/XSL/Transform"; xmlns:a="a" xmlns:b="b" version="1.0">
 <x:attribute-set name="s"><x:attribute name="a:f" namespace="a">v</x:attribute></x:attribute-set>
 <x:attribute-set name="t" use-attribute-sets="s"><x:attribute name="g">w</x:attribute></x:attribute-set>
-<x:template match="a:*"><x:element name="e" use-attribute-sets="t"/><a:e 
x:use-attribute-sets="t"/></x:template>
+<x:template match="a:*">
+<x:element name="e" use-attribute-sets="t"/>
+<a:e x:use-attribute-sets="t"/>
+<x:copy use-attribute-sets="t"></x:copy>
+</x:template>
 </x:stylesheet>
diff --git a/tests/fuzz/seed/xslt/cdata b/tests/fuzz/seed/xslt/cdata
new file mode 100644
index 00000000..cb03937e
--- /dev/null
+++ b/tests/fuzz/seed/xslt/cdata
@@ -0,0 +1,4 @@
+<x:stylesheet version="1.0" xmlns:x="http://www.w3.org/1999/XSL/Transform"; xmlns:a="a" xmlns:b="b">
+<x:output cdata-section-elements="b a:c"/>
+<x:template match="*"><x:copy><x:apply-templates select="node()"/></x:copy></x:template>
+</x:stylesheet>
diff --git a/tests/fuzz/seed/xslt/decimal_format b/tests/fuzz/seed/xslt/decimal_format
new file mode 100644
index 00000000..1a9332e2
--- /dev/null
+++ b/tests/fuzz/seed/xslt/decimal_format
@@ -0,0 +1,15 @@
+<x:stylesheet xmlns:x="http://www.w3.org/1999/XSL/Transform"; version="1.0">
+<x:decimal-format name="f"
+decimal-separator="•" grouping-separator="`"
+infinity="∞" minus-sign="–" NaN="🀀"
+percent="⁄" per-mille="*"
+zero-digit="0" digit="÷"
+pattern-separator="|"/>
+<x:template match="*">
+<n><x:value-of select="format-number(123456789.123456,'_÷÷`÷`00•00÷÷_','f')"/></n>
+<n><x:value-of select="format-number(-1.5,'÷•÷*|–0•0⁄','f')"/></n>
+<n><x:value-of select="format-number(-1 div 0,'0','f')"/></n>
+<n><x:value-of select="format-number(0 div 0,'0','f')"/></n>
+</x:template>
+</x:stylesheet>
+
diff --git a/tests/fuzz/seed/xslt/extension b/tests/fuzz/seed/xslt/extension
new file mode 100644
index 00000000..64e850f2
--- /dev/null
+++ b/tests/fuzz/seed/xslt/extension
@@ -0,0 +1,7 @@
+<x:stylesheet xmlns:x="http://www.w3.org/1999/XSL/Transform"; xmlns:a="a" xmlns:b="b" xmlns:e1="e1" 
xmlns:e2="e2" xmlns:e3="e3" version="1.0" extension-element-prefixes="e1 e2 e3">
+<x:template match="*">
+<e3:e><x:fallback><f3/></x:fallback></e3:e>
+<x:foo><x:fallback><foo/></x:fallback></x:foo>
+<x:apply-templates select="*"/>
+</x:template>
+</x:stylesheet>
diff --git a/tests/fuzz/seed/xslt/html b/tests/fuzz/seed/xslt/html
new file mode 100644
index 00000000..c171a2df
--- /dev/null
+++ b/tests/fuzz/seed/xslt/html
@@ -0,0 +1,4 @@
+<x:stylesheet xmlns:x="http://www.w3.org/1999/XSL/Transform"; version="1.0" xmlns:a="a" xmlns:b="b" 
exclude-result-prefixes="a b">
+<x:output method="html" version="4.0" encoding="iso-8859-1" indent="yes" media-type="t/h"/>
+<x:template match="*"><div><img/><x:apply-templates select="node()"/></div></x:template>
+</x:stylesheet>
diff --git a/tests/fuzz/seed/xslt/number b/tests/fuzz/seed/xslt/number
index ecc499a3..ed38d63c 100644
--- a/tests/fuzz/seed/xslt/number
+++ b/tests/fuzz/seed/xslt/number
@@ -3,7 +3,7 @@
 <x:number level="any" count="*" from="*" format="1.i.I.A.a"/>
 <x:number level="multiple" count="*" format="A.a.I.i.1"/>
 <x:number level="single" from="*"/>
-<x:number value="123456789" format="1" grouping-separator="." grouping-size="3"/>
+<x:number value="123456789" format="1" grouping-separator="’" grouping-size="3"/>
 <x:apply-templates select="*"/>
 </x:template>
 </x:stylesheet>
diff --git a/tests/fuzz/seed/xslt/output b/tests/fuzz/seed/xslt/output
new file mode 100644
index 00000000..b1f0176b
--- /dev/null
+++ b/tests/fuzz/seed/xslt/output
@@ -0,0 +1,4 @@
+<x:stylesheet xmlns:x="http://www.w3.org/1999/XSL/Transform"; version="1.0" 
xmlns="http://www.w3.org/1999/xhtml"; xmlns:a="a" xmlns:b="b" exclude-result-prefixes="a b">
+<x:output method="xml" version="1.0" encoding="iso-8859-1" omit-xml-declaration="yes" standalone="yes" 
doctype-public="p" doctype-system="s" cdata-section-elements="a" indent="yes" media-type="t/x"/>
+<x:template match="@*|node()"><x:copy><x:apply-templates select="@*|node()"/></x:copy></x:template>
+</x:stylesheet>
diff --git a/tests/fuzz/seed/xslt/sort b/tests/fuzz/seed/xslt/sort
index bc7df1ca..2eebe979 100644
--- a/tests/fuzz/seed/xslt/sort
+++ b/tests/fuzz/seed/xslt/sort
@@ -1,6 +1,6 @@
 <x:stylesheet xmlns:x="http://www.w3.org/1999/XSL/Transform"; xmlns:a="a" xmlns:b="b" version="1.0">
 <x:template match="*">
-<x:apply-templates select="*"><x:sort lang="en" select="."/></x:apply-templates>
-<a:a/>
+<x:for-each select="*"><x:sort select="count(.)" data-type="number" order="ascending"/><x:value-of 
select="local-name()"/></x:for-each>
+<x:copy><x:apply-templates select="*"><x:sort select="." order="descending" 
lang="en"/></x:apply-templates></x:copy>
 </x:template>
 </x:stylesheet>
diff --git a/tests/fuzz/seed/xslt/strip_space b/tests/fuzz/seed/xslt/strip_space
new file mode 100644
index 00000000..563a327a
--- /dev/null
+++ b/tests/fuzz/seed/xslt/strip_space
@@ -0,0 +1,6 @@
+<x:stylesheet xmlns:x="http://www.w3.org/1999/XSL/Transform"; xmlns:a="a" xmlns:b="b" version="1.0">
+<x:strip-space elements="a b a:*"/>
+<x:preserve-space elements="a:e"/>
+<x:output indent="yes"/>
+<x:template match="*"><x:copy><x:apply-templates select="node()"/></x:copy></x:template>
+</x:stylesheet>
diff --git a/tests/fuzz/seed/xslt/text b/tests/fuzz/seed/xslt/text
new file mode 100644
index 00000000..242c2691
--- /dev/null
+++ b/tests/fuzz/seed/xslt/text
@@ -0,0 +1,4 @@
+<x:stylesheet xmlns:x="http://www.w3.org/1999/XSL/Transform"; xmlns:a="a" xmlns:b="b" version="1.0">
+<x:output method="text" encoding="iso-8859-1" media-type="t/p"/>
+<x:template match="*"><x:copy><x:apply-templates select="node()"/></x:copy></x:template>
+</x:stylesheet>
diff --git a/tests/fuzz/seed/xslt/xhtml b/tests/fuzz/seed/xslt/xhtml
new file mode 100644
index 00000000..3c521969
--- /dev/null
+++ b/tests/fuzz/seed/xslt/xhtml
@@ -0,0 +1,4 @@
+<x:stylesheet xmlns:x="http://www.w3.org/1999/XSL/Transform"; version="1.0" 
xmlns="http://www.w3.org/1999/xhtml"; xmlns:a="a" xmlns:b="b" exclude-result-prefixes="a b">
+<x:output encoding="iso-8859-1" media-type="t/h" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" 
doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"/>
+<x:template match="*"><div><img/><x:apply-templates select="node()"/></div></x:template>
+</x:stylesheet>
diff --git a/tests/fuzz/testTargets.c b/tests/fuzz/testTargets.c
index 114304bd..de17d555 100644
--- a/tests/fuzz/testTargets.c
+++ b/tests/fuzz/testTargets.c
@@ -62,9 +62,9 @@ testXslt(int argc, char **argv) {
     if (result == NULL) {
         fprintf(stderr, "Result is NULL\n");
         ret = 1;
-    } else if (xmlStrcmp(result, BAD_CAST "<r>39</r>\n") != 0) {
+    } else if (xmlStrcmp(result, BAD_CAST "<r>42</r>\n") != 0) {
         fprintf(stderr, "Stylesheet returned\n%sexpected \n%s\n",
-                result, "<r>39</r>");
+                result, "<r>42</r>");
         ret = 1;
     }
 
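Review bot: The expected output `<r>42</r>\n` on the new side is a bare magic string that silently depends on a fixture changed in this same commit (presumably tests/fuzz/xslt.xml, whose `<a:b>` now holds an extra `<a:c>` child), and the hunk gives a later reader no way to know which stylesheet produces it or why it moved from 39 to 42. I'd hoist it into one named constant with a comment, e.g. `#define XSLT_EXPECTED_RESULT "<r>42</r>\n" /* output of the fuzz stylesheet on tests/fuzz/xslt.xml; update together with that fixture */`, and use it in both the comparison and the diagnostic, since the new lines spell the value twice and the two can drift apart. testXslt starts and ends outside this hunk.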
diff --git a/tests/fuzz/xpath.dict b/tests/fuzz/xpath.dict
index bd25947b..6699fe8d 100644
--- a/tests/fuzz/xpath.dict
+++ b/tests/fuzz/xpath.dict
@@ -62,3 +62,9 @@ var_num="=$f"
 var_bool="=$b"
 var_str="=$s"
 var_node_set="=$n"
+
+# Unicode
+
+utf8_2="\xC3\x84"
+utf8_3="\xE2\x80\x9C"
+utf8_4="\xF0\x9F\x98\x80"
diff --git a/tests/fuzz/xslt.dict b/tests/fuzz/xslt.dict
index 69b9c257..c7b53618 100644
--- a/tests/fuzz/xslt.dict
+++ b/tests/fuzz/xslt.dict
@@ -21,24 +21,15 @@ inst_var_templ="<x:variable name=\"v\"></x:variable>"
 inst_value_of="<x:value-of select=\"*\"/>"
 
 # Move to corpus?
-inst_fallback="<x:foo><x:fallback>f</x:fallback></x:foo>"
 inst_message_no="<x:message terminate=\"no\">m</x:message>"
 inst_message_yes="<x:message terminate=\"yes\">m</x:message>"
 inst_namespace_alias="<x:namespace-alias stylesheet-prefix=\"a\" result-prefix=\"x\"/>"
-inst_number_value="<x:number value=\"1\" format=\"1\" grouping-separator=\",\" grouping-size=\"3\"/>"
-inst_number_any="<x:number level=\"any\" count=\"*\" from=\"*\" format=\"1\" grouping-separator=\",\" 
grouping-size=\"3\"/>"
-inst_number_multiple="<x:number level=\"multiple\" count=\"*\" from=\"*\" format=\"1\" 
grouping-separator=\",\" grouping-size=\"3\"/>"
-inst_number_single="<x:number level=\"single\" count=\"*\" from=\"*\" format=\"1\" grouping-separator=\",\" 
grouping-size=\"3\"/>"
-inst_output_xml="<x:output method=\"xml\" version=\"1.0\" encoding=\"iso-8859-1\" 
omit-xml-declaration=\"yes\" standalone=\"yes\" doctype-public=\"p\" doctype-system=\"s\" 
cdata-section-elements=\"a\" indent=\"yes\" media-type=\"t\"/>"
-inst_output_html="<x:output method=\"html\" version=\"4.0\" encoding=\"iso-8859-1\" doctype-public=\"p\" 
doctype-system=\"s\" indent=\"yes\" media-type=\"t\"/>"
-inst_output_text="<x:output method=\"text\" encoding=\"iso-8859-1\" media-type=\"t\"/>"
-inst_space_preserve="<x:preserve-space elements=\"b:b\"/>"
-inst_space_strip="<x:strip-space elements=\"a:e *\"/>"
 
 # Attributes
 
 attr_mode=" mode=\"m\""
 attr_namespace=" namespace=\"a\""
+attr_priority=" priority=\"-0.1\""
 
 # XPath
 
@@ -84,3 +75,9 @@ pred_last="[last()]"
 pred_current="[current()]"
 
 expr_var="+$v"
+
+# Unicode
+
+utf8_2="\xC3\x84"
+utf8_3="\xE2\x80\x9C"
+utf8_4="\xF0\x9F\x98\x80"
diff --git a/tests/fuzz/xslt.xml b/tests/fuzz/xslt.xml
index 0ab51932..b20eb192 100644
--- a/tests/fuzz/xslt.xml
+++ b/tests/fuzz/xslt.xml
@@ -2,9 +2,11 @@
 <a xmlns:a="a">
     <b xmlns:b="b" a="1" id="b">
         <c b="2">Ärger</c>
-        <b:d b="3">text</b:d>
+        <b:d b="3">text &amp; &lt;&gt;</b:d>
         <!-- comment -->
-        <a:b b="4">ß&#x1f600;</a:b>
+        <a:b b="4">
+            <a:c>ß&#x1f600;</a:c>
+        </a:b>
         <b:c a="4"><![CDATA[text]]></b:c>
     </b>
     <?pi content?>

