[libxml2] Limit size of free lists in XML reader when fuzzing

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Limit size of free lists in XML reader when fuzzing
Date: Tue, 25 Aug 2020 22:29:56 +0000 (UTC)

commit f0fd1b67fc883a24cdd039abb3d4fe4696104d72
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Wed Aug 26 00:16:38 2020 +0200

    Limit size of free lists in XML reader when fuzzing
    
    Keeping objects on a free list can hide memory errors. Only allow a
    single node on free lists used by the XML reader when fuzzing. This
    should hide fewer errors while still exercising the free list logic.

 xmlreader.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
---
diff --git a/xmlreader.c b/xmlreader.c
index 1ab15ba7a..a9b9ef93e 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -48,6 +48,13 @@
 
 #define MAX_ERR_MSG_SIZE 64000
 
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+/* Keeping free objects can hide memory errors. */
+#define MAX_FREE_NODES 1
+#else
+#define MAX_FREE_NODES 100
+#endif
+
 /*
  * The following VA_COPY was coded following an example in
  * the Samba project.  It may not be sufficient for some
@@ -365,7 +372,7 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
 
     DICT_FREE(cur->name);
     if ((reader != NULL) && (reader->ctxt != NULL) &&
-        (reader->ctxt->freeAttrsNr < 100)) {
+        (reader->ctxt->freeAttrsNr < MAX_FREE_NODES)) {
         cur->next = reader->ctxt->freeAttrs;
        reader->ctxt->freeAttrs = cur;
        reader->ctxt->freeAttrsNr++;
@@ -466,7 +473,7 @@ xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur) {
            if (((cur->type == XML_ELEMENT_NODE) ||
                 (cur->type == XML_TEXT_NODE)) &&
                (reader != NULL) && (reader->ctxt != NULL) &&
-               (reader->ctxt->freeElemsNr < 100)) {
+               (reader->ctxt->freeElemsNr < MAX_FREE_NODES)) {
                cur->next = reader->ctxt->freeElems;
                reader->ctxt->freeElems = cur;
                reader->ctxt->freeElemsNr++;
@@ -554,7 +561,7 @@ xmlTextReaderFreeNode(xmlTextReaderPtr reader, xmlNodePtr cur) {
     if (((cur->type == XML_ELEMENT_NODE) ||
         (cur->type == XML_TEXT_NODE)) &&
        (reader != NULL) && (reader->ctxt != NULL) &&
-       (reader->ctxt->freeElemsNr < 100)) {
+       (reader->ctxt->freeElemsNr < MAX_FREE_NODES)) {
        cur->next = reader->ctxt->freeElems;
        reader->ctxt->freeElems = cur;
        reader->ctxt->freeElemsNr++;

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]