[libxml2] Handle malloc failures in fuzzing code



commit e2b975c317ae9cb672be459a4ff8761aedb3157c
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Fri Dec 18 00:50:34 2020 +0100

    Handle malloc failures in fuzzing code
    
    Avoid misdiagnosing out-of-memory (OOM) failures in the fuzz harness as bugs in the parser.

 fuzz/fuzz.c |  6 ++++++
 fuzz/xml.c  | 20 +++++++++-----------
 2 files changed, 15 insertions(+), 11 deletions(-)
---
diff --git a/fuzz/fuzz.c b/fuzz/fuzz.c
index b5dfa185..212136ac 100644
--- a/fuzz/fuzz.c
+++ b/fuzz/fuzz.c
@@ -211,6 +211,8 @@ xmlFuzzReadEntities(void) {
 
         if (xmlHashLookup(fuzzData.entities, (xmlChar *)url) == NULL) {
             entityInfo = xmlMalloc(sizeof(xmlFuzzEntityInfo));
+            if (entityInfo == NULL)
+                break;
             entityInfo->data = entity;
             entityInfo->size = entitySize;
 
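Review bot: The `break` on a NULL `entityInfo` silently stops loading the remaining entities and leaves no trace of why, so the rest of the fuzz run operates on a partial entity table; a one-line comment would make that intent explicit, e.g. `/* OOM: stop loading entities; the run continues with what was read so far. */`. Whatever registers `entityInfo` in `fuzzData.entities` after this hunk is not visible here; if it is a hash insertion it allocates too, and its failure would need the same treatment unless already handled. The enclosing loop and xmlFuzzReadEntities itself start before the hunk.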
@@ -271,6 +273,10 @@ xmlFuzzEntityLoader(const char *URL, const char *ID ATTRIBUTE_UNUSED,
     input->filename = NULL;
     input->buf = xmlParserInputBufferCreateMem(entity->data, entity->size,
                                                XML_CHAR_ENCODING_NONE);
+    if (input->buf == NULL) {
+        xmlFreeInputStream(input);
+        return(NULL);
+    }
     input->base = input->cur = xmlBufContent(input->buf->buffer);
     input->end = input->base + entity->size;
 
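Review bot: The new check covers `input->buf`, but `input` itself is allocated above this hunk and is dereferenced at `input->filename = NULL` before any NULL test visible here; if that allocation is not already checked, the same OOM misdiagnosis the commit sets out to fix remains one line up, so confirm or add `if (input == NULL) return(NULL);` directly after it. Releasing the half-built stream with xmlFreeInputStream while `buf` is NULL looks fine, since no buffer is owned yet. The body of xmlFuzzEntityLoader starts and ends outside the hunk.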
diff --git a/fuzz/xml.c b/fuzz/xml.c
index 97b40b87..f0dcfcc9 100644
--- a/fuzz/xml.c
+++ b/fuzz/xml.c
@@ -37,18 +37,14 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
 
     /* Lower maximum size when processing entities for now. */
     maxSize = opts & XML_PARSE_NOENT ? 50000 : 500000;
-    if (size > maxSize) {
-        xmlFuzzDataCleanup();
-        return(0);
-    }
+    if (size > maxSize)
+        goto exit;
 
     xmlFuzzReadEntities();
     docBuffer = xmlFuzzMainEntity(&docSize);
     docUrl = xmlFuzzMainUrl();
-    if (docBuffer == NULL) {
-        xmlFuzzDataCleanup();
-        return(0);
-    }
+    if (docBuffer == NULL)
+        goto exit;
 
     /* Pull parser */
 
@@ -63,6 +59,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
     /* Push parser */
 
     ctxt = xmlCreatePushParserCtxt(NULL, NULL, NULL, 0, docUrl);
+    if (ctxt == NULL)
+        goto exit;
     xmlCtxtUseOptions(ctxt, opts);
 
     for (consumed = 0; consumed < docSize; consumed += chunkSize) {
@@ -81,6 +79,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
     /* Reader */
 
     reader = xmlReaderForMemory(docBuffer, docSize, NULL, NULL, opts);
+    if (reader == NULL)
+        goto exit;
     while (xmlTextReaderRead(reader) == 1) {
         if (xmlTextReaderNodeType(reader) == XML_ELEMENT_NODE) {
             int i, n = xmlTextReaderAttributeCount(reader);
@@ -92,10 +92,8 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
     }
     xmlFreeTextReader(reader);
 
-    /* Cleanup */
-
+exit:
     xmlFuzzDataCleanup();
-
     return(0);
 }
 
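Review bot: The label `exit:` shares its name with the libc `exit()` function; labels have their own namespace so this compiles, but it reads like a call site and confuses grep, so `cleanup:` would be clearer and also keeps the meaning of the `/* Cleanup */` comment this hunk deletes. The label runs only xmlFuzzDataCleanup(), which is correct for the four new `goto` sites because each jumps before `ctxt` or `reader` is owned; a comment stating that invariant, e.g. `/* Reached only with no parser ctxt or reader outstanding. */`, would stop a future early exit after those allocations from leaking them. LLVMFuzzerTestOneInput begins before this hunk.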

