tests: Add support for afl-fuzz

With the current setup it successfully finds the (fixed) DOCTYPE buffer overrun in ~50 minutes (on a single core).
2024-12-26 04:21:01 +08:00 · 2015-03-13 00:18:30 -07:00 · 2015-03-13 00:18:30 -07:00 · 15fba1debc
commit 15fba1debc
parent 0542b1869b
8 changed files with 28 additions and 3 deletions
--- a/11
+++ b/11
@ -3,10 +3,10 @@ defines=standard

 BUILD=build/make-$(CXX)-$(config)-$(defines)

-SOURCES=src/pugixml.cpp $(wildcard tests/*.cpp)
+SOURCES=src/pugixml.cpp tests/main.cpp tests/allocator.cpp tests/test.cpp tests/writer_string.cpp $(wildcard tests/test_*.cpp)
 EXECUTABLE=$(BUILD)/test

-CXXFLAGS=-c -g -Wall -Wextra -Werror -pedantic
+CXXFLAGS=-g -Wall -Wextra -Werror -pedantic
 LDFLAGS=

 ifeq ($(config),release)
@ -39,6 +39,11 @@ test: $(EXECUTABLE)
 	./$(EXECUTABLE)
 endif

+fuzz:
+	@mkdir -p $(BUILD)
+	$(AFL)/afl-clang++ tests/fuzz_parse.cpp tests/allocator.cpp src/pugixml.cpp $(CXXFLAGS) -o $(BUILD)/fuzz_parse
+	$(AFL)/afl-fuzz -i tests/data_fuzz_parse -o $(BUILD)/fuzz_parse_out -x $(AFL)/testcases/_extras/xml/ -- $(BUILD)/fuzz_parse @@
+
 clean:
 	rm -rf $(BUILD)

@ -47,7 +52,7 @@ $(EXECUTABLE): $(OBJECTS)

 $(BUILD)/%.o: %
 	@mkdir -p $(dir $@)
-	$(CXX) $< $(CXXFLAGS) -MMD -MP -o $@
+	$(CXX) $< $(CXXFLAGS) -c -MMD -MP -o $@

 -include $(OBJECTS:.o=.d)

--- a/tests/data_fuzz_parse/basic.xml
+++ b/tests/data_fuzz_parse/basic.xml
@ -0,0 +1 @@
+<node attr="value" />
--- a/tests/data_fuzz_parse/doctype.xml
+++ b/tests/data_fuzz_parse/doctype.xml
@ -0,0 +1 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!DOCTYPE [ <!ELEMENT p (#PCDATA|emph)* > ]>
<!DOCTYPE foo [ <![INCLUDE[<!ATTLIST foo bar CDATA #IMPLIED>]]> <![IGNORE[some junk]]> ]>
<!DOCTYPE root [ <!ELEMENT a EMPTY> <!ATTLIST a attr1 CDATA "&ge1;"> <!--* GE reference in attr default before declaration *--> <!ENTITY ge1 "abcdef"> ]>
<node/>
--- a/tests/data_fuzz_parse/refs.xml
+++ b/tests/data_fuzz_parse/refs.xml
@ -0,0 +1 @@
+<?xml version='1.0'?>
<node enc='&lt; &gt; &amp; &quot; &apos; &#12; &#xAB;'>
	pcdata &lt; &gt; &amp; &quot; &apos; &#12; &#xAB;
	&unknown; %entity;
</node>
--- a/tests/data_fuzz_parse/types.xml
+++ b/tests/data_fuzz_parse/types.xml
@ -0,0 +1 @@
+<?xml version='1.0'?>
<!DOCTYPE html>
<node attr="value">
	<child/>
	pcdata
	<![CDATA[ test ]]>
	<!-- comment - -->
	<?pi value?>
</node>
--- a/tests/data_fuzz_parse/utf16.xml
+++ b/tests/data_fuzz_parse/utf16.xml
--- a/tests/data_fuzz_parse/utf32.xml
+++ b/tests/data_fuzz_parse/utf32.xml
--- a/tests/fuzz_parse.cpp
+++ b/tests/fuzz_parse.cpp
@ -0,0 +1,16 @@
+#include "../src/pugixml.hpp"
+#include "allocator.hpp"
+
+int main(int argc, const char** argv)
+{
+    pugi::set_memory_management_functions(memory_allocate, memory_deallocate);
+
+    pugi::xml_document doc;
+
+    for (int i = 1; i < argc; ++i)
+    {
+	    doc.load_file(argv[i]);
+	    doc.load_file(argv[i], pugi::parse_minimal);
+	    doc.load_file(argv[i], pugi::parse_full);
+	}
+}
				`@ -0,0 +1 @@`
				`<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!DOCTYPE [ <!ELEMENT p (#PCDATA\|emph)* > ]> <!DOCTYPE foo [ <![INCLUDE[<!ATTLIST foo bar CDATA #IMPLIED>]]> <![IGNORE[some junk]]> ]> <!DOCTYPE root [ <!ELEMENT a EMPTY> <!ATTLIST a attr1 CDATA "&ge1;"> <!--* GE reference in attr default before declaration *--> <!ENTITY ge1 "abcdef"> ]> <node/>`
				`@ -0,0 +1 @@`
				`<?xml version='1.0'?> <node enc='< > & " ' «'> pcdata < > & " ' « &unknown; %entity; </node>`
				`@ -0,0 +1 @@`
				`<?xml version='1.0'?> <!DOCTYPE html> <node attr="value"> <child/> pcdata <![CDATA[ test ]]> <!-- comment - --> <?pi value?> </node>`