authorArseny Kapoulkine <arseny.kapoulkine@gmail.com>2017-02-08 08:48:54 -0800
committerArseny Kapoulkine <arseny.kapoulkine@gmail.com>2017-02-09 07:37:38 -0800
commit8c62fa9121eacf5cde1ed59bf0cca896227a44d5 (patch)
tree8187f2de4061ade9ee4fd2df2eea59dbd40283ea
parent8b15ae801531f64804566391bfbd10db451956ca (diff)
tests: Add XPath fuzzing
Only fuzz the parser for now.
-rw-r--r--tests/data_fuzz_xpath/basic.xpath1
-rw-r--r--tests/data_fuzz_xpath/functions.xpath1
-rw-r--r--tests/data_fuzz_xpath/math.xpath1
-rw-r--r--tests/data_fuzz_xpath/path.xpath1
-rw-r--r--tests/data_fuzz_xpath/predicate.xpath1
-rw-r--r--tests/fuzz_xpath.cpp26
6 files changed, 31 insertions, 0 deletions
diff --git a/tests/data_fuzz_xpath/basic.xpath b/tests/data_fuzz_xpath/basic.xpath
new file mode 100644
index 0000000..ccbaf23
--- /dev/null
+++ b/tests/data_fuzz_xpath/basic.xpath
@@ -0,0 +1 @@
+a/b/c \ No newline at end of file
diff --git a/tests/data_fuzz_xpath/functions.xpath b/tests/data_fuzz_xpath/functions.xpath
new file mode 100644
index 0000000..ec24b4f
--- /dev/null
+++ b/tests/data_fuzz_xpath/functions.xpath
@@ -0,0 +1 @@
+sum(nodes) + round(concat(//a[translate(@id, 'abc', '012')]))
diff --git a/tests/data_fuzz_xpath/math.xpath b/tests/data_fuzz_xpath/math.xpath
new file mode 100644
index 0000000..7f6e968
--- /dev/null
+++ b/tests/data_fuzz_xpath/math.xpath
@@ -0,0 +1 @@
+1+2*3 div 4 mod 5-6 \ No newline at end of file
diff --git a/tests/data_fuzz_xpath/path.xpath b/tests/data_fuzz_xpath/path.xpath
new file mode 100644
index 0000000..82cace9
--- /dev/null
+++ b/tests/data_fuzz_xpath/path.xpath
@@ -0,0 +1 @@
+@*/ancestor::*/near-north/*[4]/@*/preceding::text() \ No newline at end of file
diff --git a/tests/data_fuzz_xpath/predicate.xpath b/tests/data_fuzz_xpath/predicate.xpath
new file mode 100644
index 0000000..7161d55
--- /dev/null
+++ b/tests/data_fuzz_xpath/predicate.xpath
@@ -0,0 +1 @@
+library/nodes[@id=12]/element[@type='translate'][1] \ No newline at end of file
diff --git a/tests/fuzz_xpath.cpp b/tests/fuzz_xpath.cpp
new file mode 100644
index 0000000..c7ff4cd
--- /dev/null
+++ b/tests/fuzz_xpath.cpp
@@ -0,0 +1,26 @@
+#include "../src/pugixml.hpp"
+
+#include <stdint.h>
+#include <string.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
+{
+ char* text = new char[Size + 1];
+ memcpy(text, Data, Size);
+ text[Size] = 0;
+
+#ifdef PUGIXML_NO_EXCEPTIONS
+ pugi::xpath_query q(text);
+#else
+ try
+ {
+ pugi::xpath_query q(text);
+ }
+ catch (pugi::xpath_exception&)
+ {
+ }
+#endif
+
+ delete[] text;
+ return 0;
+}
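Review bot: The `catch (pugi::xpath_exception&)` handler in the exceptions-enabled branch is the only one, so any other exception thrown while constructing `pugi::xpath_query` escapes `LLVMFuzzerTestOneInput`, skips `delete[] text`, and aborts the fuzzer with a report that is not a parser bug. pugixml's documentation, as far as I recall, lists `std::bad_alloc` for out-of-memory during query compilation, which seems reachable under a fuzzer memory limit. Adding `catch (std::bad_alloc&) {}` (plus `#include <new>`) next to the existing handler would keep such runs out of crash triage. A one-line comment above the copy would also help the next reader: `// xpath_query takes a NUL-terminated string; an exact-size heap copy presumably lets ASan flag reads past the terminator`.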