diff options
author | Arseny Kapoulkine <arseny.kapoulkine@gmail.com> | 2015-03-13 00:18:30 -0700 |
---|---|---|
committer | Arseny Kapoulkine <arseny.kapoulkine@gmail.com> | 2015-03-13 00:18:30 -0700 |
commit | 15fba1debca5498989048677ffda38758b2df984 (patch) | |
tree | d2891e531717681619f55e79fc5efa81b46822e2 | |
parent | 0542b1869b6970003caa954ebc5f1dea41d48032 (diff) |
tests: Add support for afl-fuzz
With the current setup it successfully finds the (fixed) DOCTYPE buffer overrun
in ~50 minutes (on a single core).
-rw-r--r-- | Makefile | 11 | ||||
-rw-r--r-- | tests/data_fuzz_parse/basic.xml | 1 | ||||
-rw-r--r-- | tests/data_fuzz_parse/doctype.xml | 1 | ||||
-rw-r--r-- | tests/data_fuzz_parse/refs.xml | 1 | ||||
-rw-r--r-- | tests/data_fuzz_parse/types.xml | 1 | ||||
-rw-r--r-- | tests/data_fuzz_parse/utf16.xml | bin | 0 -> 700 bytes | |||
-rw-r--r-- | tests/data_fuzz_parse/utf32.xml | bin | 0 -> 652 bytes | |||
-rw-r--r-- | tests/fuzz_parse.cpp | 16 |
8 files changed, 28 insertions, 3 deletions
@@ -3,10 +3,10 @@ defines=standard BUILD=build/make-$(CXX)-$(config)-$(defines) -SOURCES=src/pugixml.cpp $(wildcard tests/*.cpp) +SOURCES=src/pugixml.cpp tests/main.cpp tests/allocator.cpp tests/test.cpp tests/writer_string.cpp $(wildcard tests/test_*.cpp) EXECUTABLE=$(BUILD)/test -CXXFLAGS=-c -g -Wall -Wextra -Werror -pedantic +CXXFLAGS=-g -Wall -Wextra -Werror -pedantic LDFLAGS= ifeq ($(config),release) @@ -39,6 +39,11 @@ test: $(EXECUTABLE) ./$(EXECUTABLE) endif +fuzz: + @mkdir -p $(BUILD) + $(AFL)/afl-clang++ tests/fuzz_parse.cpp tests/allocator.cpp src/pugixml.cpp $(CXXFLAGS) -o $(BUILD)/fuzz_parse + $(AFL)/afl-fuzz -i tests/data_fuzz_parse -o $(BUILD)/fuzz_parse_out -x $(AFL)/testcases/_extras/xml/ -- $(BUILD)/fuzz_parse @@ + clean: rm -rf $(BUILD) @@ -47,7 +52,7 @@ $(EXECUTABLE): $(OBJECTS) $(BUILD)/%.o: % @mkdir -p $(dir $@) - $(CXX) $< $(CXXFLAGS) -MMD -MP -o $@ + $(CXX) $< $(CXXFLAGS) -c -MMD -MP -o $@ -include $(OBJECTS:.o=.d) diff --git a/tests/data_fuzz_parse/basic.xml b/tests/data_fuzz_parse/basic.xml new file mode 100644 index 0000000..a8eaa09 --- /dev/null +++ b/tests/data_fuzz_parse/basic.xml @@ -0,0 +1 @@ +<node attr="value" />
\ No newline at end of file diff --git a/tests/data_fuzz_parse/doctype.xml b/tests/data_fuzz_parse/doctype.xml new file mode 100644 index 0000000..dd1831d --- /dev/null +++ b/tests/data_fuzz_parse/doctype.xml @@ -0,0 +1 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!DOCTYPE [ <!ELEMENT p (#PCDATA|emph)* > ]>
<!DOCTYPE foo [ <![INCLUDE[<!ATTLIST foo bar CDATA #IMPLIED>]]> <![IGNORE[some junk]]> ]>
<!DOCTYPE root [ <!ELEMENT a EMPTY> <!ATTLIST a attr1 CDATA "&ge1;"> <!--* GE reference in attr default before declaration *--> <!ENTITY ge1 "abcdef"> ]>
<node/>
\ No newline at end of file diff --git a/tests/data_fuzz_parse/refs.xml b/tests/data_fuzz_parse/refs.xml new file mode 100644 index 0000000..e42df5f --- /dev/null +++ b/tests/data_fuzz_parse/refs.xml @@ -0,0 +1 @@ +<?xml version='1.0'?>
<node enc='< > & " '  «'>
pcdata < > & " '  «
&unknown; %entity;
</node>
\ No newline at end of file diff --git a/tests/data_fuzz_parse/types.xml b/tests/data_fuzz_parse/types.xml new file mode 100644 index 0000000..dc6369a --- /dev/null +++ b/tests/data_fuzz_parse/types.xml @@ -0,0 +1 @@ +<?xml version='1.0'?>
<!DOCTYPE html>
<node attr="value">
<child/>
pcdata
<![CDATA[ test ]]>
<!-- comment - -->
<?pi value?>
</node>
\ No newline at end of file diff --git a/tests/data_fuzz_parse/utf16.xml b/tests/data_fuzz_parse/utf16.xml Binary files differnew file mode 100644 index 0000000..3847a93 --- /dev/null +++ b/tests/data_fuzz_parse/utf16.xml diff --git a/tests/data_fuzz_parse/utf32.xml b/tests/data_fuzz_parse/utf32.xml Binary files differnew file mode 100644 index 0000000..51b8a89 --- /dev/null +++ b/tests/data_fuzz_parse/utf32.xml diff --git a/tests/fuzz_parse.cpp b/tests/fuzz_parse.cpp new file mode 100644 index 0000000..e758196 --- /dev/null +++ b/tests/fuzz_parse.cpp @@ -0,0 +1,16 @@ +#include "../src/pugixml.hpp" +#include "allocator.hpp" + +int main(int argc, const char** argv) +{ + pugi::set_memory_management_functions(memory_allocate, memory_deallocate); + + pugi::xml_document doc; + + for (int i = 1; i < argc; ++i) + { + doc.load_file(argv[i]); + doc.load_file(argv[i], pugi::parse_minimal); + doc.load_file(argv[i], pugi::parse_full); + } +} |