From 15fba1debca5498989048677ffda38758b2df984 Mon Sep 17 00:00:00 2001
From: Arseny Kapoulkine <arseny.kapoulkine@gmail.com>
Date: Fri, 13 Mar 2015 00:18:30 -0700
Subject: tests: Add support for afl-fuzz

With the current setup it successfully finds the (fixed) DOCTYPE buffer overrun
in ~50 minutes (on a single core).
---
 tests/data_fuzz_parse/basic.xml   |   1 +
 tests/data_fuzz_parse/doctype.xml |   1 +
 tests/data_fuzz_parse/refs.xml    |   1 +
 tests/data_fuzz_parse/types.xml   |   1 +
 tests/data_fuzz_parse/utf16.xml   | Bin 0 -> 700 bytes
 tests/data_fuzz_parse/utf32.xml   | Bin 0 -> 652 bytes
 tests/fuzz_parse.cpp              |  16 ++++++++++++++++
 7 files changed, 20 insertions(+)
 create mode 100644 tests/data_fuzz_parse/basic.xml
 create mode 100644 tests/data_fuzz_parse/doctype.xml
 create mode 100644 tests/data_fuzz_parse/refs.xml
 create mode 100644 tests/data_fuzz_parse/types.xml
 create mode 100644 tests/data_fuzz_parse/utf16.xml
 create mode 100644 tests/data_fuzz_parse/utf32.xml
 create mode 100644 tests/fuzz_parse.cpp

(limited to 'tests')
diff --git a/tests/data_fuzz_parse/basic.xml b/tests/data_fuzz_parse/basic.xml
new file mode 100644
index 0000000..a8eaa09
--- /dev/null
+++ b/tests/data_fuzz_parse/basic.xml
@@ -0,0 +1 @@
+<node attr="value" />
\ No newline at end of file
diff --git a/tests/data_fuzz_parse/doctype.xml b/tests/data_fuzz_parse/doctype.xml
new file mode 100644
index 0000000..dd1831d
--- /dev/null
+++ b/tests/data_fuzz_parse/doctype.xml
@@ -0,0 +1 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><!DOCTYPE [ <!ELEMENT p (#PCDATA|emph)* > ]><!DOCTYPE foo [ <![INCLUDE[<!ATTLIST foo bar CDATA #IMPLIED>]]> <![IGNORE[some junk]]> ]><!DOCTYPE root [ <!ELEMENT a EMPTY> <!ATTLIST a attr1 CDATA "&ge1;"> <!--* GE reference in attr default before declaration *--> <!ENTITY ge1 "abcdef"> ]><node/>
\ No newline at end of file
diff --git a/tests/data_fuzz_parse/refs.xml b/tests/data_fuzz_parse/refs.xml
new file mode 100644
index 0000000..e42df5f
--- /dev/null
+++ b/tests/data_fuzz_parse/refs.xml
@@ -0,0 +1 @@
+<?xml version='1.0'?><node enc='&lt; &gt; &amp; &quot; &apos; &#12; &#xAB;'>	pcdata &lt; &gt; &amp; &quot; &apos; &#12; &#xAB;	&unknown; %entity;</node>
\ No newline at end of file
diff --git a/tests/data_fuzz_parse/types.xml b/tests/data_fuzz_parse/types.xml
new file mode 100644
index 0000000..dc6369a
--- /dev/null
+++ b/tests/data_fuzz_parse/types.xml
@@ -0,0 +1 @@
+<?xml version='1.0'?><!DOCTYPE html><node attr="value">	<child/>	pcdata	<![CDATA[ test ]]>	<!-- comment - -->	<?pi value?></node>
\ No newline at end of file
diff --git a/tests/data_fuzz_parse/utf16.xml b/tests/data_fuzz_parse/utf16.xml
new file mode 100644
index 0000000..3847a93
Binary files /dev/null and b/tests/data_fuzz_parse/utf16.xml differ
diff --git a/tests/data_fuzz_parse/utf32.xml b/tests/data_fuzz_parse/utf32.xml
new file mode 100644
index 0000000..51b8a89
Binary files /dev/null and b/tests/data_fuzz_parse/utf32.xml differ
diff --git a/tests/fuzz_parse.cpp b/tests/fuzz_parse.cpp
new file mode 100644
index 0000000..e758196
--- /dev/null
+++ b/tests/fuzz_parse.cpp
@@ -0,0 +1,16 @@
+#include "../src/pugixml.hpp"
+#include "allocator.hpp"
+
+int main(int argc, const char** argv)
+{
+    pugi::set_memory_management_functions(memory_allocate, memory_deallocate);
+
+    pugi::xml_document doc;
+
+    for (int i = 1; i < argc; ++i)
+    {
+	    doc.load_file(argv[i]);
+	    doc.load_file(argv[i], pugi::parse_minimal);
+	    doc.load_file(argv[i], pugi::parse_full);
+	}
+}
-- 
cgit v1.2.3

