-rw-r--r--Makefile11
-rw-r--r--src/pugixml.cpp2
-rw-r--r--tests/data_fuzz_parse/basic.xml1
-rw-r--r--tests/data_fuzz_parse/doctype.xml1
-rw-r--r--tests/data_fuzz_parse/refs.xml1
-rw-r--r--tests/data_fuzz_parse/types.xml1
-rw-r--r--tests/data_fuzz_parse/utf16.xmlbin0 -> 700 bytes
-rw-r--r--tests/data_fuzz_parse/utf32.xmlbin0 -> 652 bytes
-rw-r--r--tests/fuzz_parse.cpp16
-rw-r--r--tests/test_parse.cpp14
10 files changed, 43 insertions, 4 deletions
diff --git a/Makefile b/Makefile
index 897bcbb..b50ff69 100644
--- a/Makefile
+++ b/Makefile
@@ -3,10 +3,10 @@ defines=standard
BUILD=build/make-$(CXX)-$(config)-$(defines)
-SOURCES=src/pugixml.cpp $(wildcard tests/*.cpp)
+SOURCES=src/pugixml.cpp tests/main.cpp tests/allocator.cpp tests/test.cpp tests/writer_string.cpp $(wildcard tests/test_*.cpp)
EXECUTABLE=$(BUILD)/test
-CXXFLAGS=-c -g -Wall -Wextra -Werror -pedantic
+CXXFLAGS=-g -Wall -Wextra -Werror -pedantic
LDFLAGS=
ifeq ($(config),release)
@@ -39,6 +39,11 @@ test: $(EXECUTABLE)
./$(EXECUTABLE)
endif
+fuzz:
+ @mkdir -p $(BUILD)
+ $(AFL)/afl-clang++ tests/fuzz_parse.cpp tests/allocator.cpp src/pugixml.cpp $(CXXFLAGS) -o $(BUILD)/fuzz_parse
+ $(AFL)/afl-fuzz -i tests/data_fuzz_parse -o $(BUILD)/fuzz_parse_out -x $(AFL)/testcases/_extras/xml/ -- $(BUILD)/fuzz_parse @@
+
clean:
rm -rf $(BUILD)
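Review bot: `$(AFL)` is used twice in the new `fuzz` recipe without a default or a guard, so `make fuzz` with AFL unset expands to `/afl-clang++` and fails with an unhelpful "command not found"; a line such as `AFL?=/path/to/afl   # placeholder, point at the AFL checkout` near the top of the Makefile, or `$(if $(AFL),,$(error set AFL to the AFL install directory))` as the recipe's first line, would make the dependency explicit. The recipe compiles and links `tests/fuzz_parse.cpp tests/allocator.cpp src/pugixml.cpp` in one step with `$(CXXFLAGS)`, which works only because this commit also moves `-c` out of CXXFLAGS and into the `%.o` rule in the last hunk; that coupling deserves a one-line comment above the target. If the Makefile declares a `.PHONY` list elsewhere, `fuzz` should be added to it; that declaration is not visible in this diff.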
@@ -47,7 +52,7 @@ $(EXECUTABLE): $(OBJECTS)
$(BUILD)/%.o: %
@mkdir -p $(dir $@)
- $(CXX) $< $(CXXFLAGS) -MMD -MP -o $@
+ $(CXX) $< $(CXXFLAGS) -c -MMD -MP -o $@
-include $(OBJECTS:.o=.d)
diff --git a/src/pugixml.cpp b/src/pugixml.cpp
index dd7ce21..41175ad 100644
--- a/src/pugixml.cpp
+++ b/src/pugixml.cpp
@@ -2899,7 +2899,7 @@ PUGI__NS_BEGIN
PUGI__SCANFOR(s[0] == '-' && s[1] == '-' && s[2] == '>'); // no need for ENDSWITH because --> can't terminate proper doctype
if (!*s) PUGI__THROW_ERROR(status_bad_doctype, s);
- s += 4;
+ s += 3;
}
else PUGI__THROW_ERROR(status_bad_doctype, s);
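Review bot: The corrected `s += 3` is a bare magic number; writing it as `s += 3; // skip "-->"` ties it to the three-character delimiter scanned for two lines above and makes the off-by-one this commit fixes harder to reintroduce. The regression input added in tests/test_parse.cpp ends with `-->` as its last three bytes, which is consistent with the old `s += 4` advancing one position past the end of the scanned text; the enclosing function begins and ends outside this hunk, so how the scan loop bounds `s` after the terminator cannot be confirmed from here and should be checked when the comment is added.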
diff --git a/tests/data_fuzz_parse/basic.xml b/tests/data_fuzz_parse/basic.xml
new file mode 100644
index 0000000..a8eaa09
--- /dev/null
+++ b/tests/data_fuzz_parse/basic.xml
@@ -0,0 +1 @@
+<node attr="value" /> \ No newline at end of file
diff --git a/tests/data_fuzz_parse/doctype.xml b/tests/data_fuzz_parse/doctype.xml
new file mode 100644
index 0000000..dd1831d
--- /dev/null
+++ b/tests/data_fuzz_parse/doctype.xml
@@ -0,0 +1 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!DOCTYPE [ <!ELEMENT p (#PCDATA|emph)* > ]> <!DOCTYPE foo [ <![INCLUDE[<!ATTLIST foo bar CDATA #IMPLIED>]]> <![IGNORE[some junk]]> ]> <!DOCTYPE root [ <!ELEMENT a EMPTY> <!ATTLIST a attr1 CDATA "&ge1;"> <!--* GE reference in attr default before declaration *--> <!ENTITY ge1 "abcdef"> ]> <node/> \ No newline at end of file
diff --git a/tests/data_fuzz_parse/refs.xml b/tests/data_fuzz_parse/refs.xml
new file mode 100644
index 0000000..e42df5f
--- /dev/null
+++ b/tests/data_fuzz_parse/refs.xml
@@ -0,0 +1 @@
+<?xml version='1.0'?> <node enc='&lt; &gt; &amp; &quot; &apos; &#12; &#xAB;'> pcdata &lt; &gt; &amp; &quot; &apos; &#12; &#xAB; &unknown; %entity; </node> \ No newline at end of file
diff --git a/tests/data_fuzz_parse/types.xml b/tests/data_fuzz_parse/types.xml
new file mode 100644
index 0000000..dc6369a
--- /dev/null
+++ b/tests/data_fuzz_parse/types.xml
@@ -0,0 +1 @@
+<?xml version='1.0'?> <!DOCTYPE html> <node attr="value"> <child/> pcdata <![CDATA[ test ]]> <!-- comment - --> <?pi value?> </node> \ No newline at end of file
diff --git a/tests/data_fuzz_parse/utf16.xml b/tests/data_fuzz_parse/utf16.xml
new file mode 100644
index 0000000..3847a93
--- /dev/null
+++ b/tests/data_fuzz_parse/utf16.xml
Binary files differ
diff --git a/tests/data_fuzz_parse/utf32.xml b/tests/data_fuzz_parse/utf32.xml
new file mode 100644
index 0000000..51b8a89
--- /dev/null
+++ b/tests/data_fuzz_parse/utf32.xml
Binary files differ
diff --git a/tests/fuzz_parse.cpp b/tests/fuzz_parse.cpp
new file mode 100644
index 0000000..e758196
--- /dev/null
+++ b/tests/fuzz_parse.cpp
@@ -0,0 +1,16 @@
+#include "../src/pugixml.hpp"
+#include "allocator.hpp"
+
+int main(int argc, const char** argv)
+{
+ pugi::set_memory_management_functions(memory_allocate, memory_deallocate);
+
+ pugi::xml_document doc;
+
+ for (int i = 1; i < argc; ++i)
+ {
+ doc.load_file(argv[i]);
+ doc.load_file(argv[i], pugi::parse_minimal);
+ doc.load_file(argv[i], pugi::parse_full);
+ }
+}
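Review bot: The harness carries no comment stating its contract, and the three unchecked `load_file` calls in the loop read like an oversight rather than the intent. A header comment such as `// AFL harness: parse each input file with default, parse_minimal and parse_full flags; return values are ignored on purpose — crashes and allocator/sanitizer reports are the signal.` would stop a future reader from "fixing" the discarded results. It would also help to note next to `set_memory_management_functions` why the test allocator from allocator.hpp is installed instead of the default; the reason (presumably stricter bounds or leak checking) is not visible in this diff.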
diff --git a/tests/test_parse.cpp b/tests/test_parse.cpp
index 1b1e807..7bb2663 100644
--- a/tests/test_parse.cpp
+++ b/tests/test_parse.cpp
@@ -1091,3 +1091,17 @@ TEST(parse_close_tag_eof)
CHECK(doc.load_buffer_inplace(test2, 12 * sizeof(char_t)).status == status_end_element_mismatch);
CHECK_STRING(doc.first_child().name(), STR("node"));
}
+
+TEST(parse_fuzz_doctype)
+{
+ unsigned char data[] =
+ {
+ 0x3b, 0x3c, 0x21, 0x44, 0x4f, 0x43, 0x54, 0x59, 0x50, 0x45, 0xef, 0xbb, 0xbf, 0x3c, 0x3f, 0x78,
+ 0x6d, 0x6c, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x22,
+ 0x3f, 0x3e, 0x3c, 0x21, 0x2d, 0x2d, 0x20, 0xe9, 0x80, 0xb1, 0xe5, 0xa0, 0xb1, 0xe3, 0x82, 0xb4,
+ 0xe3, 0x83, 0xb3, 0x20, 0xef, 0x83, 0x97, 0xe3, 0xa9, 0x2a, 0x20, 0x2d, 0x2d, 0x3e
+ };
+
+ xml_document doc;
+ CHECK(doc.load_buffer(data, sizeof(data)).status == status_bad_doctype);
+}
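Review bot: The `data` array in `parse_fuzz_doctype` gives no hint of what it encodes, so a reader cannot tell which edge the test guards without decoding it by hand. Decoded, the bytes are `;<!DOCTYPE`, a UTF-8 BOM, `<?xml version="1.0"?>`, `<!-- `, several multi-byte UTF-8 sequences (one truncated), `* ` and finally `-->` as the last three bytes of the buffer, so a comment above the array such as `// fuzzer-found input: a DOCTYPE whose "-->" comment terminator is the final three bytes of the buffer (regression test for the s += 4 -> s += 3 fix in the doctype parser)` would document the case. Since `load_buffer` is given the exact `sizeof(data)` with no trailing terminator, that exact-end placement is what makes the test meaningful and is worth stating.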