added fuzzing support

gumbo-parser/.gitignore

@@ -1,3 +1,5 @@
 build
 googletest
 src/*.o
+fuzzer/build
+src/libgumbo.a

gumbo-parser/Makefile

@@ -13,6 +13,20 @@ LDFLAGS := -pthread
 
 all: check
 
+fuzzing: fuzzer-normal fuzzer-asan fuzzer-ubsan fuzzer-msan
+
+fuzzer-normal:
+	cd fuzzer && ./build.sh && cd -
+
+fuzzer-asan:
+	cd fuzzer && SANITIZER=address ./build.sh && cd -
+
+fuzzer-ubsan:
+	cd fuzzer && SANITIZER=undefined ./build.sh && cd -
+
+fuzzer-msan:
+	cd fuzzer && SANITIZER=memory ./build.sh && cd -
+
 # don't try to regenerate ragel or gperf files in CI, that should be a development-only action and
 # the generated files should be committed to SCM
 ifneq ($(CI),true)
@@ -81,6 +95,7 @@ coverage:
 
 clean:
 	$(RM) -r build
+	$(RM) -r fuzzer/build
 
 build/src/flags: | build/src
 	@echo 'old_CC := $(CC)' > $@

gumbo-parser/fuzzer/build.sh

@@ -0,0 +1,46 @@
+export SANITIZER_OPTS=""
+export SANITIZER_LINK=""
+
+if [ -z "${LLVM_CONFIG}" ]
+then
+  echo '$LLVM_CONFIG has not been configured, expecting "export LLVM_CONFIG=/usr/bin/llvm-config-12" assuming clang-12 is installed, however any clang version works'
+  exit
+fi
+
+if [ ! -d "build" ]
+then
+  mkdir build
+fi
+
+export CC="$(llvm-config-12 --bindir)/clang"
+export CXX="$(llvm-config-12 --bindir)/clang++"
+export CXXFLAGS="-fsanitize=fuzzer-no-link"
+export CFLAGS="-fsanitize=fuzzer-no-link"
+export ENGINE_LINK="$(find $($LLVM_CONFIG --libdir) -name libclang_rt.fuzzer-x86_64.a | head -1)"
+
+if [ "$SANITIZER" = "undefined" ]
+then
+  export SANITIZER_OPTS="-fsanitize=undefined"
+  export SANITIZER_LINK="$(find $($LLVM_CONFIG --libdir) -name libclang_rt.ubsan_standalone_cxx-x86_64.a | head -1)"
+fi
+if [ "$SANITIZER" = "address" ]
+then
+  export SANITIZER_OPTS="-fsanitize=address"
+  export SANITIZER_LINK="$(find $($LLVM_CONFIG --libdir) -name libclang_rt.asan_cxx-x86_64.a | head -1)"
+fi
+if [ "$SANITIZER" = "memory" ]
+then
+  export SANITIZER_OPTS="-fsanitize=memory -fPIE -pie -Wno-unused-command-line-argument"
+  export SANITIZER_LINK="$(find $($LLVM_CONFIG --libdir) -name libclang_rt.msan_cxx-x86_64.a | head -1)"
+fi
+
+export CXXFLAGS="-O3 $CXXFLAGS $SANITIZER_OPTS"
+export CFLAGS="-O3 $CFLAGS $SANITIZER_OPTS"
+cd ../src && make clean && make && cd -
+
+if [ -z "${SANITIZER}" ]
+then
+  $CXX $CXXFLAGS -o build/parse_fuzzer parse_fuzzer.cc ../src/libgumbo.a $ENGINE_LINK $SANITIZER_LINK
+else
+  $CXX $CXXFLAGS -o build/parse_fuzzer-$SANITIZER parse_fuzzer.cc ../src/libgumbo.a $ENGINE_LINK $SANITIZER_LINK
+fi

gumbo-parser/fuzzer/parse_fuzzer.cc

@@ -0,0 +1,68 @@
+#include "../src/nokogiri_gumbo.h"
+#include <stdint.h>
+
+int SanityCheckPointers(const char* input, size_t input_length, const GumboNode* node, int depth) {
+  if (node->type == GUMBO_NODE_DOCUMENT || depth > 400) {
+    return -1;
+  }
+  if (node->type == GUMBO_NODE_ELEMENT) {
+    const GumboElement* element = &node->v.element;
+    const GumboVector* attributes = &element->attributes;
+
+    for (unsigned int i = 0; i < attributes->length; ++i) {
+      const GumboAttribute* attribute = static_cast<const GumboAttribute*>(attributes->data[i]);
+      if (!attribute)
+      {
+        return -1;
+      }
+    }
+    const GumboVector* children = &element->children;
+    for (unsigned int i = 0; i < children->length; ++i) {
+      const GumboNode* child = static_cast<const GumboNode*>(children->data[i]);
+      if (!child)
+      {
+        return -1;
+      }
+      SanityCheckPointers(input, input_length, child, depth + 1);
+    }
+  } else {
+    const GumboText* text = &node->v.text;
+    if (!text)
+    {
+      return -1;
+    }
+  }
+
+  return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size < 10)
+  {
+      return 0;
+  }
+
+  GumboOptions options = kGumboDefaultOptions;
+  GumboOutput* output;
+  GumboNode* root;
+
+  output = gumbo_parse_with_options(&options, (char*)data, size);
+  root = output->document;
+
+  int result = SanityCheckPointers((char*)data, size, output->root, 0);
+
+  if (result < 0)
+  {
+    if (output) {
+      gumbo_destroy_output(output);
+    }
+
+    return -1;
+  }
+
+  if (output) {
+    gumbo_destroy_output(output);
+  }
+
+	return 0;
+}