blob: 8dce02f4cc965750894721fb6a6a8759b2ea2279 [file] [log] [blame]
// Copyright 2021 The PDFium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <fuzzer/FuzzedDataProvider.h>
#include <cctype>
#include <string>
#include "public/fpdf_formfill.h"
#include "testing/fuzzers/pdf_fuzzer_templates.h"
#include "testing/fuzzers/pdfium_fuzzer_helper.h"
class PDFiumXFAFuzzer : public PDFiumFuzzerHelper {
PDFiumXFAFuzzer() = default;
~PDFiumXFAFuzzer() override = default;
int GetFormCallbackVersion() const override { return 2; }
// Return false if XFA doesn't load as otherwise we're duplicating the work
// done by the non-xfa fuzzer.
bool OnFormFillEnvLoaded(FPDF_DOCUMENT doc) override {
int form_type = FPDF_GetFormType(doc);
if (form_type != FORMTYPE_XFA_FULL && form_type != FORMTYPE_XFA_FOREGROUND)
return false;
return FPDF_LoadXFA(doc);
bool IsValidForFuzzing(const uint8_t* data, size_t size) {
if (size > 2048) {
return false;
const char* ptr = reinterpret_cast<const char*>(data);
bool is_open = false;
size_t tag_size = 0;
for (size_t i = 0; i < size; i++) {
if (!std::isspace(ptr[i]) && !std::isprint(ptr[i])) {
return false;
// We do not want any script tags. The reason is this fuzzer
// should avoid exploring v8 code. Avoiding anything with "script"
// is an over-approximation, in that some inputs may contain "script"
// and still be a valid fuzz-case. However, this over-approximation is
// used to enforce strict constraints and avoid cases where whitespace
// may play a role, or other tags, e.g. "Javascript" will end up triggering
// large explorations of v8 code. The alternative we considered were
// "<script"
if (i + 6 < size && memcmp(ptr + i, "script", 6) == 0) {
return false;
if (ptr[i] == '<') {
if (is_open) {
return false;
is_open = true;
tag_size = 0;
} else if (ptr[i] == '>') {
if (!is_open || tag_size == 0) {
return false;
is_open = false;
} else if (is_open) {
// we must close the last bracket.
return !is_open;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// Filter the string to reduce the state space exploration.
if (!IsValidForFuzzing(data, size)) {
return 0;
std::string xfa_string = "<xdp xmlns=\"\">";
xfa_string += std::string(reinterpret_cast<const char*>(data), size);
xfa_string += "</xdp>";
// Add 1 for newline before endstream.
std::string xfa_stream_len = std::to_string(xfa_string.size() + 1);
// Compose the fuzzer
std::string xfa_final_str = std::string(kSimplePdfTemplate);
xfa_final_str.replace(xfa_final_str.find("$1"), 2, xfa_stream_len);
xfa_final_str.replace(xfa_final_str.find("$2"), 2, xfa_string);
for (size_t i = 0; i < xfa_final_str.size(); i++) {
putc(xfa_final_str[i], stdout);
PDFiumXFAFuzzer fuzzer;
fuzzer.RenderPdf(xfa_final_str.c_str(), xfa_final_str.size());
return 0;