1 files changed, 76 insertions, 0 deletions

diff --git a/testing/libfuzzer/pdf_xml_fuzzer.cc b/testing/libfuzzer/pdf_xml_fuzzer.cc
new file mode 100644
index 0000000000..3eb1c8b5e5
--- /dev/null
+++ b/testing/libfuzzer/pdf_xml_fuzzer.cc
@@ -0,0 +1,76 @@
+// Copyright 2016 The PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <cstddef>
+#include <cstdint>
+#include <limits>
+#include <memory>
+
+#include "core/include/fxcrt/fx_basic.h"
+#include "core/include/fxcrt/fx_system.h"
+#include "xfa/src/foxitlib.h"
+#include "xfa/src/fxfa/src/common/xfa_common.h"
+#include "xfa/src/fxfa/src/parser/xfa_parser_imp.h"
+
+namespace {
+
+IFDE_XMLNode* XFA_FDEExtension_GetDocumentNode(
+    IFDE_XMLDoc* pXMLDoc,
+    FX_BOOL bVerifyWellFormness = FALSE) {
+  if (!pXMLDoc) {
+    return nullptr;
+  }
+  IFDE_XMLNode* pXMLFakeRoot = pXMLDoc->GetRoot();
+  for (IFDE_XMLNode* pXMLNode =
+           pXMLFakeRoot->GetNodeItem(IFDE_XMLNode::FirstChild);
+       pXMLNode; pXMLNode = pXMLNode->GetNodeItem(IFDE_XMLNode::NextSibling)) {
+    if (pXMLNode->GetType() == FDE_XMLNODE_Element) {
+      if (bVerifyWellFormness) {
+        for (IFDE_XMLNode* pNextNode =
+                 pXMLNode->GetNodeItem(IFDE_XMLNode::NextSibling);
+             pNextNode;
+             pNextNode = pNextNode->GetNodeItem(IFDE_XMLNode::NextSibling)) {
+          if (pNextNode->GetType() == FDE_XMLNODE_Element) {
+            return FALSE;
+          }
+        }
+      }
+      return pXMLNode;
+    }
+  }
+  return nullptr;
+}
+
+}  // namespace
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size > std::numeric_limits<FX_STRSIZE>::max())
+    return 0;
+
+  CFX_WideString input = CFX_WideString::FromUTF8(
+      reinterpret_cast<const char*>(data), static_cast<FX_STRSIZE>(size));
+  std::unique_ptr<IFX_Stream, ReleaseDeleter<IFX_Stream>> stream(
+      XFA_CreateWideTextRead(input));
+  if (!stream)
+    return 0;
+
+  std::unique_ptr<IFDE_XMLDoc> doc(IFDE_XMLDoc::Create());
+  if (!doc)
+    return 0;
+
+  std::unique_ptr<IFDE_XMLParser, ReleaseDeleter<IFDE_XMLParser>> parser(
+      new CXFA_XMLParser(doc->GetRoot(), stream.get()));
+  if (!parser)
+    return 0;
+
+  if (!doc->LoadXML(parser.release()))
+    return 0;
+
+  int32_t load_result = doc->DoLoad(nullptr);
+  if (load_result < 100)
+    return 0;
+
+  (void)XFA_FDEExtension_GetDocumentNode(doc.get());
+  return 0;
+}