How to fuzz Expat
Python's xml.parsers.expat wraps this library, so a single overflow in Expat cascades into the interpreter.
Expat is the default XML parser in Python's standard library and also ships with Apache httpd and Subversion. Its streaming SAX design accepts input in partial buffers, so it must handle tokens that straddle chunk boundaries; bugs at those edges are a class that fuzzing finds efficiently.
Common bug classes
- Heap buffer overflow in XML_Parse buffer reallocation
- Integer overflow in encoding byte-count arithmetic
- Out-of-bounds read on truncated multi-byte character
- Use-after-free in namespace prefix hash table resize
- Null dereference on empty root element with namespace
Recommended setup
Fuzzers
- AFL++
- libFuzzer
- Honggfuzz
Sanitizers
- ASan
- UBSan
Harness scaffold

```c
#include <stdint.h>
#include <stddef.h>
#include <expat.h>

/* libFuzzer entry point: parse the whole input in one call and let
 * ASan/UBSan flag memory errors. The extern "C" is required when this is
 * built as C++ (fuzz_target.cc); without it the symbol is name-mangled and
 * the fuzzer driver cannot link against it. */
#ifdef __cplusplus
extern "C"
#endif
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    XML_Parser p = XML_ParserCreate(NULL);
    if (!p) return 0;
    XML_Parse(p, (const char *)data, (int)size, 1 /* isFinal */);
    XML_ParserFree(p);
    return 0;
}
```

Save this as fuzz_target.cc, build with your compiler and sanitizer flags, and you have a working starting point.
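The scaffold hands the whole input to XML_Parse in one isFinal=1 call, so the partial-buffer paths mentioned above are never reached. The following is an added example, not code from the page or the Expat project: a harness in which the fuzzer chooses where the chunk boundaries fall. It assumes the first input byte is a control prefix giving the chunk length; feed_in_chunks, feed_record and feed_expat are names introduced here, and the Expat entry point is compiled with -DFUZZ_EXPAT and linked with -lexpat.

```c
/* Chunked Expat harness (added example): the single-shot scaffold never reaches
 * Expat's partial-buffer paths, so here the fuzzer decides where boundaries fall.
 * Assumption: input byte 0 is a control prefix = chunk length (0: one piece). */
#include <stdint.h>
#include <stddef.h>
/* Sink receiving one piece of the document; returns 0 to stop early. */
typedef int (*feed_fn)(void *ctx, const char *buf, int len, int is_final);
/* Feed data[1..size) to `feed` in `data[0]`-byte pieces, then make the empty
 * is_final=1 call a streaming caller makes at end of input.
 * Returns the number of feed calls, or -1 if the sink reported an error. */
int feed_in_chunks(const uint8_t *data, size_t size, feed_fn feed, void *ctx)
{
    if (size == 0) return 0;
    size_t left = size - 1;
    size_t chunk = data[0] ? data[0] : left;     /* chunk >= 1 whenever left > 0 */
    const char *p = (const char *)data + 1;
    int calls = 0;
    while (left > 0) {
        size_t n = left < chunk ? left : chunk;
        if (!feed(ctx, p, (int)n, 0)) return -1; /* stop at the first parse error */
        p += n; left -= n; calls++;
    }
    if (!feed(ctx, p, 0, 1)) return -1;          /* final, possibly empty, call */
    return calls + 1;
}

/* Recording sink so the boundary logic can be checked without libexpat. */
typedef struct { int calls, last_len, saw_final; size_t total; } record_t;
static int feed_record(void *ctx, const char *buf, int len, int is_final)
{
    record_t *r = ctx; (void)buf;
    r->calls++; r->last_len = len; r->total += (size_t)len; r->saw_final |= is_final;
    return 1;
}
#ifdef FUZZ_EXPAT /* clang -fsanitize=fuzzer,address -DFUZZ_EXPAT harness.c -lexpat */
#include <expat.h>
static int feed_expat(void *ctx, const char *buf, int len, int is_final)
{   /* a boundary inside a multi-byte character or tag name is the case to hit */
    return XML_Parse((XML_Parser)ctx, buf, len, is_final) != XML_STATUS_ERROR;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    XML_Parser p = XML_ParserCreate(NULL);
    if (!p) return 0;
    feed_in_chunks(data, size, feed_expat, p);
    XML_ParserFree(p);
    return 0;
}
#endif
```

Because the chunk length lives in the input, a coverage-guided fuzzer can move a boundary one byte at a time through a tag name or a multi-byte character, which is where the out-of-bounds read and reallocation bugs listed above live.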
Notable CVEs found by fuzzing
- CVE-2022-23852
- CVE-2022-25313