From 8402848c65dd5b886b24f8821cf1fd415b94f22d Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 24 Mar 2024 15:51:21 +0100
Subject: [PATCH] fuzz: Test more parser entry points

Use the upper bits of 'options' to select a parser mode from
- cmark_parse_document
- cmark_parse_file
- cmark_parser_new/feed/finish
- cmark_markdown_to_html
---
 fuzz/cmark-fuzz.c | 58 +++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 49 insertions(+), 9 deletions(-)

diff --git a/fuzz/cmark-fuzz.c b/fuzz/cmark-fuzz.c
index b078e3dc7..b29063252 100644
--- a/fuzz/cmark-fuzz.c
+++ b/fuzz/cmark-fuzz.c
@@ -1,4 +1,8 @@
+/* for fmemopen */
+#define _POSIX_C_SOURCE 200809L
+
 #include
+#include
 #include
 #include
 #include "cmark.h"
@@ -12,22 +16,58 @@ int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 if (size >= sizeof(fuzz_config)) {
 /* The beginning of `data` is treated as fuzzer configuration */
 memcpy(&fuzz_config, data, sizeof(fuzz_config));
+ int options = fuzz_config.options;
 /* Mask off valid option bits */
- fuzz_config.options &= (CMARK_OPT_SOURCEPOS | CMARK_OPT_HARDBREAKS | CMARK_OPT_UNSAFE | CMARK_OPT_NOBREAKS | CMARK_OPT_NORMALIZE | CMARK_OPT_VALIDATE_UTF8 | CMARK_OPT_SMART);
+ options &= (CMARK_OPT_SOURCEPOS | CMARK_OPT_HARDBREAKS | CMARK_OPT_UNSAFE | CMARK_OPT_NOBREAKS | CMARK_OPT_NORMALIZE | CMARK_OPT_VALIDATE_UTF8 | CMARK_OPT_SMART);
 /* Remainder of input is the markdown */
 const char *markdown = (const char *)(data + sizeof(fuzz_config));
- const size_t markdown_size = size - sizeof(fuzz_config);
- cmark_node *doc = cmark_parse_document(markdown, markdown_size, fuzz_config.options);
+ size_t markdown_size = size - sizeof(fuzz_config);
+ cmark_node *doc = NULL;
+
+ /* Use upper bits of options to select parsing mode */
+ switch (((unsigned) fuzz_config.options >> 30) & 3) {
+ case 0:
+ doc = cmark_parse_document(markdown, markdown_size, options);
+ break;
+
+ case 1: {
+ FILE *file = fmemopen((void *) markdown, markdown_size, "r");
+ doc = cmark_parse_file(file, options);
+ fclose(file);
+ break;
+ }
+
+ case 2: {
+ size_t block_max = 20;
+ cmark_parser *parser = cmark_parser_new(options);
+
+ while (markdown_size > 0) {
+ size_t block_size = markdown_size > block_max ? block_max : markdown_size;
+ cmark_parser_feed(parser, markdown, block_size);
+ markdown += block_size;
+ markdown_size -= block_size;
+ }
+
+ doc = cmark_parser_finish(parser);
+ break;
+ }
+
+ case 3:
+ free(cmark_markdown_to_html(markdown, markdown_size, options));
+ break;
+ }
- free(cmark_render_commonmark(doc, fuzz_config.options, fuzz_config.width));
- free(cmark_render_html(doc, fuzz_config.options));
- free(cmark_render_latex(doc, fuzz_config.options, fuzz_config.width));
- free(cmark_render_man(doc, fuzz_config.options, fuzz_config.width));
- free(cmark_render_xml(doc, fuzz_config.options));
+ if (doc != NULL) {
+ free(cmark_render_commonmark(doc, options, fuzz_config.width));
+ free(cmark_render_html(doc, options));
+ free(cmark_render_latex(doc, options, fuzz_config.width));
+ free(cmark_render_man(doc, options, fuzz_config.width));
+ free(cmark_render_xml(doc, options));
- cmark_node_free(doc);
+ cmark_node_free(doc);
+ }
 }
 return 0;
 }
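Review bot: The `FILE *` returned by `fmemopen` in case 1 is handed to `cmark_parse_file` and then `fclose` without a NULL check, and `fmemopen` can fail here — `markdown_size` is 0 whenever the input is exactly `sizeof(fuzz_config)` bytes (older glibc rejects a zero-length buffer with EINVAL), and it allocates internally — so a failure turns into a NULL dereference and `fclose(NULL)` (undefined behavior) that the fuzzer would report as a crash in cmark rather than in the harness. Guard it: `if (file != NULL) { doc = cmark_parse_file(file, options); fclose(file); }`. The `(void *) markdown` cast discards const on the fuzzer-owned input; opening in `"r"` mode means it is never written through, but a short comment such as `/* "r" mode: buffer is only read, so the const cast is safe */` would stop the next reader from "fixing" it. The enclosing function `LLVMFuzzerTestOneInput` starts outside the hunk.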