Bug 38841 - Fuzz XML file filters
Summary: Fuzz XML file filters
Status: RESOLVED MOVED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): unspecified
Hardware: Other All
Importance: medium normal
Assignee: Sriyan Fernando
URL:
Whiteboard:
Keywords: difficultyBeginner, easyHack, skillScript, topicDebug
Depends on:
Blocks:
 
Reported: 2011-06-30 09:33 UTC by Björn Michaelsen
Modified: 2017-07-26 19:11 UTC
CC List: 8 users

See Also:
Crash report or crash signature:


Description Björn Michaelsen 2011-06-30 09:33:49 UTC
Fuzz XML file filters

Background: The XML file filters are protected from casual binary fuzzing by the zip de-compression, and the XML parser - thus they get little real, hard-core testing. Morten Welinder (of gnumeric fame) has written a nice, simple perl XML fuzzer - which you can find here: http://git.gnome.org/browse/gnumeric/tree/test/fuzzxml - the idea is to get a complex, existing XML document - and to swap it about randomly into a new one, then load that inside LibreOffice, and see if it crashes - if it does, file a bug report with the file (or fix the crash). You will need to unzip, fuzz, and re-zip up an ODF file (which requires the mimetype as the first entry, and no compression, i.e. zip -0).

Skills: shell, basic XML experience, optionally bit of debugger
Comment 1 Juan Jose Pablos 2011-12-17 07:27:18 UTC
Something like this, right?
---------------------
unzip -d example example.odt
# gnumeric's fuzzer is called fuzzxml: input file, then output file
perl fuzzxml example/content.xml example/newcontent.xml
mv example/newcontent.xml example/content.xml
cd example
# mimetype must be the first entry and stored uncompressed (zip -0)
zip -0 ../test.odt mimetype
# add the rest, but do not let the second zip run re-add mimetype compressed
zip -r ../test.odt . -x mimetype
cd ..
rm -r example
libreoffice test.odt
-----------
Comment 2 Michael Meeks 2011-12-17 13:35:06 UTC
Sure - that's the right idea; worth turning into a script I guess :-) Then of course, we need to re-load the file, notice it crashing left and right - and try to find out why & how to patch that;

It's quite a job - as/when you find a crasher, if it's not obvious it'd be great to work together on that.

And of course, the more complex and tangled the input document - using as many weirdo features as possible ;-) the better the attack surface from fuzzing.

ATB.
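The script Michael suggests turning this into, as an added example that is not from the bug report, LibreOffice or gnumeric: it unpacks the seed document, fuzzes content.xml, repacks it following the mimetype-first, zip -0 rule from the description, checks that rule on the raw bytes, and keeps any input on which a headless soffice run exits abnormally. It assumes fuzzxml takes input and output file arguments (as used in comment 1) and that unzip, zip, timeout and soffice are on PATH.

```shell
#!/bin/sh
# Added example, not the bug's own script: fuzz an ODF file with gnumeric's
# fuzzxml, repack it as a valid ODF package, keep inputs that crash LibreOffice.
# Assumes fuzzxml (in/out arguments, as in comment 1), unzip, zip, timeout and
# soffice on PATH.
# 16-bit little-endian value at byte offset $2 of file $1 (od prints host order).
le16() {
    set -- $(od -An -tu1 -j"$2" -N2 "$1")
    [ $# -eq 2 ] && echo $(( $1 + 256 * $2 ))
}

# Packaging rule from the description: first zip entry is "mimetype", stored
# (method 0), so the type can be sniffed from the raw bytes.
odf_mimetype_first() {
    f=$1
    set -- $(od -An -tu1 -N4 "$f")                # local file header signature
    [ "$1 $2 $3 $4" = "80 75 3 4" ] || return 1   # "PK\003\004"
    [ "$(le16 "$f" 8)" = 0 ] || return 1          # compression method
    [ "$(le16 "$f" 26)" = 8 ] || return 1         # file name length
    [ "$(dd if="$f" bs=1 skip=30 count=8 2>/dev/null)" = mimetype ]
}

# Rebuild $2 from unpacked dir $1: mimetype first and uncompressed (zip -0), then
# the rest, excluding mimetype so the second zip run does not re-add it deflated.
repack_odf() {
    out=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    rm -f "$out"
    (cd "$1" && zip -q -X -0 "$out" mimetype && zip -q -X -r "$out" . -x mimetype)
}

# $2 fuzz iterations on seed document $1; every nonzero soffice exit (a signal
# exit or 124 from timeout is the interesting case) is copied into $3 for triage.
fuzz_odf() {
    mkdir -p "$3"; i=0
    while [ "$i" -lt "$2" ]; do
        i=$((i + 1)); work=$(mktemp -d)
        unzip -q -d "$work/doc" "$1"
        fuzzxml "$work/doc/content.xml" "$work/fuzzed.xml"   # random reshuffle
        mv "$work/fuzzed.xml" "$work/doc/content.xml"
        repack_odf "$work/doc" "$work/case.odt"
        odf_mimetype_first "$work/case.odt" || { echo "bad package" >&2; return 1; }
        rc=0
        timeout 60 soffice --headless --convert-to pdf --outdir "$work" \
            "$work/case.odt" >/dev/null 2>&1 || rc=$?
        [ "$rc" -eq 0 ] || cp "$work/case.odt" "$3/crash-$i-rc$rc.odt"
        rm -rf "$work"
    done
}
if [ $# -eq 3 ]; then fuzz_odf "$1" "$2" "$3"; fi
```

Run it as `sh fuzz-odf.sh seed.odt 200 crashers/`; odf_mimetype_first reads only the first local file header, so it checks the repacked package without unzip.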
Comment 3 Florian Reisinger 2012-05-18 09:00:18 UTC
Deleted "Easyhack" from summary
Comment 4 Björn Michaelsen 2013-10-04 18:47:50 UTC
adding LibreOffice developer list as CC to unresolved EasyHacks for better visibility.

see e.g. http://nabble.documentfoundation.org/minutes-of-ESC-call-td4076214.html for details
Comment 5 John Smith 2014-04-21 19:10:51 UTC
proposed a change to dev-tools: An implementation of easyhack bug #38841.  https://gerrit.libreoffice.org/9114
Comment 6 John Smith 2014-04-22 13:59:05 UTC
Abandoned the patch; resetting assignee to default.
Comment 7 Robinson Tryon (qubit) 2015-12-14 06:51:42 UTC Comment hidden (obsolete)
Comment 8 Björn Michaelsen 2016-01-26 18:04:51 UTC
Remove skillDebug, superseded by topicDebug.
Comment 9 Robinson Tryon (qubit) 2016-02-18 14:52:33 UTC Comment hidden (obsolete)
Comment 10 Dennis Roczek 2017-03-30 13:05:57 UTC
Hi caolan, 

is that ticket still open? Didn't you already implement a fuzzer because of ofz?

Dennis
Comment 11 Caolán McNamara 2017-03-30 14:48:34 UTC
Haven't got to the xml file formats yet, but it's just a matter of time I guess, couple of weeks maybe
Comment 12 Sriyan Fernando 2017-06-20 15:44:00 UTC
I'm working on this bug
Comment 13 Xisco Faulí 2017-07-21 02:30:14 UTC Comment hidden (obsolete)
Comment 14 Xisco Faulí 2017-07-26 19:11:10 UTC
I guess we can close this one as RESOLVED MOVED since we use the oss-fuzzers, and sooner or later, we will fuzz the xml there too.