googleprojectzero / domato Goto Github PK

I'm trying to make a grammar that embeds XML and XSL into CSS used in a private document editor, but I do not understand why I can not use:

htmlgrammar.generate_symbol('style_value')

I created another section:

<cssurl> = url(<xmlelement_xml>)

Error:

...
...
  File "/Users/agarcia/domato/grammar.py", line 347, in _select_creator
    raise GrammarError('No creators for type ' + symbol)
grammar.GrammarError: No creators for type xmlelement_xml

Result should be:

cssurl = URL(data:mimetype;<xml.....>)

In grammar.py, line 524:

        for v in new_vars:
            if v['type'] not in _NONINTERESTING_TYPES:
                self._add_variable(v['name'], v['type'], context)
                additional_lines.append("if (!" + v['name'] + ") { " + v['name'] + " = GetVariable(fuzzervars, '" + v['type'] + "'); } else { " + self._get_variable_setters(v['name'], v['type']) + " }")

after run generate.py，these code will generate something like:

try { if (!fuzzvar00001) { fuzzvar00001 = GetVariable(fuzzervars, 'element'); } else { SetVariable(fuzzvar00001, 'element');  } } catch(e) {}

=>

fuzzervars = {}
function GetVariable(fuzzervars, var_type) { if(fuzzervars[var_type]) { return fuzzervars[var_type]; } else { return null; }}
function SetVariable(fuzzervars, var_name, var_type) { fuzzervars[var_type] = var_name; }

I guess something wrong in SetVariable, and it should be :

SetVariable(fuzzervars, fuzzvar00001, 'element')

please check it, thanx

Basic support was added in 127b7f2

Igalia sent the intent-to-ship for MathML Core in Chromium last week and we were asked about support for MathML in fuzzers. Specifically, @dbratell asked "Do the fuzzing tools have support for mathml elements? If not, you should probably add a to-do item to teach them.".

So just opening this as a TODO.

I noticed that the CVEs referred are bit old despite the fact that i was able to discover the recent CVE-2022-3040 with Domato.

I didn't know that this Domato finding was CVE-2022-3040, but when i tired to submit the bug i found a similar crash reported and submitted for the same code few months ago and then it was labeled as CVE-2022-3040 ( i wish i was bit faster :) )

I think we can add this new CVE ref in the readme ?

I can share the Domato output that triggered this crash identified in CVE-2022-3040, this was generated using the default template !

Hi,

"=" symbol is different in basic syntax and lines syntax.
In basic syntax, the left symbol will be expanded by the right symbol.
But in lines syntax, it's just an equal symbol instead of expanding the left symbol.

If there exists some way that we can define symbols that can be expanded in lines instead of ending up in the output?

For example, I have a recursion expression in lines, which will new variables, the number of variables is according to the recursion depth. And I need basic syntax's "=" to define the recursion expression, but I also need the "new" features in lines syntax. So I may need some way that domato can define a symbol that can be expanded in lines instead of outputting it.

Or this problem can be solved by other ways?

hi , at first , it's a great project!
i am a bit confused with GetVariable and SetVariable

at template and output file , call GetVariable/SetVariable mismatch of declare

function SetVariable(fuzzervars, var_name, var_type) { fuzzervars[var_type] = var_name; }
....
try { /* newvar{var00005:HTMLTemplateElement} */ var var00005 = document.createElement("template"); } catch(e) { }
try { if (!var00005) { var00005 = GetVariable(fuzzervars, 'HTMLTemplateElement'); } else { SetVariable(var00005, 'HTMLTemplateElement'); SetVariable(var00005, 'Element'); SetVariable(var00005, 'GlobalEventHandlers'); SetVariable(var00005, 'EventTarget');  } } catch(e) { }

i am wonder what's your really goal of these generated code

at grammar.py(528 ~ 532) you just generate var with 2 params

for v in new_vars:
            if v['type'] not in _NONINTERESTING_TYPES:
                self._add_variable(v['name'], v['type'], context)
                additional_lines.append("if (!" + v['name'] + ") { " + v['name'] + " = GetVariable(fuzzervars, '" + v['type'] + "'); } else { " + self._get_variable_setters(v['name'], v['type']) + " }")

thank you!