return SUCCESS;
}
+void fuzzer_request_shutdown()
+{
+ /* Destroy thrown exceptions. This does not happen as part of request shutdown. */
+ if (EG(exception)) {
+ zend_object_release(EG(exception));
+ EG(exception) = NULL;
+ }
+
+ /* Some fuzzers (like unserialize) may create circular structures. Make sure we free them.
+ * Two calls are performed to handle objects with destructors. */
+ zend_gc_collect_cycles();
+ zend_gc_collect_cycles();
+
+ php_request_shutdown(NULL);
+}
+
+/* Set up a dummy stack frame so that exceptions may be thrown. */
+void fuzzer_setup_dummy_frame()
+{
+ static zend_execute_data execute_data;
+ static zend_function func;
+
+ memset(&execute_data, 0, sizeof(zend_execute_data));
+ memset(&func, 0, sizeof(zend_function));
+
+ func.type = ZEND_INTERNAL_FUNCTION;
+ func.common.function_name = ZSTR_EMPTY_ALLOC();
+ execute_data.func = &func;
+ EG(current_execute_data) = &execute_data;
+}
+
void fuzzer_set_ini_file(const char *file)
{
if (fuzzer_module.php_ini_path_override) {
+----------------------------------------------------------------------+
*/
-int fuzzer_init_php();
-int fuzzer_request_startup();
+int fuzzer_init_php(void);
+int fuzzer_request_startup(void);
+void fuzzer_request_shutdown(void);
+void fuzzer_setup_dummy_frame(void);
void fuzzer_call_php_func(const char *func_name, int nargs, char **params);
void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args);
int fuzzer_do_request_from_buffer(char *filename, char *data, size_t data_len);
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
unsigned char *orig_data = malloc(Size+1);
- zend_execute_data execute_data;
- zend_function func;
-
memcpy(orig_data, Data, Size);
orig_data[Size] = '\0';
- if (fuzzer_request_startup()==FAILURE) {
+ if (fuzzer_request_startup() == FAILURE) {
return 0;
}
- /* Set up a dummy stack frame so that exceptions may be thrown. */
- {
- memset(&execute_data, 0, sizeof(zend_execute_data));
- memset(&func, 0, sizeof(zend_function));
-
- func.type = ZEND_INTERNAL_FUNCTION;
- func.common.function_name = ZSTR_EMPTY_ALLOC();
- execute_data.func = &func;
- EG(current_execute_data) = &execute_data;
- }
+ fuzzer_setup_dummy_frame();
{
const unsigned char *data = orig_data;
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
zval_ptr_dtor(&result);
-
- /* Destroy any thrown exception. */
- if (EG(exception)) {
- zend_object_release(EG(exception));
- EG(exception) = NULL;
- }
}
- /* Unserialize may create circular structure. Make sure we free them.
- * Two calls are performed to handle objects with destructors. */
- zend_gc_collect_cycles();
- zend_gc_collect_cycles();
- php_request_shutdown(NULL);
-
free(orig_data);
+ fuzzer_request_shutdown();
return 0;
}
#include "ext/standard/php_var.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
- zend_execute_data execute_data;
- zend_function func;
const uint8_t *Start = memchr(Data, '|', FullSize);
if (!Start) {
return 0;
memcpy(orig_data, Start, Size);
orig_data[Size] = '\0';
- if (fuzzer_request_startup()==FAILURE) {
+ if (fuzzer_request_startup() == FAILURE) {
return 0;
}
- /* Set up a dummy stack frame so that exceptions may be thrown. */
- {
- memset(&execute_data, 0, sizeof(zend_execute_data));
- memset(&func, 0, sizeof(zend_function));
-
- func.type = ZEND_INTERNAL_FUNCTION;
- func.common.function_name = ZSTR_EMPTY_ALLOC();
- execute_data.func = &func;
- EG(current_execute_data) = &execute_data;
- }
+ fuzzer_setup_dummy_frame();
{
const unsigned char *data = orig_data;
}
zval_ptr_dtor(&result);
-
- /* Destroy any thrown exception. */
- if (EG(exception)) {
- zend_object_release(EG(exception));
- EG(exception) = NULL;
- }
}
- /* Unserialize may create circular structure. Make sure we free them.
- * Two calls are performed to handle objects with destructors. */
- zend_gc_collect_cycles();
- zend_gc_collect_cycles();
- php_request_shutdown(NULL);
-
free(orig_data);
+ fuzzer_request_shutdown();
return 0;
}
--- /dev/null
+<?php
+require __DIR__ . '/generate_unserialize_dict.php';
+require __DIR__ . '/generate_unserializehash_corpus.php';
+require __DIR__ . '/generate_parser_corpus.php';
projects / php / commitdiff