/src/php-src/sapi/fuzzer/fuzzer-unserialize.c

Source
/*
   +----------------------------------------------------------------------+
   | Copyright © The PHP Group and Contributors.                          |
   +----------------------------------------------------------------------+
   | This source file is subject to the Modified BSD License that is      |
   | bundled with this package in the file LICENSE, and is available      |
   | through the World Wide Web at <https://www.php.net/license/>.        |
   |                                                                      |
   | SPDX-License-Identifier: BSD-3-Clause                                |
   +----------------------------------------------------------------------+
   | Authors: Johannes Schlüter <johanes@php.net>                         |
   +----------------------------------------------------------------------+
 */


#include "fuzzer.h"

#include "Zend/zend.h"
#include <main/php_config.h>
#include "main/php_main.h"

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

#include "fuzzer-sapi.h"

#include "ext/standard/php_var.h"

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {

  if (fuzzer_request_startup() == FAILURE) {
    return 0;
  }

  unsigned char *orig_data = malloc(Size+1);
  memcpy(orig_data, Data, Size);
  orig_data[Size] = '\0';

  fuzzer_setup_dummy_frame();

  {
    const unsigned char *data = orig_data;
    zval result;
    ZVAL_UNDEF(&result);

    php_unserialize_data_t var_hash;
    PHP_VAR_UNSERIALIZE_INIT(var_hash);
    php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
    PHP_VAR_UNSERIALIZE_DESTROY(var_hash);

    zval_ptr_dtor(&result);
  }

  free(orig_data);

  fuzzer_request_shutdown();
  return 0;
}

int LLVMFuzzerInitialize(int *argc, char ***argv) {
  fuzzer_init_php(NULL);

  /* fuzzer_shutdown_php(); */
  return 0;
}

Line	Count	Source
1		/*
2		+----------------------------------------------------------------------+
3		\| Copyright © The PHP Group and Contributors. \|
4		+----------------------------------------------------------------------+
5		\| This source file is subject to the Modified BSD License that is \|
6		\| bundled with this package in the file LICENSE, and is available \|
7		\| through the World Wide Web at <https://www.php.net/license/>. \|
8		\| \|
9		\| SPDX-License-Identifier: BSD-3-Clause \|
10		+----------------------------------------------------------------------+
11		\| Authors: Johannes Schlüter <johanes@php.net> \|
12		+----------------------------------------------------------------------+
13		*/
14
15
16		#include "fuzzer.h"
17
18		#include "Zend/zend.h"
19		#include <main/php_config.h>
20		#include "main/php_main.h"
21
22		#include <stdio.h>
23		#include <stdint.h>
24		#include <stdlib.h>
25
26		#include "fuzzer-sapi.h"
27
28		#include "ext/standard/php_var.h"
29
30	38.2k	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
31
32	38.2k	if (fuzzer_request_startup() == FAILURE) {
33	0	return 0;
34	0	}
35
36	38.2k	unsigned char *orig_data = malloc(Size+1);
37	38.2k	memcpy(orig_data, Data, Size);
38	38.2k	orig_data[Size] = '\0';
39
40	38.2k	fuzzer_setup_dummy_frame();
41
42	38.2k	{
43	38.2k	const unsigned char *data = orig_data;
44	38.2k	zval result;
45	38.2k	ZVAL_UNDEF(&result);
46
47	38.2k	php_unserialize_data_t var_hash;
48	38.2k	PHP_VAR_UNSERIALIZE_INIT(var_hash);
49	38.2k	php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
50	38.2k	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
51
52	38.2k	zval_ptr_dtor(&result);
53	38.2k	}
54
55	38.2k	free(orig_data);
56
57	38.2k	fuzzer_request_shutdown();
58	38.2k	return 0;
59	38.2k	}
60
61	2	int LLVMFuzzerInitialize(int argc, char **argv) {
62	2	fuzzer_init_php(NULL);
63
64		/* fuzzer_shutdown_php(); */
65	2	return 0;
66	2	}

Coverage Report

Created: 2026-06-02 06:36