/src/php-src/sapi/fuzzer/fuzzer-unserializehash.c

Source
/*
   +----------------------------------------------------------------------+
   | Copyright © The PHP Group and Contributors.                          |
   +----------------------------------------------------------------------+
   | This source file is subject to the Modified BSD License that is      |
   | bundled with this package in the file LICENSE, and is available      |
   | through the World Wide Web at <https://www.php.net/license/>.        |
   |                                                                      |
   | SPDX-License-Identifier: BSD-3-Clause                                |
   +----------------------------------------------------------------------+
 */


#include "fuzzer.h"

#include "Zend/zend.h"
#include <main/php_config.h>
#include "main/php_main.h"

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

#include "fuzzer-sapi.h"

#include "ext/standard/php_var.h"

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
  const uint8_t *Start = memchr(Data, '|', FullSize);
  if (!Start) {
    return 0;
  }
  ++Start;

  if (fuzzer_request_startup() == FAILURE) {
    return 0;
  }

  size_t Size = (Data + FullSize) - Start;
  unsigned char *orig_data = malloc(Size+1);
  memcpy(orig_data, Start, Size);
  orig_data[Size] = '\0';

  fuzzer_setup_dummy_frame();

  {
    const unsigned char *data = orig_data;
    zval result;
    ZVAL_UNDEF(&result);

    php_unserialize_data_t var_hash;
    PHP_VAR_UNSERIALIZE_INIT(var_hash);
    php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
    PHP_VAR_UNSERIALIZE_DESTROY(var_hash);

    if (Z_TYPE(result) == IS_OBJECT
      && zend_string_equals_literal(Z_OBJCE(result)->name, "HashContext")) {
      zval args[2];
      ZVAL_COPY_VALUE(&args[0], &result);
      ZVAL_STRINGL(&args[1], (char *) Data, (Start - Data) - 1);
      fuzzer_call_php_func_zval("hash_update", 2, args);
      zval_ptr_dtor(&args[1]);
      fuzzer_call_php_func_zval("hash_final", 1, args);
    }

    zval_ptr_dtor(&result);
  }

  free(orig_data);

  fuzzer_request_shutdown();
  return 0;
}

int LLVMFuzzerInitialize(int *argc, char ***argv) {
  fuzzer_init_php(NULL);

  /* fuzzer_shutdown_php(); */
  return 0;
}

Line	Count	Source
1		/*
2		+----------------------------------------------------------------------+
3		\| Copyright © The PHP Group and Contributors. \|
4		+----------------------------------------------------------------------+
5		\| This source file is subject to the Modified BSD License that is \|
6		\| bundled with this package in the file LICENSE, and is available \|
7		\| through the World Wide Web at <https://www.php.net/license/>. \|
8		\| \|
9		\| SPDX-License-Identifier: BSD-3-Clause \|
10		+----------------------------------------------------------------------+
11		*/
12
13
14		#include "fuzzer.h"
15
16		#include "Zend/zend.h"
17		#include <main/php_config.h>
18		#include "main/php_main.h"
19
20		#include <stdio.h>
21		#include <stdint.h>
22		#include <stdlib.h>
23
24		#include "fuzzer-sapi.h"
25
26		#include "ext/standard/php_var.h"
27
28	38.8k	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
29	38.8k	const uint8_t *Start = memchr(Data, '\|', FullSize);
30	38.8k	if (!Start) {
31	1	return 0;
32	1	}
33	38.8k	++Start;
34
35	38.8k	if (fuzzer_request_startup() == FAILURE) {
36	0	return 0;
37	0	}
38
39	38.8k	size_t Size = (Data + FullSize) - Start;
40	38.8k	unsigned char *orig_data = malloc(Size+1);
41	38.8k	memcpy(orig_data, Start, Size);
42	38.8k	orig_data[Size] = '\0';
43
44	38.8k	fuzzer_setup_dummy_frame();
45
46	38.8k	{
47	38.8k	const unsigned char *data = orig_data;
48	38.8k	zval result;
49	38.8k	ZVAL_UNDEF(&result);
50
51	38.8k	php_unserialize_data_t var_hash;
52	38.8k	PHP_VAR_UNSERIALIZE_INIT(var_hash);
53	38.8k	php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
54	38.8k	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
55
56	38.8k	if (Z_TYPE(result) == IS_OBJECT
57	22.8k	&& zend_string_equals_literal(Z_OBJCE(result)->name, "HashContext")) {
58	2.08k	zval args[2];
59	2.08k	ZVAL_COPY_VALUE(&args[0], &result);
60	2.08k	ZVAL_STRINGL(&args[1], (char *) Data, (Start - Data) - 1);
61	2.08k	fuzzer_call_php_func_zval("hash_update", 2, args);
62	2.08k	zval_ptr_dtor(&args[1]);
63	2.08k	fuzzer_call_php_func_zval("hash_final", 1, args);
64	2.08k	}
65
66	38.8k	zval_ptr_dtor(&result);
67	38.8k	}
68
69	38.8k	free(orig_data);
70
71	38.8k	fuzzer_request_shutdown();
72	38.8k	return 0;
73	38.8k	}
74
75	2	int LLVMFuzzerInitialize(int argc, char **argv) {
76	2	fuzzer_init_php(NULL);
77
78		/* fuzzer_shutdown_php(); */
79	2	return 0;
80	2	}

Coverage Report

Created: 2026-06-02 06:37