Coverage Report

Created: 2025-06-13 06:43

/src/php-src/sapi/fuzzer/fuzzer-unserializehash.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
   +----------------------------------------------------------------------+
3
   | Copyright (c) The PHP Group                                          |
4
   +----------------------------------------------------------------------+
5
   | This source file is subject to version 3.01 of the PHP license,      |
6
   | that is bundled with this package in the file LICENSE, and is        |
7
   | available through the world-wide-web at the following url:           |
8
   | https://www.php.net/license/3_01.txt                                 |
9
   | If you did not receive a copy of the PHP license and are unable to   |
10
   | obtain it through the world-wide-web, please send a note to          |
11
   | license@php.net so we can mail you a copy immediately.               |
12
   +----------------------------------------------------------------------+
13
 */
14
15
16
#include "fuzzer.h"
17
18
#include "Zend/zend.h"
19
#include <main/php_config.h>
20
#include "main/php_main.h"
21
22
#include <stdio.h>
23
#include <stdint.h>
24
#include <stdlib.h>
25
26
#include "fuzzer-sapi.h"
27
28
#include "ext/standard/php_var.h"
29
30
65.0k
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
31
65.0k
  const uint8_t *Start = memchr(Data, '|', FullSize);
32
65.0k
  if (!Start) {
33
1
    return 0;
34
1
  }
35
65.0k
  ++Start;
36
37
65.0k
  if (fuzzer_request_startup() == FAILURE) {
38
0
    return 0;
39
0
  }
40
41
65.0k
  size_t Size = (Data + FullSize) - Start;
42
65.0k
  unsigned char *orig_data = malloc(Size+1);
43
65.0k
  memcpy(orig_data, Start, Size);
44
65.0k
  orig_data[Size] = '\0';
45
46
65.0k
  fuzzer_setup_dummy_frame();
47
48
65.0k
  {
49
65.0k
    const unsigned char *data = orig_data;
50
65.0k
    zval result;
51
65.0k
    ZVAL_UNDEF(&result);
52
53
65.0k
    php_unserialize_data_t var_hash;
54
65.0k
    PHP_VAR_UNSERIALIZE_INIT(var_hash);
55
65.0k
    php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
56
65.0k
    PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
57
58
65.0k
    if (Z_TYPE(result) == IS_OBJECT
59
65.0k
      && zend_string_equals_literal(Z_OBJCE(result)->name, "HashContext")) {
60
2.39k
      zval args[2];
61
2.39k
      ZVAL_COPY_VALUE(&args[0], &result);
62
2.39k
      ZVAL_STRINGL(&args[1], (char *) Data, (Start - Data) - 1);
63
2.39k
      fuzzer_call_php_func_zval("hash_update", 2, args);
64
2.39k
      zval_ptr_dtor(&args[1]);
65
2.39k
      fuzzer_call_php_func_zval("hash_final", 1, args);
66
2.39k
    }
67
68
65.0k
    zval_ptr_dtor(&result);
69
65.0k
  }
70
71
65.0k
  free(orig_data);
72
73
65.0k
  fuzzer_request_shutdown();
74
65.0k
  return 0;
75
65.0k
}
76
77
12
int LLVMFuzzerInitialize(int *argc, char ***argv) {
78
12
  fuzzer_init_php(NULL);
79
80
  /* fuzzer_shutdown_php(); */
81
12
  return 0;
82
12
}