/src/php-src/sapi/fuzzer/fuzzer-unserializehash.c
1 | | /* |
2 | | +----------------------------------------------------------------------+ |
3 | | | Copyright (c) The PHP Group | |
4 | | +----------------------------------------------------------------------+ |
5 | | | This source file is subject to version 3.01 of the PHP license, | |
6 | | | that is bundled with this package in the file LICENSE, and is | |
7 | | | available through the world-wide-web at the following url: | |
8 | | | https://www.php.net/license/3_01.txt | |
9 | | | If you did not receive a copy of the PHP license and are unable to | |
10 | | | obtain it through the world-wide-web, please send a note to | |
11 | | | license@php.net so we can mail you a copy immediately. | |
12 | | +----------------------------------------------------------------------+ |
13 | | */ |
14 | | |
15 | | |
16 | | #include "fuzzer.h" |
17 | | |
18 | | #include "Zend/zend.h" |
19 | | #include <main/php_config.h> |
20 | | #include "main/php_main.h" |
21 | | |
22 | | #include <stdio.h> |
23 | | #include <stdint.h> |
24 | | #include <stdlib.h> |
25 | | |
26 | | #include "fuzzer-sapi.h" |
27 | | |
28 | | #include "ext/standard/php_var.h" |
29 | | |
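/**
 * libFuzzer entry point: unserialize untrusted bytes and, when the result is
 * a HashContext object, run hash_update() and hash_final() on it.
 *
 * Input layout: <hash_update data> '|' <serialized payload>. The split is made
 * at the first '|'; input without one is ignored.
 *
 * @param Data      Raw fuzzer input (not NUL-terminated).
 * @param FullSize  Number of bytes available at Data.
 * @return Always 0.
 */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
	const uint8_t *Start = memchr(Data, '|', FullSize);
	if (!Start) {
		return 0;
	}
	++Start; /* first byte of the serialized payload, just past the '|' */

	/* Work on a private, NUL-terminated copy of the payload.
	 * NOTE(review): presumably the unserializer relies on the terminator;
	 * confirm against php_var_unserialize(). */
	size_t Size = (size_t) ((Data + FullSize) - Start);
	unsigned char *orig_data = malloc(Size + 1);
	if (!orig_data) {
		/* Allocation failure in the harness itself is not a finding in the
		 * code under test; skip the input instead of dereferencing NULL in
		 * memcpy() and reporting a spurious crash. Done before request
		 * startup so there is no request to tear down on this path. */
		return 0;
	}
	memcpy(orig_data, Start, Size);
	orig_data[Size] = '\0';

	if (fuzzer_request_startup() == FAILURE) {
		free(orig_data);
		return 0;
	}

	fuzzer_setup_dummy_frame();

	{
		/* php_var_unserialize() advances this cursor, so keep orig_data
		 * untouched for the free() below. */
		const unsigned char *data = orig_data;
		zval result;
		ZVAL_UNDEF(&result);

		php_unserialize_data_t var_hash;
		PHP_VAR_UNSERIALIZE_INIT(var_hash);
		/* The return value is deliberately not inspected: result stays
		 * IS_UNDEF unless it is populated, and the type check below only
		 * proceeds for an object. */
		php_var_unserialize(&result, &data, data + Size, &var_hash);
		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);

		if (Z_TYPE(result) == IS_OBJECT
			&& zend_string_equals_literal(Z_OBJCE(result)->name, "HashContext")) {
			zval args[2];
			/* args[0] shares result's value; it is never destroyed on its
			 * own, only through zval_ptr_dtor(&result) further down. */
			ZVAL_COPY_VALUE(&args[0], &result);
			/* Bytes before the '|' become the data fed to hash_update(). */
			ZVAL_STRINGL(&args[1], (char *) Data, (Start - Data) - 1);
			fuzzer_call_php_func_zval("hash_update", 2, args);
			zval_ptr_dtor(&args[1]);
			fuzzer_call_php_func_zval("hash_final", 1, args);
		}

		zval_ptr_dtor(&result);
	}

	free(orig_data);

	fuzzer_request_shutdown();
	return 0;
}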
76 | | |
/**
 * libFuzzer one-time initialisation hook.
 *
 * Calls fuzzer_init_php(NULL) and reports success unconditionally.
 * NOTE(review): any status returned by fuzzer_init_php() is not checked here;
 * confirm whether it can fail.
 *
 * @param argc  Unused.
 * @param argv  Unused.
 * @return Always 0.
 */
int LLVMFuzzerInitialize(int *argc, char ***argv) {
	/* The harness takes no command-line options of its own. */
	(void) argc;
	(void) argv;

	fuzzer_init_php(NULL);

	/* fuzzer_shutdown_php() is intentionally not called from this hook. */
	return 0;
}