/src/php-src/sapi/fuzzer/fuzzer-unserializehash.c

Source (jump to first uncovered line)
/*
   +----------------------------------------------------------------------+
   | Copyright (c) The PHP Group                                          |
   +----------------------------------------------------------------------+
   | This source file is subject to version 3.01 of the PHP license,      |
   | that is bundled with this package in the file LICENSE, and is        |
   | available through the world-wide-web at the following url:           |
   | https://www.php.net/license/3_01.txt                                 |
   | If you did not receive a copy of the PHP license and are unable to   |
   | obtain it through the world-wide-web, please send a note to          |
   | license@php.net so we can mail you a copy immediately.               |
   +----------------------------------------------------------------------+
 */


#include "fuzzer.h"

#include "Zend/zend.h"
#include <main/php_config.h>
#include "main/php_main.h"

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

#include "fuzzer-sapi.h"

#include "ext/standard/php_var.h"

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
  const uint8_t *Start = memchr(Data, '|', FullSize);
  if (!Start) {
    return 0;
  }
  ++Start;

  if (fuzzer_request_startup() == FAILURE) {
    return 0;
  }

  size_t Size = (Data + FullSize) - Start;
  unsigned char *orig_data = malloc(Size+1);
  memcpy(orig_data, Start, Size);
  orig_data[Size] = '\0';

  fuzzer_setup_dummy_frame();

  {
    const unsigned char *data = orig_data;
    zval result;
    ZVAL_UNDEF(&result);

    php_unserialize_data_t var_hash;
    PHP_VAR_UNSERIALIZE_INIT(var_hash);
    php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
    PHP_VAR_UNSERIALIZE_DESTROY(var_hash);

    if (Z_TYPE(result) == IS_OBJECT
      && zend_string_equals_literal(Z_OBJCE(result)->name, "HashContext")) {
      zval args[2];
      ZVAL_COPY_VALUE(&args[0], &result);
      ZVAL_STRINGL(&args[1], (char *) Data, (Start - Data) - 1);
      fuzzer_call_php_func_zval("hash_update", 2, args);
      zval_ptr_dtor(&args[1]);
      fuzzer_call_php_func_zval("hash_final", 1, args);
    }

    zval_ptr_dtor(&result);
  }

  free(orig_data);

  fuzzer_request_shutdown();
  return 0;
}

int LLVMFuzzerInitialize(int *argc, char ***argv) {
  fuzzer_init_php(NULL);

  /* fuzzer_shutdown_php(); */
  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		/*
2		+----------------------------------------------------------------------+
3		\| Copyright (c) The PHP Group \|
4		+----------------------------------------------------------------------+
5		\| This source file is subject to version 3.01 of the PHP license, \|
6		\| that is bundled with this package in the file LICENSE, and is \|
7		\| available through the world-wide-web at the following url: \|
8		\| https://www.php.net/license/3_01.txt \|
9		\| If you did not receive a copy of the PHP license and are unable to \|
10		\| obtain it through the world-wide-web, please send a note to \|
11		\| license@php.net so we can mail you a copy immediately. \|
12		+----------------------------------------------------------------------+
13		*/
14
15
16		#include "fuzzer.h"
17
18		#include "Zend/zend.h"
19		#include <main/php_config.h>
20		#include "main/php_main.h"
21
22		#include <stdio.h>
23		#include <stdint.h>
24		#include <stdlib.h>
25
26		#include "fuzzer-sapi.h"
27
28		#include "ext/standard/php_var.h"
29
30	65.0k	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
31	65.0k	const uint8_t *Start = memchr(Data, '\|', FullSize);
32	65.0k	if (!Start) {
33	1	return 0;
34	1	}
35	65.0k	++Start;
36
37	65.0k	if (fuzzer_request_startup() == FAILURE) {
38	0	return 0;
39	0	}
40
41	65.0k	size_t Size = (Data + FullSize) - Start;
42	65.0k	unsigned char *orig_data = malloc(Size+1);
43	65.0k	memcpy(orig_data, Start, Size);
44	65.0k	orig_data[Size] = '\0';
45
46	65.0k	fuzzer_setup_dummy_frame();
47
48	65.0k	{
49	65.0k	const unsigned char *data = orig_data;
50	65.0k	zval result;
51	65.0k	ZVAL_UNDEF(&result);
52
53	65.0k	php_unserialize_data_t var_hash;
54	65.0k	PHP_VAR_UNSERIALIZE_INIT(var_hash);
55	65.0k	php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
56	65.0k	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
57
58	65.0k	if (Z_TYPE(result) == IS_OBJECT
59	65.0k	&& zend_string_equals_literal(Z_OBJCE(result)->name, "HashContext")) {
60	2.39k	zval args[2];
61	2.39k	ZVAL_COPY_VALUE(&args[0], &result);
62	2.39k	ZVAL_STRINGL(&args[1], (char *) Data, (Start - Data) - 1);
63	2.39k	fuzzer_call_php_func_zval("hash_update", 2, args);
64	2.39k	zval_ptr_dtor(&args[1]);
65	2.39k	fuzzer_call_php_func_zval("hash_final", 1, args);
66	2.39k	}
67
68	65.0k	zval_ptr_dtor(&result);
69	65.0k	}
70
71	65.0k	free(orig_data);
72
73	65.0k	fuzzer_request_shutdown();
74	65.0k	return 0;
75	65.0k	}
76
77	12	int LLVMFuzzerInitialize(int argc, char **argv) {
78	12	fuzzer_init_php(NULL);
79
80		/* fuzzer_shutdown_php(); */
81	12	return 0;
82	12	}

Coverage Report

Created: 2025-06-13 06:43