/src/php-src/sapi/fuzzer/fuzzer-unserialize.c

Source (jump to first uncovered line)
/*
   +----------------------------------------------------------------------+
   | Copyright (c) The PHP Group                                          |
   +----------------------------------------------------------------------+
   | This source file is subject to version 3.01 of the PHP license,      |
   | that is bundled with this package in the file LICENSE, and is        |
   | available through the world-wide-web at the following url:           |
   | https://www.php.net/license/3_01.txt                                 |
   | If you did not receive a copy of the PHP license and are unable to   |
   | obtain it through the world-wide-web, please send a note to          |
   | license@php.net so we can mail you a copy immediately.               |
   +----------------------------------------------------------------------+
   | Authors: Johannes Schlüter <johanes@php.net>                         |
   +----------------------------------------------------------------------+
 */


#include "fuzzer.h"

#include "Zend/zend.h"
#include <main/php_config.h>
#include "main/php_main.h"

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

#include "fuzzer-sapi.h"

#include "ext/standard/php_var.h"

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {

  if (fuzzer_request_startup() == FAILURE) {
    return 0;
  }

  unsigned char *orig_data = malloc(Size+1);
  memcpy(orig_data, Data, Size);
  orig_data[Size] = '\0';

  fuzzer_setup_dummy_frame();

  {
    const unsigned char *data = orig_data;
    zval result;
    ZVAL_UNDEF(&result);

    php_unserialize_data_t var_hash;
    PHP_VAR_UNSERIALIZE_INIT(var_hash);
    php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
    PHP_VAR_UNSERIALIZE_DESTROY(var_hash);

    zval_ptr_dtor(&result);
  }

  free(orig_data);

  fuzzer_request_shutdown();
  return 0;
}

int LLVMFuzzerInitialize(int *argc, char ***argv) {
  fuzzer_init_php(NULL);

  /* fuzzer_shutdown_php(); */
  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		/*
2		+----------------------------------------------------------------------+
3		\| Copyright (c) The PHP Group \|
4		+----------------------------------------------------------------------+
5		\| This source file is subject to version 3.01 of the PHP license, \|
6		\| that is bundled with this package in the file LICENSE, and is \|
7		\| available through the world-wide-web at the following url: \|
8		\| https://www.php.net/license/3_01.txt \|
9		\| If you did not receive a copy of the PHP license and are unable to \|
10		\| obtain it through the world-wide-web, please send a note to \|
11		\| license@php.net so we can mail you a copy immediately. \|
12		+----------------------------------------------------------------------+
13		\| Authors: Johannes Schlüter <johanes@php.net> \|
14		+----------------------------------------------------------------------+
15		*/
16
17
18		#include "fuzzer.h"
19
20		#include "Zend/zend.h"
21		#include <main/php_config.h>
22		#include "main/php_main.h"
23
24		#include <stdio.h>
25		#include <stdint.h>
26		#include <stdlib.h>
27
28		#include "fuzzer-sapi.h"
29
30		#include "ext/standard/php_var.h"
31
32	49.8k	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
33
34	49.8k	if (fuzzer_request_startup() == FAILURE) {
35	0	return 0;
36	0	}
37
38	49.8k	unsigned char *orig_data = malloc(Size+1);
39	49.8k	memcpy(orig_data, Data, Size);
40	49.8k	orig_data[Size] = '\0';
41
42	49.8k	fuzzer_setup_dummy_frame();
43
44	49.8k	{
45	49.8k	const unsigned char *data = orig_data;
46	49.8k	zval result;
47	49.8k	ZVAL_UNDEF(&result);
48
49	49.8k	php_unserialize_data_t var_hash;
50	49.8k	PHP_VAR_UNSERIALIZE_INIT(var_hash);
51	49.8k	php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
52	49.8k	PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
53
54	49.8k	zval_ptr_dtor(&result);
55	49.8k	}
56
57	49.8k	free(orig_data);
58
59	49.8k	fuzzer_request_shutdown();
60	49.8k	return 0;
61	49.8k	}
62
63	12	int LLVMFuzzerInitialize(int argc, char **argv) {
64	12	fuzzer_init_php(NULL);
65
66		/* fuzzer_shutdown_php(); */
67	12	return 0;
68	12	}

Coverage Report

Created: 2025-07-23 06:33