php-doxygen/fuzzer-mbregex_8c_source.html

/*

   +----------------------------------------------------------------------+

   | Copyright (c) The PHP Group                                          |

   +----------------------------------------------------------------------+

   | This source file is subject to version 3.01 of the PHP license,      |

   | that is bundled with this package in the file LICENSE, and is        |

   | available through the world-wide-web at the following url:           |

   | https://www.php.net/license/3_01.txt                                 |

   | If you did not receive a copy of the PHP license and are unable to   |

   | obtain it through the world-wide-web, please send a note to          |

   | license@php.net so we can mail you a copy immediately.               |

   +----------------------------------------------------------------------+

   | Authors: Stanislav Malyshev <stas@php.net>                           |

   +----------------------------------------------------------------------+

 */


#include "fuzzer.h"


#include "Zend/zend.h"

#include <main/php_config.h>

#include "main/php_main.h"

#include "oniguruma.h"


#include <stdio.h>

#include <stdint.h>

#include <stdlib.h>


#include "fuzzer-sapi.h"


int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {

#ifdef HAVE_MBREGEX


    if (fuzzer_request_startup() == FAILURE) {

        return 0;

    }


    char *args[2];

    char *data = malloc(Size+1);

    memcpy(data, Data, Size);

    data[Size] = '\0';


    fuzzer_setup_dummy_frame();


    args[0] = data;

    args[1] = "test123";

    fuzzer_call_php_func("mb_ereg", 2, args);


    args[0] = data;

    args[1] = "test123";

    fuzzer_call_php_func("mb_eregi", 2, args);


    args[0] = data;

    args[1] = data;

    fuzzer_call_php_func("mb_ereg", 2, args);


    args[0] = data;

    args[1] = data;

    fuzzer_call_php_func("mb_eregi", 2, args);


    fuzzer_request_shutdown();


    free(data);

#else

    fprintf(stderr, "\n\nERROR:\nPHP built without mbstring, recompile with --enable-mbstring to use this fuzzer\n");

    exit(1);

#endif

    return 0;

}


int LLVMFuzzerInitialize(int *argc, char ***argv) {

    fuzzer_init_php(NULL);


    /* The default parse depth limit allows stack overflows under asan. */

    onig_set_parse_depth_limit(512);


    /* fuzzer_shutdown_php(); */

    return 0;

}


fprintf
fprintf($stream, string $format, mixed ... $values)
Definition basic_functions.stub.php:2989

memcpy
memcpy(ptr1, ptr2, size)

LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
Definition fuzzer-mbregex.c:31

LLVMFuzzerInitialize
int LLVMFuzzerInitialize(int *argc, char ***argv)
Definition fuzzer-mbregex.c:71

fuzzer_request_startup
int fuzzer_request_startup(void)
Definition fuzzer-sapi.c:173

fuzzer_call_php_func
void fuzzer_call_php_func(const char *func_name, int nargs, char **params)
Definition fuzzer-sapi.c:311

fuzzer_setup_dummy_frame
void fuzzer_setup_dummy_frame(void)
Definition fuzzer-sapi.c:208

fuzzer_request_shutdown
void fuzzer_request_shutdown(void)
Definition fuzzer-sapi.c:189

fuzzer_init_php
int fuzzer_init_php(const char *extra_ini)
Definition fuzzer-sapi.c:131

fuzzer-sapi.h

fuzzer.h

NULL
#define NULL
Definition gdcache.h:45

php_main.h

data
zend_constant * data
Definition phpdbg_info.c:102

zend.h

exit
exit(string|int $status=0)
Definition zend_builtin_functions.stub.php:10

args
zval * args
Definition zend_closures.c:46

FAILURE
@ FAILURE
Definition zend_types.h:61