php-doxygen/fuzzer-unserializehash_8c_source.html

/*

   +----------------------------------------------------------------------+

   | Copyright (c) The PHP Group                                          |

   +----------------------------------------------------------------------+

   | This source file is subject to version 3.01 of the PHP license,      |

   | that is bundled with this package in the file LICENSE, and is        |

   | available through the world-wide-web at the following url:           |

   | https://www.php.net/license/3_01.txt                                 |

   | If you did not receive a copy of the PHP license and are unable to   |

   | obtain it through the world-wide-web, please send a note to          |

   | license@php.net so we can mail you a copy immediately.               |

   +----------------------------------------------------------------------+

 */


#include "fuzzer.h"


#include "Zend/zend.h"

#include <main/php_config.h>

#include "main/php_main.h"


#include <stdio.h>

#include <stdint.h>

#include <stdlib.h>


#include "fuzzer-sapi.h"


#include "ext/standard/php_var.h"


int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {

    const uint8_t *Start = memchr(Data, '|', FullSize);

    if (!Start) {

        return 0;

    }

    ++Start;


    if (fuzzer_request_startup() == FAILURE) {

        return 0;

    }


    size_t Size = (Data + FullSize) - Start;

    unsigned char *orig_data = malloc(Size+1);

    memcpy(orig_data, Start, Size);

    orig_data[Size] = '\0';


    fuzzer_setup_dummy_frame();


    {

        const unsigned char *data = orig_data;

        zval result;

        ZVAL_UNDEF(&result);


        php_unserialize_data_t var_hash;

        PHP_VAR_UNSERIALIZE_INIT(var_hash);

        php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);

        PHP_VAR_UNSERIALIZE_DESTROY(var_hash);


        if (Z_TYPE(result) == IS_OBJECT

            && zend_string_equals_literal(Z_OBJCE(result)->name, "HashContext")) {

            zval args[2];

            ZVAL_COPY_VALUE(&args[0], &result);

            ZVAL_STRINGL(&args[1], (char *) Data, (Start - Data) - 1);

            fuzzer_call_php_func_zval("hash_update", 2, args);

            zval_ptr_dtor(&args[1]);

            fuzzer_call_php_func_zval("hash_final", 1, args);

        }


        zval_ptr_dtor(&result);

    }


    free(orig_data);


    fuzzer_request_shutdown();

    return 0;

}


int LLVMFuzzerInitialize(int *argc, char ***argv) {

    fuzzer_init_php(NULL);


    /* fuzzer_shutdown_php(); */

    return 0;

}


memcpy
memcpy(ptr1, ptr2, size)

fuzzer_request_startup
int fuzzer_request_startup(void)
Definition fuzzer-sapi.c:173

fuzzer_setup_dummy_frame
void fuzzer_setup_dummy_frame(void)
Definition fuzzer-sapi.c:208

fuzzer_call_php_func_zval
void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args)
Definition fuzzer-sapi.c:294

fuzzer_request_shutdown
void fuzzer_request_shutdown(void)
Definition fuzzer-sapi.c:189

fuzzer_init_php
int fuzzer_init_php(const char *extra_ini)
Definition fuzzer-sapi.c:131

fuzzer-sapi.h

LLVMFuzzerInitialize
int LLVMFuzzerInitialize(int *argc, char ***argv)
Definition fuzzer-unserializehash.c:77

LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize)
Definition fuzzer-unserializehash.c:30

fuzzer.h

NULL
#define NULL
Definition gdcache.h:45

php_main.h

php_var.h

PHP_VAR_UNSERIALIZE_DESTROY
#define PHP_VAR_UNSERIALIZE_DESTROY(d)
Definition php_var.h:59

php_unserialize_data_t
struct php_unserialize_data * php_unserialize_data_t
Definition php_var.h:32

PHP_VAR_UNSERIALIZE_INIT
#define PHP_VAR_UNSERIALIZE_INIT(d)
Definition php_var.h:56

php_var_unserialize
PHPAPI int php_var_unserialize(zval *rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash)

data
zend_constant * data
Definition phpdbg_info.c:102

var_hash
php_unserialize_data_t var_hash
Definition session.c:964

zend.h

ZVAL_STRINGL
#define ZVAL_STRINGL(z, s, l)
Definition zend_API.h:952

zval
struct _zval_struct zval
Definition zend_builtin_functions.h:25

args
zval * args
Definition zend_closures.c:46

zend_string_equals_literal
#define zend_string_equals_literal(str, literal)
Definition zend_string.h:400

ZVAL_UNDEF
#define ZVAL_UNDEF(z)
Definition zend_types.h:1045

FAILURE
@ FAILURE
Definition zend_types.h:61

IS_OBJECT
#define IS_OBJECT
Definition zend_types.h:608

Z_TYPE
#define Z_TYPE(zval)
Definition zend_types.h:659

ZVAL_COPY_VALUE
#define ZVAL_COPY_VALUE(z, v)
Definition zend_types.h:1403

Z_OBJCE
#define Z_OBJCE(zval)
Definition zend_types.h:1001

zval_ptr_dtor
ZEND_API void zval_ptr_dtor(zval *zval_ptr)
Definition zend_variables.c:82

name
zend_string * name
Definition zend_vm_def.h:2429

result
bool result
Definition zend_vm_def.h:455