-rw-r--r-- | sapi/fuzzer/fuzzer-sapi.c | 31 | ||||
-rw-r--r-- | sapi/fuzzer/fuzzer-sapi.h | 6 | ||||
-rw-r--r-- | sapi/fuzzer/fuzzer-unserialize.c | 29 | ||||
-rw-r--r-- | sapi/fuzzer/fuzzer-unserializehash.c | 28 | ||||
-rw-r--r-- | sapi/fuzzer/generate_all.php | 4 |
5 files changed, 45 insertions, 53 deletions
diff --git a/sapi/fuzzer/fuzzer-sapi.c b/sapi/fuzzer/fuzzer-sapi.c
index ca474af1ee..fdb4ff08b8 100644
--- a/sapi/fuzzer/fuzzer-sapi.c
+++ b/sapi/fuzzer/fuzzer-sapi.c
@@ -156,6 +156,37 @@ int fuzzer_request_startup()
 return SUCCESS;
 }
 
+void fuzzer_request_shutdown()
+{
+ /* Destroy thrown exceptions. This does not happen as part of request shutdown. */
+ if (EG(exception)) {
+ zend_object_release(EG(exception));
+ EG(exception) = NULL;
+ }
+
+ /* Some fuzzers (like unserialize) may create circular structures. Make sure we free them.
+ * Two calls are performed to handle objects with destructors. */
+ zend_gc_collect_cycles();
+ zend_gc_collect_cycles();
+
+ php_request_shutdown(NULL);
+}
+
+/* Set up a dummy stack frame so that exceptions may be thrown. */
+void fuzzer_setup_dummy_frame()
+{
+ static zend_execute_data execute_data;
+ static zend_function func;
+
+ memset(&execute_data, 0, sizeof(zend_execute_data));
+ memset(&func, 0, sizeof(zend_function));
+
+ func.type = ZEND_INTERNAL_FUNCTION;
+ func.common.function_name = ZSTR_EMPTY_ALLOC();
+ execute_data.func = &func;
+ EG(current_execute_data) = &execute_data;
+}
+
 void fuzzer_set_ini_file(const char *file)
 {
 if (fuzzer_module.php_ini_path_override) {
diff --git a/sapi/fuzzer/fuzzer-sapi.h b/sapi/fuzzer/fuzzer-sapi.h
index 495ca32c3d..f079fbcc05 100644
--- a/sapi/fuzzer/fuzzer-sapi.h
+++ b/sapi/fuzzer/fuzzer-sapi.h
@@ -15,8 +15,10 @@
 +----------------------------------------------------------------------+
 */
 
-int fuzzer_init_php();
-int fuzzer_request_startup();
+int fuzzer_init_php(void);
+int fuzzer_request_startup(void);
+void fuzzer_request_shutdown(void);
+void fuzzer_setup_dummy_frame(void);
 void fuzzer_call_php_func(const char *func_name, int nargs, char **params);
 void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args);
 int fuzzer_do_request_from_buffer(char *filename, char *data, size_t data_len);
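Review bot: The two new definitions in fuzzer-sapi.c, `void fuzzer_request_shutdown()` and `void fuzzer_setup_dummy_frame()`, use empty parameter lists while the header hunk in the same commit declares them as `(void)`; writing `void fuzzer_request_shutdown(void)` and `void fuzzer_setup_dummy_frame(void)` keeps definition and prototype in the same form and avoids old-style-definition warnings. fuzzer_setup_dummy_frame installs a static frame in EG(current_execute_data) and fuzzer_request_shutdown never clears it, so that pointer presumably stays set across php_request_shutdown; if request startup does not reset it, clearing it at the end of fuzzer_request_shutdown would keep each iteration's state self-contained. The comment `/* Set up a dummy stack frame so that exceptions may be thrown. */` could also note that the frame is static and shared by every caller, since callers no longer own it.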
diff --git a/sapi/fuzzer/fuzzer-unserialize.c b/sapi/fuzzer/fuzzer-unserialize.c
index 4b65197df9..ff68ee6e3e 100644
--- a/sapi/fuzzer/fuzzer-unserialize.c
+++ b/sapi/fuzzer/fuzzer-unserialize.c
@@ -31,26 +31,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 unsigned char *orig_data = malloc(Size+1);
- zend_execute_data execute_data;
- zend_function func;
-
 memcpy(orig_data, Data, Size);
 orig_data[Size] = '\0';
 
- if (fuzzer_request_startup()==FAILURE) {
+ if (fuzzer_request_startup() == FAILURE) {
 return 0;
 }
 
- /* Set up a dummy stack frame so that exceptions may be thrown. */
- {
- memset(&execute_data, 0, sizeof(zend_execute_data));
- memset(&func, 0, sizeof(zend_function));
-
- func.type = ZEND_INTERNAL_FUNCTION;
- func.common.function_name = ZSTR_EMPTY_ALLOC();
- execute_data.func = &func;
- EG(current_execute_data) = &execute_data;
- }
+ fuzzer_setup_dummy_frame();
 
 {
 const unsigned char *data = orig_data;
@@ -63,22 +51,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 zval_ptr_dtor(&result);
-
- /* Destroy any thrown exception. */
- if (EG(exception)) {
- zend_object_release(EG(exception));
- EG(exception) = NULL;
- }
 }
 
- /* Unserialize may create circular structure. Make sure we free them.
- * Two calls are performed to handle objects with destructors. */
- zend_gc_collect_cycles();
- zend_gc_collect_cycles();
- php_request_shutdown(NULL);
-
 free(orig_data);
+ fuzzer_request_shutdown();
 return 0;
 }
diff --git a/sapi/fuzzer/fuzzer-unserializehash.c b/sapi/fuzzer/fuzzer-unserializehash.c
index 9fbc10e6a8..c1231c4992 100644
--- a/sapi/fuzzer/fuzzer-unserializehash.c
+++ b/sapi/fuzzer/fuzzer-unserializehash.c
@@ -28,8 +28,6 @@
 #include "ext/standard/php_var.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
- zend_execute_data execute_data;
- zend_function func;
 const uint8_t *Start = memchr(Data, '|', FullSize);
 if (!Start) {
 return 0;
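Review bot: The rewritten early return under `if (fuzzer_request_startup() == FAILURE) {` still leaks orig_data, which was allocated by malloc(Size+1) a few lines above and is only freed at the end of the function; the same pattern appears in the second hunk of fuzzer-unserializehash.c further down this page. Adding `free(orig_data);` before that `return 0;` in both fuzzers closes the leak, which otherwise accumulates once per failed request startup over a long fuzzing run. The malloc result is also passed to memcpy without a NULL check on the context lines; that is pre-existing, but an `if (!orig_data) { return 0; }` guard would be cheap here. LLVMFuzzerTestOneInput continues into the next hunk.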
@@ -41,20 +39,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
 memcpy(orig_data, Start, Size);
 orig_data[Size] = '\0';
 
- if (fuzzer_request_startup()==FAILURE) {
+ if (fuzzer_request_startup() == FAILURE) {
 return 0;
 }
 
- /* Set up a dummy stack frame so that exceptions may be thrown. */
- {
- memset(&execute_data, 0, sizeof(zend_execute_data));
- memset(&func, 0, sizeof(zend_function));
-
- func.type = ZEND_INTERNAL_FUNCTION;
- func.common.function_name = ZSTR_EMPTY_ALLOC();
- execute_data.func = &func;
- EG(current_execute_data) = &execute_data;
- }
+ fuzzer_setup_dummy_frame();
 
 {
 const unsigned char *data = orig_data;
@@ -77,22 +66,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
 }
 zval_ptr_dtor(&result);
-
- /* Destroy any thrown exception. */
- if (EG(exception)) {
- zend_object_release(EG(exception));
- EG(exception) = NULL;
- }
 }
 
- /* Unserialize may create circular structure. Make sure we free them.
- * Two calls are performed to handle objects with destructors. */
- zend_gc_collect_cycles();
- zend_gc_collect_cycles();
- php_request_shutdown(NULL);
-
 free(orig_data);
+ fuzzer_request_shutdown();
 return 0;
 }
diff --git a/sapi/fuzzer/generate_all.php b/sapi/fuzzer/generate_all.php
new file mode 100644
index 0000000000..eef2ddf243
--- /dev/null
+++ b/sapi/fuzzer/generate_all.php
@@ -0,0 +1,4 @@
+<?php
+require __DIR__ . '/generate_unserialize_dict.php';
+require __DIR__ . '/generate_unserializehash_corpus.php';
+require __DIR__ . '/generate_parser_corpus.php';