1 /*
2 +----------------------------------------------------------------------+
3 | Copyright (c) The PHP Group |
4 +----------------------------------------------------------------------+
5 | This source file is subject to version 3.01 of the PHP license, |
6 | that is bundled with this package in the file LICENSE, and is |
7 | available through the world-wide-web at the following url: |
8 | https://www.php.net/license/3_01.txt |
9 | If you did not receive a copy of the PHP license and are unable to |
10 | obtain it through the world-wide-web, please send a note to |
11 | license@php.net so we can mail you a copy immediately. |
12 +----------------------------------------------------------------------+
13 | Authors: Stanislav Malyshev <stas@php.net> |
14 +----------------------------------------------------------------------+
15 */
16
17
18 #include "fuzzer.h"
19
20 #include "Zend/zend.h"
21 #include <main/php_config.h>
22 #include "main/php_main.h"
23 #include "oniguruma.h"
24
25 #include <stdio.h>
26 #include <stdint.h>
27 #include <stdlib.h>
28
29 #include "fuzzer-sapi.h"
30
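/**
 * libFuzzer entry point: feeds one fuzz input to the mbstring regex functions.
 *
 * The raw input is copied into a NUL-terminated heap buffer and passed to
 * mb_ereg and mb_eregi four times: twice as the first argument with the fixed
 * second argument "test123", then twice as both arguments.
 *
 * @param Data  Fuzzer-supplied bytes (untrusted, not NUL-terminated).
 * @param Size  Number of bytes in Data.
 * @return Always 0. If PHP was built without HAVE_MBREGEX the process exits
 *         with status 1 instead of returning.
 */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#ifdef HAVE_MBREGEX
	char *args[2];
	char *data;

	/* Size + 1 would wrap to 0 and the terminator write would land out of bounds. */
	if (Size == SIZE_MAX) {
		return 0;
	}

	data = malloc(Size + 1);
	if (data == NULL) {
		/* Out of memory is not a finding in the target; skip this input. */
		return 0;
	}

	/* Data may be NULL for an empty input; memcpy from NULL is undefined even for 0 bytes. */
	if (Size > 0) {
		memcpy(data, Data, Size);
	}
	/*
	 * NOTE(review): arguments are handed over as plain char *, so presumably
	 * bytes after an embedded NUL never reach the regex engine -- confirm in
	 * fuzzer_call_php_func.
	 */
	data[Size] = '\0';

	if (fuzzer_request_startup() == FAILURE) {
		/* Release the copy on this early exit so repeated failures do not leak. */
		free(data);
		return 0;
	}

	fuzzer_setup_dummy_frame();

	/* Fuzz input as first argument, fixed second argument. */
	args[0] = data;
	args[1] = "test123";
	fuzzer_call_php_func("mb_ereg", 2, args);

	args[0] = data;
	args[1] = "test123";
	fuzzer_call_php_func("mb_eregi", 2, args);

	/* Fuzz input as both arguments. */
	args[0] = data;
	args[1] = data;
	fuzzer_call_php_func("mb_ereg", 2, args);

	args[0] = data;
	args[1] = data;
	fuzzer_call_php_func("mb_eregi", 2, args);

	fuzzer_request_shutdown();

	free(data);
#else
	fprintf(stderr, "\n\nERROR:\nPHP built without mbstring, recompile with --enable-mbstring to use this fuzzer\n");
	exit(1);
#endif
	return 0;
}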
69
/**
 * libFuzzer one-time initialisation hook.
 *
 * Initialises the embedded PHP runtime and caps Oniguruma's parse depth.
 * No shutdown is performed here; the fuzzer_shutdown_php() call is left
 * disabled.
 *
 * @param argc  Unused.
 * @param argv  Unused.
 * @return Always 0.
 */
int LLVMFuzzerInitialize(int *argc, char ***argv) {
	/*
	 * With Oniguruma's default parse depth limit, deeply nested patterns
	 * overflow the stack under ASan, so a lower cap is set for fuzzing.
	 */
	enum { ONIG_FUZZ_PARSE_DEPTH_LIMIT = 512 };

	fuzzer_init_php(NULL);
	onig_set_parse_depth_limit(ONIG_FUZZ_PARSE_DEPTH_LIMIT);

	return 0;
}
79