1 /*
2    +----------------------------------------------------------------------+
3    | Copyright (c) The PHP Group                                          |
4    +----------------------------------------------------------------------+
5    | This source file is subject to version 3.01 of the PHP license,      |
6    | that is bundled with this package in the file LICENSE, and is        |
7    | available through the world-wide-web at the following url:           |
8    | https://www.php.net/license/3_01.txt                                 |
9    | If you did not receive a copy of the PHP license and are unable to   |
10    | obtain it through the world-wide-web, please send a note to          |
11    | license@php.net so we can mail you a copy immediately.               |
12    +----------------------------------------------------------------------+
13  */
14 
15 
16 #include "fuzzer.h"
17 
18 #include "Zend/zend.h"
19 #include <main/php_config.h>
20 #include "main/php_main.h"
21 
22 #include <stdio.h>
23 #include <stdint.h>
24 #include <stdlib.h>
25 
26 #include "fuzzer-sapi.h"
27 
28 #include "ext/standard/php_var.h"
29 
LLVMFuzzerTestOneInput(const uint8_t * Data,size_t FullSize)30 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
31 	const uint8_t *Start = memchr(Data, '|', FullSize);
32 	if (!Start) {
33 		return 0;
34 	}
35 	++Start;
36 
37 	size_t Size = (Data + FullSize) - Start;
38 	unsigned char *orig_data = malloc(Size+1);
39 	memcpy(orig_data, Start, Size);
40 	orig_data[Size] = '\0';
41 
42 	if (fuzzer_request_startup() == FAILURE) {
43 		return 0;
44 	}
45 
46 	fuzzer_setup_dummy_frame();
47 
48 	{
49 		const unsigned char *data = orig_data;
50 		zval result;
51 		ZVAL_UNDEF(&result);
52 
53 		php_unserialize_data_t var_hash;
54 		PHP_VAR_UNSERIALIZE_INIT(var_hash);
55 		php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
56 		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
57 
58 		if (Z_TYPE(result) == IS_OBJECT
59 			&& zend_string_equals_literal(Z_OBJCE(result)->name, "HashContext")) {
60 			zval args[2];
61 			ZVAL_COPY_VALUE(&args[0], &result);
62 			ZVAL_STRINGL(&args[1], (char *) Data, (Start - Data) - 1);
63 			fuzzer_call_php_func_zval("hash_update", 2, args);
64 			zval_ptr_dtor(&args[1]);
65 			fuzzer_call_php_func_zval("hash_final", 1, args);
66 		}
67 
68 		zval_ptr_dtor(&result);
69 	}
70 
71 	free(orig_data);
72 
73 	fuzzer_request_shutdown();
74 	return 0;
75 }
76 
LLVMFuzzerInitialize(int * argc,char *** argv)77 int LLVMFuzzerInitialize(int *argc, char ***argv) {
78 	fuzzer_init_php(NULL);
79 
80 	/* fuzzer_shutdown_php(); */
81 	return 0;
82 }
83