Home Explore Help
Sign In
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
php-8.1.12
/
sapi
/
fuzzer
/
fuzzer-unserializehash.c

fuzzer-unserializehash.c 2.3 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182 
  1. /*
    2. 

  2.    +----------------------------------------------------------------------+
    3. 

  3.    | Copyright (c) The PHP Group                                          |
    4. 

  4.    +----------------------------------------------------------------------+
    5. 

  5.    | This source file is subject to version 3.01 of the PHP license,      |
    6. 

  6.    | that is bundled with this package in the file LICENSE, and is        |
    7. 

  7.    | available through the world-wide-web at the following url:           |
    8. 

  8.    | https://www.php.net/license/3_01.txt                                 |
    9. 

  9.    | If you did not receive a copy of the PHP license and are unable to   |
    10. 

  10.    | obtain it through the world-wide-web, please send a note to          |
    11. 

  11.    | license@php.net so we can mail you a copy immediately.               |
    12. 

  12.    +----------------------------------------------------------------------+
    13. 

  13.  */
    14. 

  14. 

  15. 

  16. #include "fuzzer.h"
    17. 

  17. 

  18. #include "Zend/zend.h"
    19. 

  19. #include "main/php_config.h"
    20. 

  20. #include "main/php_main.h"
    21. 

  21. 

  22. #include <stdio.h>
    23. 

  23. #include <stdint.h>
    24. 

  24. #include <stdlib.h>
    25. 

  25. 

  26. #include "fuzzer-sapi.h"
    27. 

  27. 

  28. #include "ext/standard/php_var.h"
    29. 

  29. 

  30. int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
    31. 

  31. 	const uint8_t *Start = memchr(Data, '|', FullSize);
    32. 

  32. 	if (!Start) {
    33. 

  33. 		return 0;
    34. 

  34. 	}
    35. 

  35. 	++Start;
    36. 

  36. 

  37. 	size_t Size = (Data + FullSize) - Start;
    38. 

  38. 	unsigned char *orig_data = malloc(Size+1);
    39. 

  39. 	memcpy(orig_data, Start, Size);
    40. 

  40. 	orig_data[Size] = '\0';
    41. 

  41. 

  42. 	if (fuzzer_request_startup() == FAILURE) {
    43. 

  43. 		return 0;
    44. 

  44. 	}
    45. 

  45. 

  46. 	fuzzer_setup_dummy_frame();
    47. 

  47. 

  48. 	{
    49. 

  49. 		const unsigned char *data = orig_data;
    50. 

  50. 		zval result;
    51. 

  51. 		ZVAL_UNDEF(&result);
    52. 

  52. 

  53. 		php_unserialize_data_t var_hash;
    54. 

  54. 		PHP_VAR_UNSERIALIZE_INIT(var_hash);
    55. 

  55. 		php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
    56. 

  56. 		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
    57. 

  57. 

  58. 		if (Z_TYPE(result) == IS_OBJECT
    59. 

  59. 			&& zend_string_equals_literal(Z_OBJCE(result)->name, "HashContext")) {
    60. 

  60. 			zval args[2];
    61. 

  61. 			ZVAL_COPY_VALUE(&args[0], &result);
    62. 

  62. 			ZVAL_STRINGL(&args[1], (char *) Data, (Start - Data) - 1);
    63. 

  63. 			fuzzer_call_php_func_zval("hash_update", 2, args);
    64. 

  64. 			zval_ptr_dtor(&args[1]);
    65. 

  65. 			fuzzer_call_php_func_zval("hash_final", 1, args);
    66. 

  66. 		}
    67. 

  67. 

  68. 		zval_ptr_dtor(&result);
    69. 

  69. 	}
    70. 

  70. 

  71. 	free(orig_data);
    72. 

  72. 

  73. 	fuzzer_request_shutdown();
    74. 

  74. 	return 0;
    75. 

  75. }
    76. 

  76. 

  77. int LLVMFuzzerInitialize(int *argc, char ***argv) {
    78. 

  78. 	fuzzer_init_php();
    79. 

  79. 

  80. 	/* fuzzer_shutdown_php(); */
    81. 

  81. 	return 0;
    82. 

  82. }
    83.