From 41f45647f90a44514fd18b16fdcec5cceebf1635 Mon Sep 17 00:00:00 2001 
From: Stanislav Malyshev Date: Tue, 30 Jul 2019 22:45:55 -0700 Subject: Add fuzzer SAPIs to the core --- sapi/fuzzer/Makefile.frag | 18 ++ sapi/fuzzer/README | 13 ++ sapi/fuzzer/config.m4 | 63 ++++++ sapi/fuzzer/corpus/exif/bug34704.jpg | Bin 0 -> 9976 bytes sapi/fuzzer/corpus/exif/bug34704_2.jpg | Bin 0 -> 9976 bytes sapi/fuzzer/corpus/exif/bug48378.jpeg | Bin 0 -> 2566 bytes sapi/fuzzer/corpus/exif/bug54002_1.jpeg | Bin 0 -> 87599 bytes sapi/fuzzer/corpus/exif/bug54002_2.jpeg | Bin 0 -> 87599 bytes sapi/fuzzer/corpus/exif/bug62523_1.jpg | 9 + sapi/fuzzer/corpus/exif/bug62523_3.jpg | 12 ++ sapi/fuzzer/corpus/exif/bug68113.jpg | Bin 0 -> 368 bytes sapi/fuzzer/corpus/exif/bug68113_2.jpg | Bin 0 -> 368 bytes sapi/fuzzer/corpus/exif/bug68799.jpg | Bin 0 -> 735 bytes sapi/fuzzer/corpus/exif/bug72094_1.jpg | Bin 0 -> 140 bytes sapi/fuzzer/corpus/exif/bug72094_2.jpg | Bin 0 -> 140 bytes sapi/fuzzer/corpus/exif/bug72094_3.jpg | Bin 0 -> 112 bytes sapi/fuzzer/corpus/exif/bug72094_4.jpg | Bin 0 -> 32 bytes sapi/fuzzer/corpus/exif/bug72603.jpeg | Bin 0 -> 3711 bytes sapi/fuzzer/corpus/exif/bug72618.jpg | Bin 0 -> 3711 bytes sapi/fuzzer/corpus/exif/bug72627.tiff | Bin 0 -> 1250 bytes sapi/fuzzer/corpus/exif/bug73737.tiff | Bin 0 -> 48 bytes sapi/fuzzer/corpus/exif/bug76130_1.jpg | Bin 0 -> 3396 bytes sapi/fuzzer/corpus/exif/bug76130_2.jpg | Bin 0 -> 1632 bytes sapi/fuzzer/corpus/exif/bug76423.jpg | Bin 0 -> 1537 bytes sapi/fuzzer/corpus/exif/bug76557.jpg | Bin 0 -> 2372 bytes sapi/fuzzer/corpus/exif/bug77540.jpg | Bin 0 -> 91 bytes sapi/fuzzer/corpus/exif/bug77563.jpg | Bin 0 -> 63 bytes sapi/fuzzer/corpus/exif/bug77753.tiff | Bin 0 -> 873 bytes sapi/fuzzer/corpus/exif/bug77831.tiff | Bin 0 -> 49 bytes sapi/fuzzer/corpus/exif/bug77950.tiff | Bin 0 -> 1267 bytes sapi/fuzzer/corpus/exif/bug77988.jpg | Bin 0 -> 1202 bytes sapi/fuzzer/corpus/exif/exif_encoding_crash.jpg | Bin 0 -> 7599 bytes sapi/fuzzer/corpus/exif/image007.jpg | Bin 0 -> 283 bytes 
sapi/fuzzer/corpus/exif/image008.jpg | Bin 0 -> 527 bytes sapi/fuzzer/corpus/exif/image009.jpg | Bin 0 -> 527 bytes sapi/fuzzer/corpus/exif/image010.jpg | Bin 0 -> 741 bytes sapi/fuzzer/corpus/exif/image011.jpg | Bin 0 -> 741 bytes sapi/fuzzer/corpus/exif/image012.jpg | Bin 0 -> 721 bytes sapi/fuzzer/corpus/exif/image013.jpg | Bin 0 -> 721 bytes sapi/fuzzer/corpus/exif/image014.jpg | Bin 0 -> 935 bytes sapi/fuzzer/corpus/exif/image015.jpg | Bin 0 -> 935 bytes sapi/fuzzer/corpus/exif/image016.tiff | Bin 0 -> 1874 bytes sapi/fuzzer/corpus/exif/image017.tiff | Bin 0 -> 1874 bytes sapi/fuzzer/corpus/exif/image018.tiff | Bin 0 -> 2088 bytes sapi/fuzzer/corpus/exif/image020.tiff | Bin 0 -> 2068 bytes sapi/fuzzer/corpus/exif/image021.tiff | Bin 0 -> 2068 bytes sapi/fuzzer/corpus/exif/image022.tiff | Bin 0 -> 2282 bytes sapi/fuzzer/corpus/exif/image023.tiff | Bin 0 -> 2282 bytes sapi/fuzzer/corpus/exif/image024.jpg | Bin 0 -> 417 bytes sapi/fuzzer/corpus/exif/image025.jpg | Bin 0 -> 417 bytes sapi/fuzzer/corpus/exif/image026.tiff | Bin 0 -> 1984 bytes sapi/fuzzer/corpus/exif/image027.tiff | Bin 0 -> 1984 bytes sapi/fuzzer/corpus/exif/test1.jpg | Bin 0 -> 523 bytes sapi/fuzzer/corpus/exif/test2.jpg | Bin 0 -> 1240 bytes sapi/fuzzer/corpus/exif/test22.jpg | Bin 0 -> 1240 bytes sapi/fuzzer/corpus/exif/test3.jpg | Bin 0 -> 1240 bytes sapi/fuzzer/corpus/exif/test4.jpg | Bin 0 -> 713 bytes sapi/fuzzer/corpus/exif/test5.jpg | Bin 0 -> 603 bytes sapi/fuzzer/corpus/exif/test6.jpg | Bin 0 -> 1240 bytes sapi/fuzzer/corpus/json/1.json | 1 + sapi/fuzzer/corpus/json/10.json | 1 + sapi/fuzzer/corpus/json/11.json | 1 + sapi/fuzzer/corpus/json/12.json | 2 + sapi/fuzzer/corpus/json/13.json | 1 + sapi/fuzzer/corpus/json/14.json | 2 + sapi/fuzzer/corpus/json/15.json | 1 + sapi/fuzzer/corpus/json/16.json | 1 + sapi/fuzzer/corpus/json/17.json | 1 + sapi/fuzzer/corpus/json/18.json | 1 + sapi/fuzzer/corpus/json/19.json | 1 + sapi/fuzzer/corpus/json/2.json | 1 + sapi/fuzzer/corpus/json/3.json | 1 
+ sapi/fuzzer/corpus/json/4.json | 1 + sapi/fuzzer/corpus/json/5.json | 5 + sapi/fuzzer/corpus/json/6.json | 1 + sapi/fuzzer/corpus/json/7.json | 2 + sapi/fuzzer/corpus/json/8.json | 1 + sapi/fuzzer/corpus/json/9.json | 1 + sapi/fuzzer/corpus/json/fail1.json | 1 + sapi/fuzzer/corpus/json/fail10.json | 1 + sapi/fuzzer/corpus/json/fail11.json | 1 + sapi/fuzzer/corpus/json/fail12.json | 1 + sapi/fuzzer/corpus/json/fail13.json | 1 + sapi/fuzzer/corpus/json/fail14.json | 1 + sapi/fuzzer/corpus/json/fail15.json | 1 + sapi/fuzzer/corpus/json/fail16.json | 1 + sapi/fuzzer/corpus/json/fail17.json | 1 + sapi/fuzzer/corpus/json/fail18.json | 1 + sapi/fuzzer/corpus/json/fail19.json | 1 + sapi/fuzzer/corpus/json/fail2.json | 1 + sapi/fuzzer/corpus/json/fail20.json | 1 + sapi/fuzzer/corpus/json/fail21.json | 1 + sapi/fuzzer/corpus/json/fail22.json | 1 + sapi/fuzzer/corpus/json/fail23.json | 1 + sapi/fuzzer/corpus/json/fail24.json | 1 + sapi/fuzzer/corpus/json/fail25.json | 1 + sapi/fuzzer/corpus/json/fail26.json | 1 + sapi/fuzzer/corpus/json/fail27.json | 2 + sapi/fuzzer/corpus/json/fail28.json | 2 + sapi/fuzzer/corpus/json/fail29.json | 1 + sapi/fuzzer/corpus/json/fail3.json | 1 + sapi/fuzzer/corpus/json/fail30.json | 1 + sapi/fuzzer/corpus/json/fail31.json | 1 + sapi/fuzzer/corpus/json/fail32.json | 1 + sapi/fuzzer/corpus/json/fail33.json | 1 + sapi/fuzzer/corpus/json/fail4.json | 1 + sapi/fuzzer/corpus/json/fail5.json | 1 + sapi/fuzzer/corpus/json/fail6.json | 1 + sapi/fuzzer/corpus/json/fail7.json | 1 + sapi/fuzzer/corpus/json/fail8.json | 1 + sapi/fuzzer/corpus/json/fail9.json | 1 + sapi/fuzzer/corpus/json/pass1.json | 58 ++++++ sapi/fuzzer/corpus/json/pass2.json | 1 + sapi/fuzzer/corpus/json/pass3.json | 6 + sapi/fuzzer/fuzzer-exif.c | 65 +++++++ sapi/fuzzer/fuzzer-json.c | 73 +++++++ sapi/fuzzer/fuzzer-mbstring.c | 75 ++++++++ sapi/fuzzer/fuzzer-parser.c | 80 ++++++++ sapi/fuzzer/fuzzer-sapi.c | 242 ++++++++++++++++++++++++ sapi/fuzzer/fuzzer-sapi.h | 22 +++ 
sapi/fuzzer/fuzzer-unserialize.c | 66 +++++++ sapi/fuzzer/fuzzer.h | 20 ++ sapi/fuzzer/json.dict | 52 +++++ 123 files changed, 936 insertions(+) create mode 100644 sapi/fuzzer/Makefile.frag create mode 100644 sapi/fuzzer/README create mode 100644 sapi/fuzzer/config.m4 create mode 100644 sapi/fuzzer/corpus/exif/bug34704.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug34704_2.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug48378.jpeg create mode 100644 sapi/fuzzer/corpus/exif/bug54002_1.jpeg create mode 100644 sapi/fuzzer/corpus/exif/bug54002_2.jpeg create mode 100644 sapi/fuzzer/corpus/exif/bug62523_1.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug62523_3.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug68113.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug68113_2.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug68799.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug72094_1.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug72094_2.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug72094_3.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug72094_4.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug72603.jpeg create mode 100644 sapi/fuzzer/corpus/exif/bug72618.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug72627.tiff create mode 100644 sapi/fuzzer/corpus/exif/bug73737.tiff create mode 100644 sapi/fuzzer/corpus/exif/bug76130_1.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug76130_2.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug76423.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug76557.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug77540.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug77563.jpg create mode 100644 sapi/fuzzer/corpus/exif/bug77753.tiff create mode 100644 sapi/fuzzer/corpus/exif/bug77831.tiff create mode 100644 sapi/fuzzer/corpus/exif/bug77950.tiff create mode 100644 sapi/fuzzer/corpus/exif/bug77988.jpg create mode 100644 sapi/fuzzer/corpus/exif/exif_encoding_crash.jpg create mode 100644 sapi/fuzzer/corpus/exif/image007.jpg create 
mode 100644 sapi/fuzzer/corpus/exif/image008.jpg create mode 100644 sapi/fuzzer/corpus/exif/image009.jpg create mode 100644 sapi/fuzzer/corpus/exif/image010.jpg create mode 100644 sapi/fuzzer/corpus/exif/image011.jpg create mode 100644 sapi/fuzzer/corpus/exif/image012.jpg create mode 100644 sapi/fuzzer/corpus/exif/image013.jpg create mode 100644 sapi/fuzzer/corpus/exif/image014.jpg create mode 100644 sapi/fuzzer/corpus/exif/image015.jpg create mode 100644 sapi/fuzzer/corpus/exif/image016.tiff create mode 100644 sapi/fuzzer/corpus/exif/image017.tiff create mode 100644 sapi/fuzzer/corpus/exif/image018.tiff create mode 100644 sapi/fuzzer/corpus/exif/image020.tiff create mode 100644 sapi/fuzzer/corpus/exif/image021.tiff create mode 100644 sapi/fuzzer/corpus/exif/image022.tiff create mode 100644 sapi/fuzzer/corpus/exif/image023.tiff create mode 100644 sapi/fuzzer/corpus/exif/image024.jpg create mode 100644 sapi/fuzzer/corpus/exif/image025.jpg create mode 100644 sapi/fuzzer/corpus/exif/image026.tiff create mode 100644 sapi/fuzzer/corpus/exif/image027.tiff create mode 100644 sapi/fuzzer/corpus/exif/test1.jpg create mode 100644 sapi/fuzzer/corpus/exif/test2.jpg create mode 100644 sapi/fuzzer/corpus/exif/test22.jpg create mode 100644 sapi/fuzzer/corpus/exif/test3.jpg create mode 100644 sapi/fuzzer/corpus/exif/test4.jpg create mode 100644 sapi/fuzzer/corpus/exif/test5.jpg create mode 100644 sapi/fuzzer/corpus/exif/test6.jpg create mode 100644 sapi/fuzzer/corpus/json/1.json create mode 100644 sapi/fuzzer/corpus/json/10.json create mode 100644 sapi/fuzzer/corpus/json/11.json create mode 100644 sapi/fuzzer/corpus/json/12.json create mode 100644 sapi/fuzzer/corpus/json/13.json create mode 100644 sapi/fuzzer/corpus/json/14.json create mode 100644 sapi/fuzzer/corpus/json/15.json create mode 100644 sapi/fuzzer/corpus/json/16.json create mode 100644 sapi/fuzzer/corpus/json/17.json create mode 100644 sapi/fuzzer/corpus/json/18.json create mode 100644 sapi/fuzzer/corpus/json/19.json 
create mode 100644 sapi/fuzzer/corpus/json/2.json create mode 100644 sapi/fuzzer/corpus/json/3.json create mode 100644 sapi/fuzzer/corpus/json/4.json create mode 100644 sapi/fuzzer/corpus/json/5.json create mode 100644 sapi/fuzzer/corpus/json/6.json create mode 100644 sapi/fuzzer/corpus/json/7.json create mode 100644 sapi/fuzzer/corpus/json/8.json create mode 100644 sapi/fuzzer/corpus/json/9.json create mode 100644 sapi/fuzzer/corpus/json/fail1.json create mode 100644 sapi/fuzzer/corpus/json/fail10.json create mode 100644 sapi/fuzzer/corpus/json/fail11.json create mode 100644 sapi/fuzzer/corpus/json/fail12.json create mode 100644 sapi/fuzzer/corpus/json/fail13.json create mode 100644 sapi/fuzzer/corpus/json/fail14.json create mode 100644 sapi/fuzzer/corpus/json/fail15.json create mode 100644 sapi/fuzzer/corpus/json/fail16.json create mode 100644 sapi/fuzzer/corpus/json/fail17.json create mode 100644 sapi/fuzzer/corpus/json/fail18.json create mode 100644 sapi/fuzzer/corpus/json/fail19.json create mode 100644 sapi/fuzzer/corpus/json/fail2.json create mode 100644 sapi/fuzzer/corpus/json/fail20.json create mode 100644 sapi/fuzzer/corpus/json/fail21.json create mode 100644 sapi/fuzzer/corpus/json/fail22.json create mode 100644 sapi/fuzzer/corpus/json/fail23.json create mode 100644 sapi/fuzzer/corpus/json/fail24.json create mode 100644 sapi/fuzzer/corpus/json/fail25.json create mode 100644 sapi/fuzzer/corpus/json/fail26.json create mode 100644 sapi/fuzzer/corpus/json/fail27.json create mode 100644 sapi/fuzzer/corpus/json/fail28.json create mode 100644 sapi/fuzzer/corpus/json/fail29.json create mode 100644 sapi/fuzzer/corpus/json/fail3.json create mode 100644 sapi/fuzzer/corpus/json/fail30.json create mode 100644 sapi/fuzzer/corpus/json/fail31.json create mode 100644 sapi/fuzzer/corpus/json/fail32.json create mode 100644 sapi/fuzzer/corpus/json/fail33.json create mode 100644 sapi/fuzzer/corpus/json/fail4.json create mode 100644 sapi/fuzzer/corpus/json/fail5.json create 
mode 100644 sapi/fuzzer/corpus/json/fail6.json create mode 100644 sapi/fuzzer/corpus/json/fail7.json create mode 100644 sapi/fuzzer/corpus/json/fail8.json create mode 100644 sapi/fuzzer/corpus/json/fail9.json create mode 100644 sapi/fuzzer/corpus/json/pass1.json create mode 100644 sapi/fuzzer/corpus/json/pass2.json create mode 100644 sapi/fuzzer/corpus/json/pass3.json create mode 100644 sapi/fuzzer/fuzzer-exif.c create mode 100644 sapi/fuzzer/fuzzer-json.c create mode 100644 sapi/fuzzer/fuzzer-mbstring.c create mode 100644 sapi/fuzzer/fuzzer-parser.c create mode 100644 sapi/fuzzer/fuzzer-sapi.c create mode 100644 sapi/fuzzer/fuzzer-sapi.h create mode 100644 sapi/fuzzer/fuzzer-unserialize.c create mode 100644 sapi/fuzzer/fuzzer.h create mode 100644 sapi/fuzzer/json.dict (limited to 'sapi/fuzzer') diff --git a/sapi/fuzzer/Makefile.frag b/sapi/fuzzer/Makefile.frag new file mode 100644 index 0000000000..57952a8ff4 --- /dev/null +++ b/sapi/fuzzer/Makefile.frag 
@@ -0,0 +1,18 @@
+fuzzer: $(PHP_FUZZER_BINARIES)
+
+FUZZER_BUILD = $(LIBTOOL) --mode=link $(FUZZING_CC) -export-dynamic $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS_PROGRAM) $(LDFLAGS) $(PHP_RPATHS) $(PHP_GLOBAL_OBJS) $(PHP_BINARY_OBJS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) $(FUZZING_LIB) -rpath /ORIGIN/lib
+
+$(SAPI_FUZZER_PATH)/php-fuzz-parser: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_PARSER_OBJS)
+ $(FUZZER_BUILD) $(PHP_FUZZER_PARSER_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-unserialize: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_UNSERIALIZE_OBJS)
+ $(FUZZER_BUILD) $(PHP_FUZZER_UNSERIALIZE_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-json: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_JSON_OBJS)
+ $(FUZZER_BUILD) $(PHP_FUZZER_JSON_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-exif: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_EXIF_OBJS)
+ $(FUZZER_BUILD) $(PHP_FUZZER_EXIF_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-mbstring: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_MBSTRING_OBJS)
+ $(FUZZER_BUILD) $(PHP_FUZZER_MBSTRING_OBJS) -o $@
diff --git a/sapi/fuzzer/README b/sapi/fuzzer/README
new file mode 100644
index 0000000000..e0aafcaadf
--- /dev/null
+++ b/sapi/fuzzer/README
@@ -0,0 +1,13 @@
+Fuzzing SAPI for PHP
+
+Enable fuzzing targets with --enable-fuzzer switch.
+
+Your compiler should support -fsanitize=address and you need
+to have Fuzzer library around.
+
+When running `make` it creates these binaries in `sapi/fuzzer/`:
+* php-fuzz-parser - fuzzing language parser
+* php-fuzz-unserialize - fuzzing unserialize() function
+* php-fuzz-json - fuzzing JSON parser
+* php-fuzz-exif - fuzzing exif_read_data() function (use --enable-exif)
+* php-fuzz-mbstring - fuzzing mb_ereg[i] (requires --enable-mbstring)
diff --git a/sapi/fuzzer/config.m4 b/sapi/fuzzer/config.m4
new file mode 100644
index 0000000000..12cf99bf86
--- /dev/null
+++ b/sapi/fuzzer/config.m4
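Review bot: The trailing `-rpath /ORIGIN/lib` in FUZZER_BUILD bakes a literal absolute run-time search path into every php-fuzz-* binary, and nothing in this fragment creates or references such a directory, so it looks like either dead linkage or a `$ORIGIN` that was lost to make/shell expansion. If `$ORIGIN` was intended it has to be written as `-rpath '\$$ORIGIN/lib'` to survive both expansions; if not, the option should go, since `$(PHP_RPATHS)` already carries the build's rpath entries and a DT_RUNPATH pointing at a directory that need not exist gives whoever can later create it library-load precedence for a binary whose whole job is to consume attacker-shaped input. Recipe lines also appear here with a leading space rather than a tab; if that is not an artefact of rendering, make will reject the rules.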
@@ -0,0 +1,63 @@
+AC_MSG_CHECKING(for clang fuzzer SAPI)
+
+PHP_ARG_ENABLE([fuzzer],,
+ [AS_HELP_STRING([--enable-fuzzer],
+ [Build PHP as clang fuzzing test module (for developers)])],
+ [no])
+
+dnl For newer clang versions see https://llvm.org/docs/LibFuzzer.html#fuzzer-usage
+dnl for relevant flags.
+
+dnl Macro to define fuzzing target
+dnl PHP_FUZZER_TARGET(name, target-var)
+dnl
+AC_DEFUN([PHP_FUZZER_TARGET], [
+ PHP_FUZZER_BINARIES="$PHP_FUZZER_BINARIES $SAPI_FUZZER_PATH/php-fuzz-$1"
+ PHP_SUBST($2)
+ PHP_ADD_SOURCES_X([sapi/fuzzer],[fuzzer-$1.c fuzzer-sapi.c],[],$2)
+])
+
+if test "$PHP_FUZZER" != "no"; then
+ AC_MSG_RESULT([yes])
+ PHP_REQUIRE_CXX()
+ PHP_ADD_MAKEFILE_FRAGMENT($abs_srcdir/sapi/fuzzer/Makefile.frag)
+ SAPI_FUZZER_PATH=sapi/fuzzer
+ PHP_SUBST(SAPI_FUZZER_PATH)
+ if test -z "$LIB_FUZZING_ENGINE"; then
+ FUZZING_LIB="-lFuzzer"
+ FUZZING_CC="$CC"
+ AX_CHECK_COMPILE_FLAG([-fsanitize=address], [
+ CFLAGS="$CFLAGS -fsanitize=address"
+ CXXFLAGS="$CXXFLAGS -fsanitize=address"
+ LDFLAGS="$LDFLAGS -fsanitize=address"
+ ],[
+ AC_MSG_ERROR(compiler doesn't support -fsanitize flags)
+ ])
+ else
+ FUZZING_LIB="-lFuzzingEngine"
+ FUZZING_CC="$CXX -stdlib=libc++"
+ fi
+ PHP_SUBST(FUZZING_LIB)
+ PHP_SUBST(FUZZING_CC)
+
+ dnl PHP_SELECT_SAPI(fuzzer-parser, program, $FUZZER_SOURCES, , '$(SAPI_FUZZER_PATH)')
+
+ PHP_ADD_BUILD_DIR([sapi/fuzzer])
+ PHP_FUZZER_BINARIES=""
+ PHP_INSTALLED_SAPIS="$PHP_INSTALLED_SAPIS fuzzer"
+
+ PHP_FUZZER_TARGET([parser], PHP_FUZZER_PARSER_OBJS)
+ PHP_FUZZER_TARGET([unserialize], PHP_FUZZER_UNSERIALIZE_OBJS)
+ PHP_FUZZER_TARGET([exif], PHP_FUZZER_EXIF_OBJS)
+
+ if test -n "$enable_json" && test "$enable_json" != "no"; then
+ PHP_FUZZER_TARGET([json], PHP_FUZZER_JSON_OBJS)
+ fi
+ if test -n "$enable_mbstring" && test "$enable_mbstring" != "no"; then
+ PHP_FUZZER_TARGET([mbstring], PHP_FUZZER_MBSTRING_OBJS)
+ fi
+
+ PHP_SUBST(PHP_FUZZER_BINARIES)
+fi
+
+AC_MSG_RESULT($PHP_FUZZER)
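Review bot: The exif target is registered unconditionally at `PHP_FUZZER_TARGET([exif], PHP_FUZZER_EXIF_OBJS)` while the json and mbstring targets directly below it are wrapped in `test -n "$enable_..."` guards, so `--enable-fuzzer` without `--enable-exif` will still try to build fuzzer-exif.c, which presumably needs the extension it exercises, even though the README added by this commit says the target requires `--enable-exif`. Guard it the same way: `if test -n "$enable_exif" && test "$enable_exif" != "no"; then PHP_FUZZER_TARGET([exif], PHP_FUZZER_EXIF_OBJS); fi`. Separately, the non-OSS-Fuzz branch only turns on `-fsanitize=address`; probing `-fsanitize=undefined` with the same AX_CHECK_COMPILE_FLAG and adding it when accepted would catch the signed-overflow and misaligned-read class of exif/unserialize bugs that ASan alone does not report.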
diff --git a/sapi/fuzzer/corpus/exif/bug34704.jpg b/sapi/fuzzer/corpus/exif/bug34704.jpg new file mode 100644 index 0000000000..42b14c1908 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug34704.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug34704_2.jpg b/sapi/fuzzer/corpus/exif/bug34704_2.jpg new file mode 100644 index 0000000000..42b14c1908 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug34704_2.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug48378.jpeg b/sapi/fuzzer/corpus/exif/bug48378.jpeg new file mode 100644 index 0000000000..759d805709 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug48378.jpeg differ diff --git a/sapi/fuzzer/corpus/exif/bug54002_1.jpeg b/sapi/fuzzer/corpus/exif/bug54002_1.jpeg new file mode 100644 index 0000000000..a622d6d213 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug54002_1.jpeg differ diff --git a/sapi/fuzzer/corpus/exif/bug54002_2.jpeg b/sapi/fuzzer/corpus/exif/bug54002_2.jpeg new file mode 100644 index 0000000000..a622d6d213 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug54002_2.jpeg differ diff --git a/sapi/fuzzer/corpus/exif/bug62523_1.jpg b/sapi/fuzzer/corpus/exif/bug62523_1.jpg new file mode 100644 index 0000000000..9a63d1e84d --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug62523_1.jpg @@ -0,0 +1,9 @@ + + +301 Moved Permanently + +

Moved Permanently

+

The document has moved here.

+
+
Apache Server at getid3.org Port 80
+ diff --git a/sapi/fuzzer/corpus/exif/bug62523_3.jpg b/sapi/fuzzer/corpus/exif/bug62523_3.jpg new file mode 100644 index 0000000000..3ee91368ce --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug62523_3.jpg @@ -0,0 +1,12 @@ + + Found + +
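Review bot: bug62523_1.jpg is not an image at all; the hunk shows an Apache "301 Moved Permanently" HTML body from getid3.org, i.e. the HTTP response that was saved in place of the file the bug report pointed at. As a seed it will be rejected by the EXIF reader at the first bytes and contributes nothing to coverage, so it should be replaced with the real reproducer (the ext/exif test fixture for bug 62523, if one exists) or dropped. While cleaning the corpus, note that several seeds in this commit are byte-identical by blob id (bug34704.jpg/bug34704_2.jpg, bug54002_1.jpeg/bug54002_2.jpeg, bug68113.jpg/bug68113_2.jpg, test2.jpg/test22.jpg); duplicates only slow corpus minimization and can be removed.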

Found

+

The resource was found at http://dl.dropboxusercontent.com/u/7562584/Bugs/Php/bad_exif.jpeg; +you should be redirected automatically. + +

+
+
WSGI Server
+ + diff --git a/sapi/fuzzer/corpus/exif/bug68113.jpg b/sapi/fuzzer/corpus/exif/bug68113.jpg new file mode 100644 index 0000000000..3ce7a620fb Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug68113.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug68113_2.jpg b/sapi/fuzzer/corpus/exif/bug68113_2.jpg new file mode 100644 index 0000000000..3ce7a620fb Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug68113_2.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug68799.jpg b/sapi/fuzzer/corpus/exif/bug68799.jpg new file mode 100644 index 0000000000..acc326dbbf Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug68799.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug72094_1.jpg b/sapi/fuzzer/corpus/exif/bug72094_1.jpg new file mode 100644 index 0000000000..d21382b44b Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug72094_1.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug72094_2.jpg b/sapi/fuzzer/corpus/exif/bug72094_2.jpg new file mode 100644 index 0000000000..ec414ce02b Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug72094_2.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug72094_3.jpg b/sapi/fuzzer/corpus/exif/bug72094_3.jpg new file mode 100644 index 0000000000..8b05314b67 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug72094_3.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug72094_4.jpg b/sapi/fuzzer/corpus/exif/bug72094_4.jpg new file mode 100644 index 0000000000..ca6d453c2c Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug72094_4.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug72603.jpeg b/sapi/fuzzer/corpus/exif/bug72603.jpeg new file mode 100644 index 0000000000..1764c805fb Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug72603.jpeg differ diff --git a/sapi/fuzzer/corpus/exif/bug72618.jpg b/sapi/fuzzer/corpus/exif/bug72618.jpg new file mode 100644 index 0000000000..0a61ae2e02 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug72618.jpg differ 
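Review bot: bug62523_3.jpg is likewise an HTTP redirect body (a WSGI "Found" page pointing at a dropboxusercontent.com URL for bad_exif.jpeg) rather than JPEG/TIFF data, so it cannot exercise the exif_read_data() path this target fuzzes. Either fetch the referenced bad_exif.jpeg and commit that as the seed, or drop the file; leaving an HTML page in the corpus also risks someone later treating the embedded third-party URL as a trustworthy source for test data.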
diff --git a/sapi/fuzzer/corpus/exif/bug72627.tiff b/sapi/fuzzer/corpus/exif/bug72627.tiff new file mode 100644 index 0000000000..229190a604 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug72627.tiff differ diff --git a/sapi/fuzzer/corpus/exif/bug73737.tiff b/sapi/fuzzer/corpus/exif/bug73737.tiff new file mode 100644 index 0000000000..2cb036fc47 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug73737.tiff differ diff --git a/sapi/fuzzer/corpus/exif/bug76130_1.jpg b/sapi/fuzzer/corpus/exif/bug76130_1.jpg new file mode 100644 index 0000000000..e063e46d22 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug76130_1.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug76130_2.jpg b/sapi/fuzzer/corpus/exif/bug76130_2.jpg new file mode 100644 index 0000000000..a9e79dca5c Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug76130_2.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug76423.jpg b/sapi/fuzzer/corpus/exif/bug76423.jpg new file mode 100644 index 0000000000..08fe2bbc57 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug76423.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug76557.jpg b/sapi/fuzzer/corpus/exif/bug76557.jpg new file mode 100644 index 0000000000..d678f07c0f Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug76557.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug77540.jpg b/sapi/fuzzer/corpus/exif/bug77540.jpg new file mode 100644 index 0000000000..559022db0e Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug77540.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug77563.jpg b/sapi/fuzzer/corpus/exif/bug77563.jpg new file mode 100644 index 0000000000..d6280151f0 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug77563.jpg differ diff --git a/sapi/fuzzer/corpus/exif/bug77753.tiff b/sapi/fuzzer/corpus/exif/bug77753.tiff new file mode 100644 index 0000000000..b237f39e2b Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug77753.tiff differ 
diff --git a/sapi/fuzzer/corpus/exif/bug77831.tiff b/sapi/fuzzer/corpus/exif/bug77831.tiff new file mode 100644 index 0000000000..c7e9f4472b Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug77831.tiff differ diff --git a/sapi/fuzzer/corpus/exif/bug77950.tiff b/sapi/fuzzer/corpus/exif/bug77950.tiff new file mode 100644 index 0000000000..5c8250ab04 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug77950.tiff differ diff --git a/sapi/fuzzer/corpus/exif/bug77988.jpg b/sapi/fuzzer/corpus/exif/bug77988.jpg new file mode 100644 index 0000000000..120ff8565a Binary files /dev/null and b/sapi/fuzzer/corpus/exif/bug77988.jpg differ diff --git a/sapi/fuzzer/corpus/exif/exif_encoding_crash.jpg b/sapi/fuzzer/corpus/exif/exif_encoding_crash.jpg new file mode 100644 index 0000000000..55138abe55 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/exif_encoding_crash.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image007.jpg b/sapi/fuzzer/corpus/exif/image007.jpg new file mode 100644 index 0000000000..852654075a Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image007.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image008.jpg b/sapi/fuzzer/corpus/exif/image008.jpg new file mode 100644 index 0000000000..3e8bfe4512 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image008.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image009.jpg b/sapi/fuzzer/corpus/exif/image009.jpg new file mode 100644 index 0000000000..8803ddccd4 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image009.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image010.jpg b/sapi/fuzzer/corpus/exif/image010.jpg new file mode 100644 index 0000000000..31ed6d678d Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image010.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image011.jpg b/sapi/fuzzer/corpus/exif/image011.jpg new file mode 100644 index 0000000000..fcd5783ec7 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image011.jpg differ 
diff --git a/sapi/fuzzer/corpus/exif/image012.jpg b/sapi/fuzzer/corpus/exif/image012.jpg new file mode 100644 index 0000000000..dd25e06181 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image012.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image013.jpg b/sapi/fuzzer/corpus/exif/image013.jpg new file mode 100644 index 0000000000..93ded26667 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image013.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image014.jpg b/sapi/fuzzer/corpus/exif/image014.jpg new file mode 100644 index 0000000000..7657a0a4c7 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image014.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image015.jpg b/sapi/fuzzer/corpus/exif/image015.jpg new file mode 100644 index 0000000000..6f52dec4d7 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image015.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image016.tiff b/sapi/fuzzer/corpus/exif/image016.tiff new file mode 100644 index 0000000000..1712113933 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image016.tiff differ diff --git a/sapi/fuzzer/corpus/exif/image017.tiff b/sapi/fuzzer/corpus/exif/image017.tiff new file mode 100644 index 0000000000..89800d8796 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image017.tiff differ diff --git a/sapi/fuzzer/corpus/exif/image018.tiff b/sapi/fuzzer/corpus/exif/image018.tiff new file mode 100644 index 0000000000..6b4492f7cd Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image018.tiff differ diff --git a/sapi/fuzzer/corpus/exif/image020.tiff b/sapi/fuzzer/corpus/exif/image020.tiff new file mode 100644 index 0000000000..87f187821a Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image020.tiff differ diff --git a/sapi/fuzzer/corpus/exif/image021.tiff b/sapi/fuzzer/corpus/exif/image021.tiff new file mode 100644 index 0000000000..190f30b93a Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image021.tiff differ 
diff --git a/sapi/fuzzer/corpus/exif/image022.tiff b/sapi/fuzzer/corpus/exif/image022.tiff new file mode 100644 index 0000000000..88f4373341 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image022.tiff differ diff --git a/sapi/fuzzer/corpus/exif/image023.tiff b/sapi/fuzzer/corpus/exif/image023.tiff new file mode 100644 index 0000000000..dc33f6ed90 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image023.tiff differ diff --git a/sapi/fuzzer/corpus/exif/image024.jpg b/sapi/fuzzer/corpus/exif/image024.jpg new file mode 100644 index 0000000000..0b5a42e894 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image024.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image025.jpg b/sapi/fuzzer/corpus/exif/image025.jpg new file mode 100644 index 0000000000..a5c0e17c7a Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image025.jpg differ diff --git a/sapi/fuzzer/corpus/exif/image026.tiff b/sapi/fuzzer/corpus/exif/image026.tiff new file mode 100644 index 0000000000..8fdafc738f Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image026.tiff differ diff --git a/sapi/fuzzer/corpus/exif/image027.tiff b/sapi/fuzzer/corpus/exif/image027.tiff new file mode 100644 index 0000000000..7c3a37a90a Binary files /dev/null and b/sapi/fuzzer/corpus/exif/image027.tiff differ diff --git a/sapi/fuzzer/corpus/exif/test1.jpg b/sapi/fuzzer/corpus/exif/test1.jpg new file mode 100644 index 0000000000..121decb65a Binary files /dev/null and b/sapi/fuzzer/corpus/exif/test1.jpg differ diff --git a/sapi/fuzzer/corpus/exif/test2.jpg b/sapi/fuzzer/corpus/exif/test2.jpg new file mode 100644 index 0000000000..f60ecded6f Binary files /dev/null and b/sapi/fuzzer/corpus/exif/test2.jpg differ diff --git a/sapi/fuzzer/corpus/exif/test22.jpg b/sapi/fuzzer/corpus/exif/test22.jpg new file mode 100644 index 0000000000..f60ecded6f Binary files /dev/null and b/sapi/fuzzer/corpus/exif/test22.jpg differ 
diff --git a/sapi/fuzzer/corpus/exif/test3.jpg b/sapi/fuzzer/corpus/exif/test3.jpg new file mode 100644 index 0000000000..7547a16630 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/test3.jpg differ diff --git a/sapi/fuzzer/corpus/exif/test4.jpg b/sapi/fuzzer/corpus/exif/test4.jpg new file mode 100644 index 0000000000..8a23a7b658 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/test4.jpg differ diff --git a/sapi/fuzzer/corpus/exif/test5.jpg b/sapi/fuzzer/corpus/exif/test5.jpg new file mode 100644 index 0000000000..d03cac18a3 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/test5.jpg differ diff --git a/sapi/fuzzer/corpus/exif/test6.jpg b/sapi/fuzzer/corpus/exif/test6.jpg new file mode 100644 index 0000000000..073cefdfe0 Binary files /dev/null and b/sapi/fuzzer/corpus/exif/test6.jpg differ diff --git a/sapi/fuzzer/corpus/json/1.json b/sapi/fuzzer/corpus/json/1.json new file mode 100644 index 0000000000..8161287aab --- /dev/null +++ b/sapi/fuzzer/corpus/json/1.json @@ -0,0 +1 @@ +{"prop":{"prop":null}} diff --git a/sapi/fuzzer/corpus/json/10.json b/sapi/fuzzer/corpus/json/10.json new file mode 100644 index 0000000000..59483c2539 --- /dev/null +++ b/sapi/fuzzer/corpus/json/10.json @@ -0,0 +1 @@ +{"a":100.1,"b":"foo"} diff --git a/sapi/fuzzer/corpus/json/11.json b/sapi/fuzzer/corpus/json/11.json new file mode 100644 index 0000000000..e3907a414c --- /dev/null +++ b/sapi/fuzzer/corpus/json/11.json @@ -0,0 +1 @@ +[100.1,"bar"] diff --git a/sapi/fuzzer/corpus/json/12.json b/sapi/fuzzer/corpus/json/12.json new file mode 100644 index 0000000000..222a6678f9 --- /dev/null +++ b/sapi/fuzzer/corpus/json/12.json @@ -0,0 +1,2 @@ +{"0":0,"\u0000ab":1,"1":"\u0000null-prefixed value"} + diff --git a/sapi/fuzzer/corpus/json/13.json b/sapi/fuzzer/corpus/json/13.json new file mode 100644 index 0000000000..b9c504cdbe --- /dev/null +++ b/sapi/fuzzer/corpus/json/13.json @@ -0,0 +1 @@ +{ "test": { "foo": "bar" } } 
diff --git a/sapi/fuzzer/corpus/json/14.json b/sapi/fuzzer/corpus/json/14.json new file mode 100644 index 0000000000..0014681471 --- /dev/null +++ b/sapi/fuzzer/corpus/json/14.json @@ -0,0 +1,2 @@ +"aa\udbff\udffdzz" + diff --git a/sapi/fuzzer/corpus/json/15.json b/sapi/fuzzer/corpus/json/15.json new file mode 100644 index 0000000000..92591f81a3 --- /dev/null +++ b/sapi/fuzzer/corpus/json/15.json @@ -0,0 +1 @@ +"latin 1234 -\/ russian мама мыла раму specialchars \u0002 \b \n U+1D11E >𝄞<" diff --git a/sapi/fuzzer/corpus/json/16.json b/sapi/fuzzer/corpus/json/16.json new file mode 100644 index 0000000000..2129292029 --- /dev/null +++ b/sapi/fuzzer/corpus/json/16.json @@ -0,0 +1 @@ +{"test":"123343e871700"} diff --git a/sapi/fuzzer/corpus/json/17.json b/sapi/fuzzer/corpus/json/17.json new file mode 100644 index 0000000000..4e4676b299 --- /dev/null +++ b/sapi/fuzzer/corpus/json/17.json @@ -0,0 +1 @@ +[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[["Too deep"]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]] 
diff --git a/sapi/fuzzer/corpus/json/18.json b/sapi/fuzzer/corpus/json/18.json new file mode 100644 index 0000000000..81873afdec --- /dev/null +++ b/sapi/fuzzer/corpus/json/18.json @@ -0,0 +1 @@ +{"myInt":99,"myFloat":123.45,"myNull":null,"myBool":true,"myString":"Hello World"} diff --git a/sapi/fuzzer/corpus/json/19.json b/sapi/fuzzer/corpus/json/19.json new file mode 100644 index 0000000000..cc33c95a71 --- /dev/null +++ b/sapi/fuzzer/corpus/json/19.json @@ -0,0 +1 @@ +"\u65e5\u672c\u8a9e\u30c6\u30ad\u30b9\u30c8\u3067\u3059\u300201234\uff15\uff16\uff17\uff18\uff19\u3002" diff --git a/sapi/fuzzer/corpus/json/2.json b/sapi/fuzzer/corpus/json/2.json new file mode 100644 index 0000000000..3a9a9722e2 --- /dev/null +++ b/sapi/fuzzer/corpus/json/2.json @@ -0,0 +1 @@ +{"largenum":123456789012345678901234567890} diff --git a/sapi/fuzzer/corpus/json/3.json b/sapi/fuzzer/corpus/json/3.json new file mode 100644 index 0000000000..b004f2079d --- /dev/null +++ b/sapi/fuzzer/corpus/json/3.json @@ -0,0 +1 @@ +["","'bar'","\"baz\"","&blong&"] diff --git a/sapi/fuzzer/corpus/json/4.json b/sapi/fuzzer/corpus/json/4.json new file mode 100644 index 0000000000..8e73a26dab --- /dev/null +++ b/sapi/fuzzer/corpus/json/4.json @@ -0,0 +1 @@ +["\u003Cfoo\u003E","\u0027bar\u0027","\u0022baz\u0022","\u0026blong\u0026"] diff --git a/sapi/fuzzer/corpus/json/5.json b/sapi/fuzzer/corpus/json/5.json new file mode 100644 index 0000000000..5c7912450d --- /dev/null +++ b/sapi/fuzzer/corpus/json/5.json @@ -0,0 +1,5 @@ +[ +{"":"value"}, +{"":"value", "key":"value"}, +{"key":"value", "":"value"} +] diff --git a/sapi/fuzzer/corpus/json/6.json b/sapi/fuzzer/corpus/json/6.json new file mode 100644 index 0000000000..2d852843f1 --- /dev/null +++ b/sapi/fuzzer/corpus/json/6.json @@ -0,0 +1 @@ +[123,13452345,123.13452345] diff --git a/sapi/fuzzer/corpus/json/7.json b/sapi/fuzzer/corpus/json/7.json new file mode 100644 index 0000000000..6e74debaf0 --- /dev/null +++ b/sapi/fuzzer/corpus/json/7.json 
@@ -0,0 +1,2 @@ +["\ud834\udd00"] + diff --git a/sapi/fuzzer/corpus/json/8.json b/sapi/fuzzer/corpus/json/8.json new file mode 100644 index 0000000000..7ea60c3af9 --- /dev/null +++ b/sapi/fuzzer/corpus/json/8.json @@ -0,0 +1 @@ +{"zero": 0e0} diff --git a/sapi/fuzzer/corpus/json/9.json b/sapi/fuzzer/corpus/json/9.json new file mode 100644 index 0000000000..49e7327986 --- /dev/null +++ b/sapi/fuzzer/corpus/json/9.json @@ -0,0 +1 @@ +[null,null,"abc"] diff --git a/sapi/fuzzer/corpus/json/fail1.json b/sapi/fuzzer/corpus/json/fail1.json new file mode 100644 index 0000000000..6216b865f1 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail1.json @@ -0,0 +1 @@ +"A JSON payload should be an object or array, not a string." \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail10.json b/sapi/fuzzer/corpus/json/fail10.json new file mode 100644 index 0000000000..5d8c0047bd --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail10.json @@ -0,0 +1 @@ +{"Extra value after close": true} "misplaced quoted value" \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail11.json b/sapi/fuzzer/corpus/json/fail11.json new file mode 100644 index 0000000000..76eb95b458 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail11.json @@ -0,0 +1 @@ +{"Illegal expression": 1 + 2} \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail12.json b/sapi/fuzzer/corpus/json/fail12.json new file mode 100644 index 0000000000..77580a4522 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail12.json @@ -0,0 +1 @@ +{"Illegal invocation": alert()} \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail13.json b/sapi/fuzzer/corpus/json/fail13.json new file mode 100644 index 0000000000..379406b59b --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail13.json @@ -0,0 +1 @@ +{"Numbers cannot have leading zeroes": 013} \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail14.json b/sapi/fuzzer/corpus/json/fail14.json new file mode 100644 index 0000000000..0ed366b38a 
--- /dev/null +++ b/sapi/fuzzer/corpus/json/fail14.json @@ -0,0 +1 @@ +{"Numbers cannot be hex": 0x14} \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail15.json b/sapi/fuzzer/corpus/json/fail15.json new file mode 100644 index 0000000000..fc8376b605 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail15.json @@ -0,0 +1 @@ +["Illegal backslash escape: \x15"] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail16.json b/sapi/fuzzer/corpus/json/fail16.json new file mode 100644 index 0000000000..3fe21d4b53 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail16.json @@ -0,0 +1 @@ +[\naked] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail17.json b/sapi/fuzzer/corpus/json/fail17.json new file mode 100644 index 0000000000..62b9214aed --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail17.json @@ -0,0 +1 @@ +["Illegal backslash escape: \017"] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail18.json b/sapi/fuzzer/corpus/json/fail18.json new file mode 100644 index 0000000000..edac92716f --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail18.json @@ -0,0 +1 @@ +[[[[[[[[[[[[[[[[[[[["Too deep"]]]]]]]]]]]]]]]]]]]] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail19.json b/sapi/fuzzer/corpus/json/fail19.json new file mode 100644 index 0000000000..3b9c46fa9a --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail19.json @@ -0,0 +1 @@ +{"Missing colon" null} \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail2.json b/sapi/fuzzer/corpus/json/fail2.json new file mode 100644 index 0000000000..6b7c11e5a5 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail2.json @@ -0,0 +1 @@ +["Unclosed array" \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail20.json b/sapi/fuzzer/corpus/json/fail20.json new file mode 100644 index 0000000000..27c1af3e72 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail20.json @@ -0,0 +1 @@ +{"Double colon":: null} \ No newline at end of file 
diff --git a/sapi/fuzzer/corpus/json/fail21.json b/sapi/fuzzer/corpus/json/fail21.json new file mode 100644 index 0000000000..62474573b2 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail21.json @@ -0,0 +1 @@ +{"Comma instead of colon", null} \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail22.json b/sapi/fuzzer/corpus/json/fail22.json new file mode 100644 index 0000000000..a7752581bc --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail22.json @@ -0,0 +1 @@ +["Colon instead of comma": false] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail23.json b/sapi/fuzzer/corpus/json/fail23.json new file mode 100644 index 0000000000..494add1ca1 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail23.json @@ -0,0 +1 @@ +["Bad value", truth] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail24.json b/sapi/fuzzer/corpus/json/fail24.json new file mode 100644 index 0000000000..caff239bfc --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail24.json @@ -0,0 +1 @@ +['single quote'] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail25.json b/sapi/fuzzer/corpus/json/fail25.json new file mode 100644 index 0000000000..8b7ad23e01 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail25.json @@ -0,0 +1 @@ +[" tab character in string "] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail26.json b/sapi/fuzzer/corpus/json/fail26.json new file mode 100644 index 0000000000..845d26a6a5 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail26.json @@ -0,0 +1 @@ +["tab\ character\ in\ string\ "] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail27.json b/sapi/fuzzer/corpus/json/fail27.json new file mode 100644 index 0000000000..6b01a2ca4a --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail27.json @@ -0,0 +1,2 @@ +["line +break"] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail28.json b/sapi/fuzzer/corpus/json/fail28.json new file mode 100644 index 0000000000..621a0101c6 --- /dev/null 
+++ b/sapi/fuzzer/corpus/json/fail28.json @@ -0,0 +1,2 @@ +["line\ +break"] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail29.json b/sapi/fuzzer/corpus/json/fail29.json new file mode 100644 index 0000000000..47ec421bb6 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail29.json @@ -0,0 +1 @@ +[0e] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail3.json b/sapi/fuzzer/corpus/json/fail3.json new file mode 100644 index 0000000000..168c81eb78 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail3.json @@ -0,0 +1 @@ +{unquoted_key: "keys must be quoted"} \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail30.json b/sapi/fuzzer/corpus/json/fail30.json new file mode 100644 index 0000000000..8ab0bc4b8b --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail30.json @@ -0,0 +1 @@ +[0e+] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail31.json b/sapi/fuzzer/corpus/json/fail31.json new file mode 100644 index 0000000000..1cce602b51 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail31.json @@ -0,0 +1 @@ +[0e+-1] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail32.json b/sapi/fuzzer/corpus/json/fail32.json new file mode 100644 index 0000000000..45cba7396f --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail32.json @@ -0,0 +1 @@ +{"Comma instead if closing brace": true, \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail33.json b/sapi/fuzzer/corpus/json/fail33.json new file mode 100644 index 0000000000..ca5eb19dc9 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail33.json @@ -0,0 +1 @@ +["mismatch"} \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail4.json b/sapi/fuzzer/corpus/json/fail4.json new file mode 100644 index 0000000000..9de168bf34 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail4.json @@ -0,0 +1 @@ +["extra comma",] \ No newline at end of file 
diff --git a/sapi/fuzzer/corpus/json/fail5.json b/sapi/fuzzer/corpus/json/fail5.json new file mode 100644 index 0000000000..ddf3ce3d24 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail5.json @@ -0,0 +1 @@ +["double extra comma",,] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail6.json b/sapi/fuzzer/corpus/json/fail6.json new file mode 100644 index 0000000000..ed91580e1b --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail6.json @@ -0,0 +1 @@ +[ , "<-- missing value"] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail7.json b/sapi/fuzzer/corpus/json/fail7.json new file mode 100644 index 0000000000..8a96af3e4e --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail7.json @@ -0,0 +1 @@ +["Comma after the close"], \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail8.json b/sapi/fuzzer/corpus/json/fail8.json new file mode 100644 index 0000000000..b28479c6ec --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail8.json @@ -0,0 +1 @@ +["Extra close"]] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail9.json b/sapi/fuzzer/corpus/json/fail9.json new file mode 100644 index 0000000000..5815574f36 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail9.json @@ -0,0 +1 @@ +{"Extra comma": true,} \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/pass1.json b/sapi/fuzzer/corpus/json/pass1.json new file mode 100644 index 0000000000..70e2685436 --- /dev/null +++ b/sapi/fuzzer/corpus/json/pass1.json 
@@ -0,0 +1,58 @@ +[ + "JSON Test Pattern pass1", + {"object with 1 member":["array with 1 element"]}, + {}, + [], + -42, + true, + false, + null, + { + "integer": 1234567890, + "real": -9876.543210, + "e": 0.123456789e-12, + "E": 1.234567890E+34, + "": 23456789012E66, + "zero": 0, + "one": 1, + "space": " ", + "quote": "\"", + "backslash": "\\", + "controls": "\b\f\n\r\t", + "slash": "/ & \/", + "alpha": "abcdefghijklmnopqrstuvwyz", + "ALPHA": "ABCDEFGHIJKLMNOPQRSTUVWYZ", + "digit": "0123456789", + "0123456789": "digit", + "special": "`1~!@#$%^&*()_+-={':[,]}|;.?", + "hex": "\u0123\u4567\u89AB\uCDEF\uabcd\uef4A", + "true": true, + "false": false, + "null": null, + "array":[ ], + "object":{ }, + "address": "50 St. James Street", + "url": "http://www.JSON.org/", + "comment": "// /* */": " ", + " s p a c e d " :[1,2 , 3 + +, + +4 , 5 , 6 ,7 ],"compact":[1,2,3,4,5,6,7], + "jsontext": "{\"object with 1 member\":[\"array with 1 element\"]}", + "quotes": "" \u0022 %22 0x22 034 "", + "\/\\\"\uCAFE\uBABE\uAB98\uFCDE\ubcda\uef4A\b\f\n\r\t`1~!@#$%^&*()_+-=[]{}|;:',./<>?" +: "A key can be any string" + }, + 0.5 ,98.6 +, +99.44 +, + +1066, +1e1, +0.1e1, +1e-1, +1e00,2e+00,2e-00 +,"rosebud"] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/pass2.json b/sapi/fuzzer/corpus/json/pass2.json new file mode 100644 index 0000000000..d3c63c7ad8 --- /dev/null +++ b/sapi/fuzzer/corpus/json/pass2.json @@ -0,0 +1 @@ +[[[[[[[[[[[[[[[[[[["Not too deep"]]]]]]]]]]]]]]]]]]] \ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/pass3.json b/sapi/fuzzer/corpus/json/pass3.json new file mode 100644 index 0000000000..4528d51f1a --- /dev/null +++ b/sapi/fuzzer/corpus/json/pass3.json @@ -0,0 +1,6 @@ +{ + "JSON Test Pattern pass3": { + "The outermost value": "must be an object or array.", + "In this test": "It is an object." + } +} diff --git a/sapi/fuzzer/fuzzer-exif.c b/sapi/fuzzer/fuzzer-exif.c new file mode 100644 index 0000000000..574f3393d2 --- /dev/null 
+++ b/sapi/fuzzer/fuzzer-exif.c
@@ -0,0 +1,65 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Stanislav Malyshev |
+ +----------------------------------------------------------------------+
+ */
+
+#include "fuzzer.h"
+
+#include "Zend/zend.h"
+#include "main/php_config.h"
+#include "main/php_main.h"
+#include "ext/standard/php_var.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "fuzzer-sapi.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ char *filename;
+ int filedes;
+
+ if (php_request_startup()==FAILURE) {
+ php_module_shutdown();
+ return 0;
+ }
+
+ /* put the data in a file */
+ filename = tmpnam(NULL);
+ filedes = open(filename, O_CREAT|O_RDWR);
+ write(filedes, Data, Size);
+ close(filedes);
+
+ fuzzer_call_php_func("exif_read_data", 1, &filename);
+
+ /* cleanup */
+ unlink(filename);
+ php_request_shutdown(NULL);
+
+ return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ fuzzer_init_php();
+
+ /* fuzzer_shutdown_php(); */
+ return 0;
+}
+
diff --git a/sapi/fuzzer/fuzzer-json.c b/sapi/fuzzer/fuzzer-json.c
new file mode 100644
index 0000000000..0c619a22b9
--- /dev/null
+++ b/sapi/fuzzer/fuzzer-json.c
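Review bot: The temp-file creation at `filename = tmpnam(NULL); filedes = open(filename, O_CREAT|O_RDWR);` is unsafe in three independent ways: tmpnam() returns a predictable name that another process can pre-create before the open (symlink race), open() is called with O_CREAT but without the mode argument, so the file is created with an unspecified permission value, and neither open() nor write() is checked, so a failed open silently fuzzes a missing file. mkstemp() on a caller-owned template fixes all three at once: it creates the file with O_EXCL and mode 0600 and returns a descriptor that can be checked. fuzzer_call_php_func takes a `char **`, so the template array needs a pointer variable to be passed through. mkstemp() is declared in <stdlib.h>; the include names are stripped in this rendering of the hunk, so confirm it is already included.
```c
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    /* … unchanged: php_request_startup() check … */

    /* put the data in a file: mkstemp() creates it O_EXCL with mode 0600,
       so there is no name race and no open(2) call missing its mode */
    char filename[] = "/tmp/php-fuzzer-exif-XXXXXX";   /* constructed template */
    int filedes = mkstemp(filename);
    if (filedes < 0 || write(filedes, Data, Size) != (ssize_t)Size) {
        if (filedes >= 0) {
            close(filedes);
            unlink(filename);
        }
        php_request_shutdown(NULL);
        return 0;
    }
    close(filedes);

    char *fname = filename;
    fuzzer_call_php_func("exif_read_data", 1, &fname);

    /* … unchanged: unlink(filename), php_request_shutdown(NULL), return 0 … */
```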
@@ -0,0 +1,73 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Johannes Schlüter |
+ | Stanislav Malyshev |
+ +----------------------------------------------------------------------+
+ */
+
+
+
+#include "fuzzer.h"
+
+#include "Zend/zend.h"
+#include "main/php_config.h"
+#include "main/php_main.h"
+
+#include
+#include
+#include
+
+#include "fuzzer-sapi.h"
+
+#ifdef HAVE_JSON
+#include "ext/json/php_json_parser.h"
+#endif
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef HAVE_JSON
+ char *data = malloc(Size+1);
+ memcpy(data, Data, Size);
+ data[Size] = '\0';
+
+ if (php_request_startup()==FAILURE) {
+ php_module_shutdown();
+ return 0;
+ }
+
+ for (int option = 0; option <=1; ++option) {
+ zval result;
+ php_json_parser parser;
+ php_json_parser_init(&parser, &result, data, Size, option, 10);
+ php_json_yyparse(&parser);
+
+ ZVAL_UNDEF(&result);
+ }
+
+ php_request_shutdown(NULL);
+
+ free(data);
+#else
+ fprintf(stderr, "\n\nERROR:\nPHP built without JSON, recompile with --enable-json to use this fuzzer\n");
+ exit(1);
+#endif
+ return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ fuzzer_init_php();
+
+ /* fuzzer_shutdown_php(); */
+ return 0;
+}
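Review bot: The parse result is never released: `ZVAL_UNDEF(&result);` after `php_json_yyparse(&parser);` only overwrites the slot, so every array or object the parser builds is leaked, once per option pass, and `result` also goes into the parser uninitialized. Move the `ZVAL_UNDEF(&result);` to just before `php_json_yyparse(&parser);` and replace the one after the parse with `zval_ptr_dtor(&result);` — this assumes the parser leaves `result` untouched on a syntax error, which is what json_decode() appears to rely on; confirm against ext/json before merging. The leak is masked by the __lsan_disable() call in fuzzer-sapi.c, so it will not surface in a sanitizer run. Separately, `char *data = malloc(Size+1);` is fed to `memcpy` without a NULL check here, and the same unchecked-malloc pattern appears in fuzzer-mbstring.c, fuzzer-parser.c and fuzzer-unserialize.c in this commit.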
diff --git a/sapi/fuzzer/fuzzer-mbstring.c b/sapi/fuzzer/fuzzer-mbstring.c
new file mode 100644
index 0000000000..aaeef1ce8a
--- /dev/null
+++ b/sapi/fuzzer/fuzzer-mbstring.c
@@ -0,0 +1,75 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Stanislav Malyshev |
+ +----------------------------------------------------------------------+
+ */
+
+
+#include "fuzzer.h"
+
+#include "Zend/zend.h"
+#include "main/php_config.h"
+#include "main/php_main.h"
+
+#include
+#include
+#include
+
+#include "fuzzer-sapi.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef HAVE_MBREGEX
+ char *args[2];
+ char *data = malloc(Size+1);
+ memcpy(data, Data, Size);
+ data[Size] = '\0';
+
+ if (php_request_startup()==FAILURE) {
+ php_module_shutdown();
+ return 0;
+ }
+
+ args[0] = data;
+ args[1] = "test123";
+ fuzzer_call_php_func("mb_ereg", 2, args);
+
+ args[0] = data;
+ args[1] = "test123";
+ fuzzer_call_php_func("mb_eregi", 2, args);
+
+ args[0] = data;
+ args[1] = data;
+ fuzzer_call_php_func("mb_ereg", 2, args);
+
+ args[0] = data;
+ args[1] = data;
+ fuzzer_call_php_func("mb_eregi", 2, args);
+
+ php_request_shutdown(NULL);
+
+ free(data);
+#else
+ fprintf(stderr, "\n\nERROR:\nPHP built without mbstring, recompile with --enable-mbstring to use this fuzzer\n");
+ exit(1);
+#endif
+ return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ fuzzer_init_php();
+
+ /* fuzzer_shutdown_php(); */
+ return 0;
+}
diff --git a/sapi/fuzzer/fuzzer-parser.c b/sapi/fuzzer/fuzzer-parser.c
new file mode 100644
index 0000000000..eb1e03b6e8
--- /dev/null
+++ b/sapi/fuzzer/fuzzer-parser.c
@@ -0,0 +1,80 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Johannes Schlüter |
+ | Stanislav Malyshev |
+ +----------------------------------------------------------------------+
+ */
+
+#include
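Review bot: The fuzzer input is handed to mb_ereg/mb_eregi as the regular expression itself, so one pathological pattern can keep an iteration inside the regex engine for a long time; the `max_execution_time=20` in fuzzer-sapi.c's HARDCODED_INI only helps if the engine timeout can interrupt an internal call, which I could not confirm from the hunk, so this target should be run with a short libFuzzer -timeout and that expectation written down next to the calls. The four `args[0] = data; args[1] = ...; fuzzer_call_php_func(..., 2, args);` blocks are the same two calls with two argument pairs and read more clearly as a loop over the function names, with a comment on what each pair exercises, as below.
```c
    /* … unchanged: buffer copy and php_request_startup() check … */
    static const char *const funcs[] = { "mb_ereg", "mb_eregi" };
    for (size_t f = 0; f < 2; f++) {
        args[0] = data;
        args[1] = "test123";   /* fuzzer input as pattern, fixed subject */
        fuzzer_call_php_func(funcs[f], 2, args);
        args[1] = data;        /* fuzzer input as both pattern and subject */
        fuzzer_call_php_func(funcs[f], 2, args);
    }
    /* … unchanged: php_request_shutdown(NULL), free(data) … */
```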
+#include
+#include
+#include
+#include
+#include
+#ifdef JO0
+#include
+#endif
+
+#include "fuzzer.h"
+
+#include "fuzzer-sapi.h"
+
+int fuzzer_do_parse(zend_file_handle *file_handle, char *filename)
+{
+ int retval = FAILURE; /* failure by default */
+
+ SG(options) |= SAPI_OPTION_NO_CHDIR;
+ SG(request_info).argc=0;
+ SG(request_info).argv=NULL;
+
+ if (php_request_startup(TSRMLS_C)==FAILURE) {
+ php_module_shutdown(TSRMLS_C);
+ return FAILURE;
+ }
+
+ SG(headers_sent) = 1;
+ SG(request_info).no_headers = 1;
+ php_register_variable("PHP_SELF", filename, NULL TSRMLS_CC);
+
+ zend_first_try {
+ zend_compile_file(file_handle, ZEND_REQUIRE);
+ //retval = php_execute_script(file_handle TSRMLS_CC);
+ } zend_end_try();
+
+ php_request_shutdown((void *) 0);
+
+ return (retval == SUCCESS) ? SUCCESS : FAILURE;
+}
+
+int fuzzer_do_request_d(char *filename, char *data, size_t data_len);
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ char *s = malloc(Size+1);
+ memcpy(s, Data, Size);
+ s[Size] = '\0';
+
+ fuzzer_do_request_d("fuzzer.php", Data, Size);
+ //fuzzer_do_parse(&file_handle, "fuzzer.php");
+
+ free(s);
+ return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ fuzzer_init_php();
+
+ /* fuzzer_shutdown_php(); */
+ return 0;
+}
diff --git a/sapi/fuzzer/fuzzer-sapi.c b/sapi/fuzzer/fuzzer-sapi.c
new file mode 100644
index 0000000000..dd26c3c103
--- /dev/null
+++ b/sapi/fuzzer/fuzzer-sapi.c
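Review bot: `fuzzer_do_request_d("fuzzer.php", Data, Size);` passes the raw libFuzzer buffer instead of the NUL-terminated copy `s` allocated three lines earlier, so the copy is dead and the call silently drops `const` from a `const uint8_t *` to fit a `char *` parameter; it should read `fuzzer_do_request_d("fuzzer.php", s, Size);`. `fuzzer_do_parse` duplicates `fuzzer_do_request` from fuzzer-sapi.c almost line for line and its only call is commented out, so it should go, together with the `#ifdef JO0` include block and the local forward declaration of `fuzzer_do_request_d`, which belongs in fuzzer-sapi.h next to the other prototypes. In both copies `retval` can never become SUCCESS once the `php_execute_script` line is commented out, so the function always returns FAILURE and `(retval == SUCCESS) ? SUCCESS : FAILURE` is an identity; either execute the script or state in a comment that this target only compiles the input.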
@@ -0,0 +1,242 @@ +/* + +----------------------------------------------------------------------+ + | PHP Version 7 | + +----------------------------------------------------------------------+ + | Copyright (c) The PHP Group | + +----------------------------------------------------------------------+ + | This source file is subject to version 3.01 of the PHP license, | + | that is bundled with this package in the file LICENSE, and is | + | available through the world-wide-web at the following url: | + | http://www.php.net/license/3_01.txt | + | If you did not receive a copy of the PHP license and are unable to | + | obtain it through the world-wide-web, please send a note to | + | license@php.net so we can mail you a copy immediately. | + +----------------------------------------------------------------------+ + | Authors: Johannes Schlüter | + | Stanislav Malyshev | + +----------------------------------------------------------------------+ + */ + +#include
+#include
+#include
+#include +#include +#include
+ +#include "fuzzer.h" +#include "fuzzer-sapi.h" + +const char HARDCODED_INI[] = + "html_errors=0\n" + "implicit_flush=1\n" + "max_execution_time=20\n" + "output_buffering=0\n"; + +static int startup(sapi_module_struct *sapi_module) +{ + if (php_module_startup(sapi_module, NULL, 0)==FAILURE) { + return FAILURE; + } + return SUCCESS; +} + +static size_t ub_write(const char *str, size_t str_length TSRMLS_DC) +{ + /* quiet */ + return str_length; +} + +static void fuzzer_flush(void *server_context) +{ + /* quiet */ +} + +static void send_header(sapi_header_struct *sapi_header, void *server_context TSRMLS_DC) +{ +} + +static char* read_cookies(TSRMLS_D) +{ + /* TODO: fuzz these! */ + return NULL; +} + +static void register_variables(zval *track_vars_array TSRMLS_DC) +{ + php_import_environment_variables(track_vars_array TSRMLS_CC); +} + +static void log_message(char *message, int level TSRMLS_DC) +{ +} + + +static sapi_module_struct fuzzer_module = { + "fuzzer", /* name */ + "clang fuzzer", /* pretty name */ + + startup, /* startup */ + php_module_shutdown_wrapper, /* shutdown */ + + NULL, /* activate */ + NULL, /* deactivate */ + + ub_write, /* unbuffered write */ + fuzzer_flush, /* flush */ + NULL, /* get uid */ + NULL, /* getenv */ + + php_error, /* error handler */ + + NULL, /* header handler */ + NULL, /* send headers handler */ + send_header, /* send header handler */ + + NULL, /* read POST data */ + read_cookies, /* read Cookies */ + + register_variables, /* register server variables */ + log_message, /* Log message */ + NULL, /* Get request time */ + NULL, /* Child terminate */ + + STANDARD_SAPI_MODULE_PROPERTIES +}; + +int fuzzer_init_php() +{ + sapi_startup(&fuzzer_module); + fuzzer_module.phpinfo_as_text = 1; + + fuzzer_module.ini_entries = malloc(sizeof(HARDCODED_INI)); + memcpy(fuzzer_module.ini_entries, HARDCODED_INI, sizeof(HARDCODED_INI)); + + /* + * TODO: we might want to test both Zend and malloc MM, but testing with malloc + * is more likely to find 
bugs, so use that for now. + */ + putenv("USE_ZEND_ALLOC=0"); + +#ifdef __SANITIZE_ADDRESS__ + /* Not very interested in memory leak detection, since Zend MM does that */ + __lsan_disable(); +#endif + + if (fuzzer_module.startup(&fuzzer_module)==FAILURE) { + return FAILURE; + } + + return SUCCESS; +} + +void fuzzer_set_ini_file(const char *file) +{ + if (fuzzer_module.php_ini_path_override) { + free(fuzzer_module.php_ini_path_override); + } + fuzzer_module.php_ini_path_override = strdup(file); +} + + +int fuzzer_shutdown_php() +{ + TSRMLS_FETCH(); + + php_module_shutdown(TSRMLS_C); + sapi_shutdown(); + + free(fuzzer_module.ini_entries); + return SUCCESS; +} + +int fuzzer_do_request(zend_file_handle *file_handle, char *filename) +{ + int retval = FAILURE; /* failure by default */ + + SG(options) |= SAPI_OPTION_NO_CHDIR; + SG(request_info).argc=0; + SG(request_info).argv=NULL; + + if (php_request_startup(TSRMLS_C)==FAILURE) { + php_module_shutdown(TSRMLS_C); + return FAILURE; + } + + SG(headers_sent) = 1; + SG(request_info).no_headers = 1; + php_register_variable("PHP_SELF", filename, NULL TSRMLS_CC); + + zend_first_try { + zend_compile_file(file_handle, ZEND_REQUIRE); + /*retval = php_execute_script(file_handle TSRMLS_CC);*/ + } zend_end_try(); + + php_request_shutdown((void *) 0); + + return (retval == SUCCESS) ? 
SUCCESS : FAILURE; +} + + +int fuzzer_do_request_f(char *filename) +{ + zend_file_handle file_handle; + file_handle.type = ZEND_HANDLE_FILENAME; + file_handle.filename = filename; + file_handle.handle.fp = NULL; + file_handle.opened_path = NULL; + + return fuzzer_do_request(&file_handle, filename); +} + +int fuzzer_do_request_d(char *filename, char *data, size_t data_len) +{ + zend_file_handle file_handle; + file_handle.filename = filename; + file_handle.opened_path = NULL; + file_handle.handle.stream.handle = NULL; + file_handle.handle.stream.reader = (zend_stream_reader_t)_php_stream_read; + file_handle.handle.stream.fsizer = NULL; + file_handle.handle.stream.isatty = 0; + file_handle.handle.stream.closer = NULL; + file_handle.buf = data; + file_handle.len = data_len; + file_handle.type = ZEND_HANDLE_STREAM; + + return fuzzer_do_request(&file_handle, filename); +} + +// Call named PHP function with N zval arguments +void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args) { + zval retval, func; + int result; + + ZVAL_STRING(&func, func_name); + ZVAL_UNDEF(&retval); + result = call_user_function(CG(function_table), NULL, &func, &retval, nargs, args); + + // TODO: check result? + /* to ensure retval is not broken */ + php_var_dump(&retval, 0); + + /* cleanup */ + zval_ptr_dtor(&retval); + zval_ptr_dtor(&func); +} + +// Call named PHP function with N string arguments +void fuzzer_call_php_func(const char *func_name, int nargs, char **params) { + zval args[nargs]; + int i; + + for(i=0;i | + | Stanislav Malyshev | + +----------------------------------------------------------------------+ + */ + +int fuzzer_init_php(); +void fuzzer_call_php_func(const char *func_name, int nargs, char **params); +void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args); diff --git a/sapi/fuzzer/fuzzer-unserialize.c b/sapi/fuzzer/fuzzer-unserialize.c new file mode 100644 index 0000000000..9b843f25fe --- /dev/null 
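Review bot: In `fuzzer_do_request`, the `zend_op_array *` returned by `zend_compile_file(file_handle, ZEND_REQUIRE)` is dropped, so the compiled script is never destroyed, and with `putenv("USE_ZEND_ALLOC=0")` plus `__lsan_disable()` set up in fuzzer_init_php that looks like a per-iteration leak nothing will report. Capture and release it inside the try block: `zend_op_array *op_array = zend_compile_file(file_handle, ZEND_REQUIRE); if (op_array) { destroy_op_array(op_array); efree(op_array); }`. Also in this hunk, `fuzzer_module.ini_entries = malloc(sizeof(HARDCODED_INI));` is not checked before the memcpy, `fuzzer_shutdown_php` frees ini_entries but not the strdup'd `php_ini_path_override`, and `fuzzer_do_request_d` installs `_php_stream_read` as the reader of a NULL stream handle, which is safe only while the engine always takes the pre-filled `buf`/`len` path — that assumption deserves a comment on the reader line. The `TSRMLS_*` macros used throughout are empty in PHP 7 and can be dropped. The tail of fuzzer_call_php_func and the head of fuzzer-sapi.h are lost in this rendering of the hunk, so they were not reviewed.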
+++ b/sapi/fuzzer/fuzzer-unserialize.c
@@ -0,0 +1,66 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Johannes Schlüter |
+ +----------------------------------------------------------------------+
+ */
+
+
+#include "fuzzer.h"
+
+#include "Zend/zend.h"
+#include "main/php_config.h"
+#include "main/php_main.h"
+
+#include
+#include
+#include
+
+#include "fuzzer-sapi.h"
+
+#include "ext/standard/php_var.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ unsigned char *data = malloc(Size+1);
+
+ memcpy(data, Data, Size);
+ data[Size] = '\0';
+
+ if (php_request_startup()==FAILURE) {
+ php_module_shutdown();
+ return 0;
+ }
+
+ zval result;
+
+ php_unserialize_data_t var_hash;
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+ php_var_unserialize(&result, &data, data + Size, &var_hash);
+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+
+ zval_ptr_dtor(&result);
+
+ php_request_shutdown(NULL);
+
+ free(data);
+
+ return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ fuzzer_init_php();
+
+ /* fuzzer_shutdown_php(); */
+ return 0;
+}
diff --git a/sapi/fuzzer/fuzzer.h b/sapi/fuzzer/fuzzer.h
new file mode 100644
index 0000000000..b0bae1c7bc
--- /dev/null
+++ b/sapi/fuzzer/fuzzer.h
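Review bot: `php_var_unserialize(&result, &data, data + Size, &var_hash);` advances `data` through the buffer (the second argument is an in/out cursor, declared as `const unsigned char **`, which the non-const `&data` only matches with a warning), so the `free(data);` at the end of the function frees a pointer into the middle of the allocation on every input the unserializer consumes — undefined behaviour that will show up as an invalid-free abort under ASan instead of as a finding in ext/standard. `result` is also passed in uninitialized and then handed to `zval_ptr_dtor`; the unserializer does not always write it on a failed parse, so initialise it before the call. Keep the allocation pointer separate from the parse cursor, as below, and check the malloc while here.
```c
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    unsigned char *buf = malloc(Size+1);
    if (!buf) {
        return 0;
    }
    memcpy(buf, Data, Size);
    buf[Size] = '\0';

    /* … unchanged: php_request_startup() check … */

    zval result;
    ZVAL_UNDEF(&result);   /* a failed parse may leave it untouched */

    /* php_var_unserialize() advances the cursor; buf stays the pointer to free */
    const unsigned char *cursor = buf;
    php_unserialize_data_t var_hash;
    PHP_VAR_UNSERIALIZE_INIT(var_hash);
    php_var_unserialize(&result, &cursor, buf + Size, &var_hash);
    PHP_VAR_UNSERIALIZE_DESTROY(var_hash);

    zval_ptr_dtor(&result);

    /* … unchanged: php_request_shutdown(NULL) … */

    free(buf);
    return 0;
}
```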
@@ -0,0 +1,20 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Johannes Schlüter |
+ +----------------------------------------------------------------------+
+ */
+
+#include "php_version.h"
+#define FUZZER_VERSION PHP_VERSION
diff --git a/sapi/fuzzer/json.dict b/sapi/fuzzer/json.dict
new file mode 100644
index 0000000000..e08245a219
--- /dev/null
+++ b/sapi/fuzzer/json.dict
@@ -0,0 +1,52 @@
+#
+# AFL dictionary for JSON
+# -----------------------
+#
+# Just the very basics.
+#
+# Inspired by a dictionary by Jakub Wilk
+#
+
+"0"
+",0"
+":0"
+"0:"
+"-1.2e+3"
+
+"true"
+"false"
+"null"
+
+"\"\""
+",\"\""
+":\"\""
+"\"\":"
+
+"{}"
+",{}"
+":{}"
+"{\"\":0}"
+"{{}}"
+
+"[]"
+",[]"
+":[]"
+"[0]"
+"[[]]"
+
+"''"
+"\\"
+"\\b"
+"\\f"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+"\\x00"
+"\\0"
+"\\uD800\\uDC00"
+"\\uDBFF\\uDFFF"
+
+"\"\":0"
+"//"
+"/**/"
-- cgit v1.2.1