Extract some common fuzzer code

php · Jun 30, 2020 · b0b8361 · b0b8361
1 parent 75ada66
commit b0b8361
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 53 deletions.
diff --git a/sapi/fuzzer/fuzzer-sapi.c b/sapi/fuzzer/fuzzer-sapi.c
@@ -156,6 +156,37 @@ int fuzzer_request_startup()
 	return SUCCESS;
 }
 
+void fuzzer_request_shutdown()
+{
+	/* Destroy thrown exceptions. This does not happen as part of request shutdown. */
+	if (EG(exception)) {
+		zend_object_release(EG(exception));
+		EG(exception) = NULL;
+	}
+
+	/* Some fuzzers (like unserialize) may create circular structures. Make sure we free them.
+	 * Two calls are performed to handle objects with destructors. */
+	zend_gc_collect_cycles();
+	zend_gc_collect_cycles();
+
+	php_request_shutdown(NULL);
+}
+
+/* Set up a dummy stack frame so that exceptions may be thrown. */
+void fuzzer_setup_dummy_frame()
+{
+	static zend_execute_data execute_data;
+	static zend_function func;
+
+	memset(&execute_data, 0, sizeof(zend_execute_data));
+	memset(&func, 0, sizeof(zend_function));
+
+	func.type = ZEND_INTERNAL_FUNCTION;
+	func.common.function_name = ZSTR_EMPTY_ALLOC();
+	execute_data.func = &func;
+	EG(current_execute_data) = &execute_data;
+}
+
 void fuzzer_set_ini_file(const char *file)
 {
 	if (fuzzer_module.php_ini_path_override) {

diff --git a/sapi/fuzzer/fuzzer-sapi.h b/sapi/fuzzer/fuzzer-sapi.h
@@ -15,8 +15,10 @@
    +----------------------------------------------------------------------+
  */
 
-int fuzzer_init_php();
-int fuzzer_request_startup();
+int fuzzer_init_php(void);
+int fuzzer_request_startup(void);
+void fuzzer_request_shutdown(void);
+void fuzzer_setup_dummy_frame(void);
 void fuzzer_call_php_func(const char *func_name, int nargs, char **params);
 void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args);
 int fuzzer_do_request_from_buffer(char *filename, char *data, size_t data_len);
diff --git a/sapi/fuzzer/fuzzer-unserialize.c b/sapi/fuzzer/fuzzer-unserialize.c
@@ -31,26 +31,14 @@
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 	unsigned char *orig_data = malloc(Size+1);
-	zend_execute_data execute_data;
-	zend_function func;
-
 	memcpy(orig_data, Data, Size);
 	orig_data[Size] = '\0';
 
-	if (fuzzer_request_startup()==FAILURE) {
+	if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
-	/* Set up a dummy stack frame so that exceptions may be thrown. */
-	{
-		memset(&execute_data, 0, sizeof(zend_execute_data));
-		memset(&func, 0, sizeof(zend_function));
-
-		func.type = ZEND_INTERNAL_FUNCTION;
-		func.common.function_name = ZSTR_EMPTY_ALLOC();
-		execute_data.func = &func;
-		EG(current_execute_data) = &execute_data;
-	}
+	fuzzer_setup_dummy_frame();
 
 	{
 		const unsigned char *data = orig_data;
@@ -63,22 +51,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 
 		zval_ptr_dtor(&result);
-
-		/* Destroy any thrown exception. */
-		if (EG(exception)) {
-			zend_object_release(EG(exception));
-			EG(exception) = NULL;
-		}
 	}
 
-	/* Unserialize may create circular structure. Make sure we free them.
-	 * Two calls are performed to handle objects with destructors. */
-	zend_gc_collect_cycles();
-	zend_gc_collect_cycles();
-	php_request_shutdown(NULL);
-
 	free(orig_data);
 
+	fuzzer_request_shutdown();
 	return 0;
 }
 

diff --git a/sapi/fuzzer/fuzzer-unserializehash.c b/sapi/fuzzer/fuzzer-unserializehash.c
@@ -28,8 +28,6 @@
 #include "ext/standard/php_var.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
-	zend_execute_data execute_data;
-	zend_function func;
 	const uint8_t *Start = memchr(Data, '|', FullSize);
 	if (!Start) {
 		return 0;
@@ -41,20 +39,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
 	memcpy(orig_data, Start, Size);
 	orig_data[Size] = '\0';
 
-	if (fuzzer_request_startup()==FAILURE) {
+	if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
-	/* Set up a dummy stack frame so that exceptions may be thrown. */
-	{
-		memset(&execute_data, 0, sizeof(zend_execute_data));
-		memset(&func, 0, sizeof(zend_function));
-
-		func.type = ZEND_INTERNAL_FUNCTION;
-		func.common.function_name = ZSTR_EMPTY_ALLOC();
-		execute_data.func = &func;
-		EG(current_execute_data) = &execute_data;
-	}
+	fuzzer_setup_dummy_frame();
 
 	{
 		const unsigned char *data = orig_data;
@@ -77,22 +66,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
 		}
 
 		zval_ptr_dtor(&result);
-
-		/* Destroy any thrown exception. */
-		if (EG(exception)) {
-			zend_object_release(EG(exception));
-			EG(exception) = NULL;
-		}
 	}
 
-	/* Unserialize may create circular structure. Make sure we free them.
-	 * Two calls are performed to handle objects with destructors. */
-	zend_gc_collect_cycles();
-	zend_gc_collect_cycles();
-	php_request_shutdown(NULL);
-
 	free(orig_data);
 
+	fuzzer_request_shutdown();
 	return 0;
 }
 

diff --git a/sapi/fuzzer/generate_all.php b/sapi/fuzzer/generate_all.php
@@ -0,0 +1,4 @@
+<?php
+require __DIR__ . '/generate_unserialize_dict.php';
+require __DIR__ . '/generate_unserializehash_corpus.php';
+require __DIR__ . '/generate_parser_corpus.php';