Add PHAR fuzzer #5424
base: master
Conversation
After fixing that, we get:
Could be resolved either by limiting max uncompressed size (via ini setting?) or by making memory limit work under USE_ZEND_ALLOC=0, which is implemented as part of #5030.
I've opened a bug for that issue at https://bugs.php.net/bug.php?id=79503. A general problem with the fuzzing here is that tars have checksums (even though they seem primitive). We probably need to disable checksum verification under I'm going to leave it at that for now, I think this needs more work before it's usable for oss-fuzz.
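The tar checksum problem raised in the comment above, as an added illustration that is not part of this PR or of php-src: how a ustar header checksum is computed and verified, and the fixup a harness would apply after mutating a header so that inputs are not rejected before they reach the real parser. Field offsets follow the ustar layout; the sample entry is constructed here.

```c
#include <stdio.h>
#include <string.h>

#define TAR_BLOCK 512
#define CHKSUM_OFF 148   /* offset of the 8-byte chksum field in a ustar header */
#define CHKSUM_LEN 8

/* ustar checksum: sum of all 512 header bytes, with the chksum field itself counted as spaces. */
unsigned long tar_checksum(const unsigned char hdr[TAR_BLOCK]) {
    unsigned long sum = 0;
    for (int i = 0; i < TAR_BLOCK; i++) {
        int in_field = (i >= CHKSUM_OFF && i < CHKSUM_OFF + CHKSUM_LEN);
        sum += in_field ? (unsigned char)' ' : hdr[i];
    }
    return sum;
}

/* Fixup after mutation: store the sum as six octal digits, NUL, space. */
void tar_write_checksum(unsigned char hdr[TAR_BLOCK]) {
    char buf[CHKSUM_LEN + 1];
    snprintf(buf, sizeof buf, "%06lo", tar_checksum(hdr));
    memcpy(hdr + CHKSUM_OFF, buf, 6);
    hdr[CHKSUM_OFF + 6] = '\0';
    hdr[CHKSUM_OFF + 7] = ' ';
}

/* Verification as a tar reader does it: parse the stored octal value and compare. Returns 1 on match. */
int tar_checksum_ok(const unsigned char hdr[TAR_BLOCK]) {
    unsigned long stored = 0;
    for (int i = 0; i < CHKSUM_LEN; i++) {
        unsigned char c = hdr[CHKSUM_OFF + i];
        if (c == ' ' || c == '\0') continue;      /* padding characters */
        if (c < '0' || c > '7') return 0;         /* not octal: reject */
        stored = stored * 8 + (c - '0');
    }
    return stored == tar_checksum(hdr);
}

/* Constructed sample (not from the page): a ustar entry for "hello.txt". */
void build_sample_header(unsigned char hdr[TAR_BLOCK]) {
    memset(hdr, 0, TAR_BLOCK);
    memcpy(hdr, "hello.txt", 9);           /* name */
    memcpy(hdr + 100, "0000644", 7);        /* mode (octal) */
    memcpy(hdr + 124, "00000000005", 11);   /* size: 5 bytes (octal) */
    hdr[156] = '0';                         /* typeflag: regular file */
    memcpy(hdr + 257, "ustar", 6);          /* magic, NUL-terminated */
    memcpy(hdr + 263, "00", 2);             /* version */
    tar_write_checksum(hdr);
}
```

Any single-byte mutation outside the chksum field changes the sum, so without this fixup (or with verification left enabled in the target) the mutated header is dropped at the checksum check and the fuzzer never exercises the code behind it.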
Not sure what to do with OOM errors - for a format that includes object sizes, it's trivial to specify a very large object size, and I think for PHP OOM is exactly what should happen in this case - that's why emalloc has memory limits. Adding another check there would not be of much use. It'd be the best if we could just shut up OOM errors, as emalloc handles them just fine and it's not what we want the fuzzer for - but I am not sure whether there's an option for that.
Hmm, I wasn't aware of
Remove HAVE_PHAR check, it's on by default
With USE_TRACKED_ALLOC=1 we now avoid leaks on bailout and OOM issues. However, we get continuously increasing (but non-leaking) memory usage, likely because phar has some global state that does not get cleared. We'd have to check coverage data to see whether the fuzzer is actually doing anything useful, or getting stumped by checksum checks.
It looks like the increasing memory usage (that causes leak sanitizer to be auto disabled) is caused by realpath cache:
There was a similar issue with the original exif fuzzer. It would be best if we can avoid going through a file at all, or open the file without going through realpath cache (iirc there's a flag for that).
Unfortunately phar.c only exports the file endpoint, if we made the We could probably export the fp function and try with that if it improves things.
This adds a phar extension fuzzer, based on existing phar tests.