Add fuzzer SAPIs to the core

Author: smalyshev

sapi/fuzzer/Makefile.frag

@@ -0,0 +1,18 @@
+fuzzer: $(PHP_FUZZER_BINARIES)
+
+FUZZER_BUILD = $(LIBTOOL) --mode=link $(FUZZING_CC) -export-dynamic $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS_PROGRAM) $(LDFLAGS) $(PHP_RPATHS) $(PHP_GLOBAL_OBJS) $(PHP_BINARY_OBJS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) $(FUZZING_LIB) -rpath /ORIGIN/lib
+
+$(SAPI_FUZZER_PATH)/php-fuzz-parser: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_PARSER_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_PARSER_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-unserialize: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_UNSERIALIZE_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_UNSERIALIZE_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-json: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_JSON_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_JSON_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-exif: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_EXIF_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_EXIF_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-mbstring: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_MBSTRING_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_MBSTRING_OBJS) -o $@

sapi/fuzzer/README

@@ -0,0 +1,13 @@
+Fuzzing SAPI for PHP
+
+Enable fuzzing targets with --enable-fuzzer switch.
+
+Your compiler should support -fsanitize=address and you need
+to have Fuzzer library around.
+
+When running `make` it creates these binaries in `sapi/fuzzer/`:
+* php-fuzz-parser - fuzzing language parser
+* php-fuzz-unserialize - fuzzing unserialize() function
+* php-fuzz-json - fuzzing JSON parser
+* php-fuzz-exif - fuzzing exif_read_data() function (use --enable-exif)
+* php-fuzz-mbstring - fuzzing mb_ereg[i] (requires --enable-mbstring)

sapi/fuzzer/config.m4

@@ -0,0 +1,63 @@
+AC_MSG_CHECKING(for clang fuzzer SAPI)
+
+PHP_ARG_ENABLE([fuzzer],,
+  [AS_HELP_STRING([--enable-fuzzer],
+    [Build PHP as clang fuzzing test module (for developers)])],
+  [no])
+
+dnl For newer clang versions see https://llvm.org/docs/LibFuzzer.html#fuzzer-usage
+dnl for relevant flags.
+
+dnl Macro to define fuzzing target
+dnl PHP_FUZZER_TARGET(name, target-var)
+dnl
+AC_DEFUN([PHP_FUZZER_TARGET], [
+  PHP_FUZZER_BINARIES="$PHP_FUZZER_BINARIES $SAPI_FUZZER_PATH/php-fuzz-$1"
+  PHP_SUBST($2)
+  PHP_ADD_SOURCES_X([sapi/fuzzer],[fuzzer-$1.c fuzzer-sapi.c],[],$2)
+])
+
+if test "$PHP_FUZZER" != "no"; then
+  AC_MSG_RESULT([yes])
+  PHP_REQUIRE_CXX()
+  PHP_ADD_MAKEFILE_FRAGMENT($abs_srcdir/sapi/fuzzer/Makefile.frag)
+  SAPI_FUZZER_PATH=sapi/fuzzer
+  PHP_SUBST(SAPI_FUZZER_PATH)
+  if test -z "$LIB_FUZZING_ENGINE"; then
+    FUZZING_LIB="-lFuzzer"
+    FUZZING_CC="$CC"
+    AX_CHECK_COMPILE_FLAG([-fsanitize=address], [
+      CFLAGS="$CFLAGS -fsanitize=address"
+      CXXFLAGS="$CXXFLAGS -fsanitize=address"
+      LDFLAGS="$LDFLAGS -fsanitize=address"
+    ],[
+      AC_MSG_ERROR(compiler doesn't support -fsanitize flags)
+    ])
+  else
+    FUZZING_LIB="-lFuzzingEngine"
+    FUZZING_CC="$CXX -stdlib=libc++"
+  fi
+  PHP_SUBST(FUZZING_LIB)
+  PHP_SUBST(FUZZING_CC)
+
+  dnl PHP_SELECT_SAPI(fuzzer-parser, program, $FUZZER_SOURCES, , '$(SAPI_FUZZER_PATH)')
+
+  PHP_ADD_BUILD_DIR([sapi/fuzzer])
+  PHP_FUZZER_BINARIES=""
+  PHP_INSTALLED_SAPIS="$PHP_INSTALLED_SAPIS fuzzer"
+
+  PHP_FUZZER_TARGET([parser], PHP_FUZZER_PARSER_OBJS)
+  PHP_FUZZER_TARGET([unserialize], PHP_FUZZER_UNSERIALIZE_OBJS)
+  PHP_FUZZER_TARGET([exif], PHP_FUZZER_EXIF_OBJS)
+
+  if test -n "$enable_json" && test "$enable_json" != "no"; then
+    PHP_FUZZER_TARGET([json], PHP_FUZZER_JSON_OBJS)
+  fi
+  if test -n "$enable_mbstring" && test "$enable_mbstring" != "no"; then
+    PHP_FUZZER_TARGET([mbstring], PHP_FUZZER_MBSTRING_OBJS)
+  fi
+
+  PHP_SUBST(PHP_FUZZER_BINARIES)
+fi
+
+AC_MSG_RESULT($PHP_FUZZER)

sapi/fuzzer/corpus/exif/bug34704.jpg

@@ -0,0 +1 @@
+{"prop":{"prop":null}}

sapi/fuzzer/corpus/exif/bug34704_2.jpg

@@ -0,0 +1 @@
+{"a":100.1,"b":"foo"}

sapi/fuzzer/corpus/exif/bug48378.jpeg

@@ -0,0 +1 @@
+[100.1,"bar"]

sapi/fuzzer/corpus/exif/bug54002_1.jpeg

@@ -0,0 +1,2 @@
+{"0":0,"\u0000ab":1,"1":"\u0000null-prefixed value"}
+

sapi/fuzzer/corpus/exif/bug54002_2.jpeg

@@ -0,0 +1 @@
+{ "test": { "foo": "bar" } }

sapi/fuzzer/corpus/exif/bug62523_1.jpg

@@ -0,0 +1,2 @@
+"aa\udbff\udffdzz"
+

sapi/fuzzer/corpus/exif/bug62523_3.jpg

@@ -0,0 +1 @@
+"latin 1234 -\/    russian мама мыла раму  specialchars \u0002   \b \n   U+1D11E >𝄞<"

sapi/fuzzer/corpus/exif/bug68113.jpg

@@ -0,0 +1 @@
+{"test":"123343e871700"}

sapi/fuzzer/corpus/exif/bug68113_2.jpg

@@ -0,0 +1 @@
+[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[["Too deep"]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

sapi/fuzzer/corpus/exif/bug68799.jpg

@@ -0,0 +1 @@
+{"myInt":99,"myFloat":123.45,"myNull":null,"myBool":true,"myString":"Hello World"}

sapi/fuzzer/corpus/exif/bug72094_1.jpg

@@ -0,0 +1 @@
+"\u65e5\u672c\u8a9e\u30c6\u30ad\u30b9\u30c8\u3067\u3059\u300201234\uff15\uff16\uff17\uff18\uff19\u3002"

sapi/fuzzer/corpus/exif/bug72094_2.jpg

@@ -0,0 +1 @@
+{"largenum":123456789012345678901234567890}

sapi/fuzzer/corpus/exif/bug72094_3.jpg

@@ -0,0 +1 @@
+["<foo>","'bar'","\"baz\"","&blong&"]

sapi/fuzzer/corpus/exif/bug72094_4.jpg

@@ -0,0 +1 @@
+["\u003Cfoo\u003E","\u0027bar\u0027","\u0022baz\u0022","\u0026blong\u0026"]

sapi/fuzzer/corpus/exif/bug72603.jpeg

@@ -0,0 +1,5 @@
+[
+{"":"value"},
+{"":"value", "key":"value"},
+{"key":"value", "":"value"}
+]

sapi/fuzzer/corpus/exif/bug72618.jpg

@@ -0,0 +1 @@
+[123,13452345,123.13452345]

sapi/fuzzer/corpus/exif/bug72627.tiff

@@ -0,0 +1,2 @@
+["\ud834\udd00"]
+

sapi/fuzzer/corpus/exif/bug73737.tiff

@@ -0,0 +1 @@
+{"zero": 0e0}

sapi/fuzzer/corpus/exif/bug76130_1.jpg

@@ -0,0 +1 @@
+[null,null,"abc"]

sapi/fuzzer/corpus/exif/bug76130_2.jpg

@@ -0,0 +1 @@
+"A JSON payload should be an object or array, not a string."

sapi/fuzzer/corpus/exif/bug76423.jpg

@@ -0,0 +1 @@
+{"Extra value after close": true} "misplaced quoted value"

sapi/fuzzer/corpus/exif/bug76557.jpg

@@ -0,0 +1 @@
+{"Illegal expression": 1 + 2}

sapi/fuzzer/corpus/exif/bug77540.jpg

@@ -0,0 +1 @@
+{"Illegal invocation": alert()}

sapi/fuzzer/corpus/exif/bug77563.jpg

@@ -0,0 +1 @@
+{"Numbers cannot have leading zeroes": 013}

sapi/fuzzer/corpus/exif/bug77753.tiff

@@ -0,0 +1 @@
+{"Numbers cannot be hex": 0x14}

sapi/fuzzer/corpus/exif/bug77831.tiff

@@ -0,0 +1 @@
+["Illegal backslash escape: \x15"]

sapi/fuzzer/corpus/exif/bug77950.tiff

@@ -0,0 +1 @@
+[\naked]

sapi/fuzzer/corpus/exif/bug77988.jpg

@@ -0,0 +1 @@
+["Illegal backslash escape: \017"]

sapi/fuzzer/corpus/exif/exif_encoding_crash.jpg

@@ -0,0 +1 @@
+[[[[[[[[[[[[[[[[[[[["Too deep"]]]]]]]]]]]]]]]]]]]]

sapi/fuzzer/corpus/exif/image007.jpg

@@ -0,0 +1 @@
+{"Missing colon" null}

sapi/fuzzer/corpus/exif/image008.jpg

@@ -0,0 +1 @@
+["Unclosed array"

sapi/fuzzer/corpus/exif/image009.jpg

@@ -0,0 +1 @@
+{"Double colon":: null}

sapi/fuzzer/corpus/exif/image010.jpg

@@ -0,0 +1 @@
+{"Comma instead of colon", null}

sapi/fuzzer/corpus/exif/image011.jpg

@@ -0,0 +1 @@
+["Colon instead of comma": false]

sapi/fuzzer/corpus/exif/image012.jpg

@@ -0,0 +1 @@
+["Bad value", truth]

sapi/fuzzer/corpus/exif/image013.jpg

@@ -0,0 +1 @@
+['single quote']

sapi/fuzzer/corpus/exif/image014.jpg

@@ -0,0 +1 @@
+["	tab	character	in	string	"]

sapi/fuzzer/corpus/exif/image015.jpg

@@ -0,0 +1 @@
+["tab\   character\   in\  string\  "]

sapi/fuzzer/corpus/exif/image016.tiff

@@ -0,0 +1,2 @@
+["line
+break"]

sapi/fuzzer/corpus/exif/image017.tiff

@@ -0,0 +1,2 @@
+["line\
+break"]

sapi/fuzzer/corpus/exif/image018.tiff

@@ -0,0 +1 @@
+[0e]

sapi/fuzzer/corpus/exif/image020.tiff

@@ -0,0 +1 @@
+{unquoted_key: "keys must be quoted"}

sapi/fuzzer/corpus/exif/image021.tiff

@@ -0,0 +1 @@
+[0e+]

sapi/fuzzer/corpus/exif/image022.tiff

@@ -0,0 +1 @@
+[0e+-1]

sapi/fuzzer/corpus/exif/image023.tiff

@@ -0,0 +1 @@
+{"Comma instead if closing brace": true,

sapi/fuzzer/corpus/exif/image024.jpg

@@ -0,0 +1 @@
+["mismatch"}

sapi/fuzzer/corpus/exif/image025.jpg

@@ -0,0 +1 @@
+["extra comma",]

sapi/fuzzer/corpus/exif/image026.tiff

@@ -0,0 +1 @@
+["double extra comma",,]

sapi/fuzzer/corpus/exif/image027.tiff

@@ -0,0 +1 @@
+[   , "<-- missing value"]

sapi/fuzzer/corpus/exif/test1.jpg

@@ -0,0 +1 @@
+["Comma after the close"],

sapi/fuzzer/corpus/exif/test2.jpg

@@ -0,0 +1 @@
+["Extra close"]]

sapi/fuzzer/corpus/exif/test22.jpg

@@ -0,0 +1 @@
+{"Extra comma": true,}

sapi/fuzzer/corpus/exif/test3.jpg

@@ -0,0 +1,58 @@
+[
+    "JSON Test Pattern pass1",
+    {"object with 1 member":["array with 1 element"]},
+    {},
+    [],
+    -42,
+    true,
+    false,
+    null,
+    {
+        "integer": 1234567890,
+        "real": -9876.543210,
+        "e": 0.123456789e-12,
+        "E": 1.234567890E+34,
+        "":  23456789012E66,
+        "zero": 0,
+        "one": 1,
+        "space": " ",
+        "quote": "\"",
+        "backslash": "\\",
+        "controls": "\b\f\n\r\t",
+        "slash": "/ & \/",
+        "alpha": "abcdefghijklmnopqrstuvwyz",
+        "ALPHA": "ABCDEFGHIJKLMNOPQRSTUVWYZ",
+        "digit": "0123456789",
+        "0123456789": "digit",
+        "special": "`1~!@#$%^&*()_+-={':[,]}|;.</>?",
+        "hex": "\u0123\u4567\u89AB\uCDEF\uabcd\uef4A",
+        "true": true,
+        "false": false,
+        "null": null,
+        "array":[  ],
+        "object":{  },
+        "address": "50 St. James Street",
+        "url": "http://www.JSON.org/",
+        "comment": "// /* <!-- --",
+        "# -- --> */": " ",
+        " s p a c e d " :[1,2 , 3
+
+,
+
+4 , 5        ,          6           ,7        ],"compact":[1,2,3,4,5,6,7],
+        "jsontext": "{\"object with 1 member\":[\"array with 1 element\"]}",
+        "quotes": "&#34; \u0022 %22 0x22 034 &#x22;",
+        "\/\\\"\uCAFE\uBABE\uAB98\uFCDE\ubcda\uef4A\b\f\n\r\t`1~!@#$%^&*()_+-=[]{}|;:',./<>?"
+: "A key can be any string"
+    },
+    0.5 ,98.6
+,
+99.44
+,
+
+1066,
+1e1,
+0.1e1,
+1e-1,
+1e00,2e+00,2e-00
+,"rosebud"]

sapi/fuzzer/corpus/exif/test4.jpg

@@ -0,0 +1 @@
+[[[[[[[[[[[[[[[[[[["Not too deep"]]]]]]]]]]]]]]]]]]]

sapi/fuzzer/corpus/exif/test5.jpg

@@ -0,0 +1,6 @@
+{
+    "JSON Test Pattern pass3": {
+        "The outermost value": "must be an object or array.",
+        "In this test": "It is an object."
+    }
+}