From 24003b5e8cee9813b977eb4dca66be2143ad5606 Mon Sep 17 00:00:00 2001 From: Saki Takamachi Date: Thu, 13 Mar 2025 10:33:04 +0900 Subject: [PATCH 01/11] fuzzer for bcmath --- sapi/fuzzer/Makefile.frag | 3 + sapi/fuzzer/README.md | 1 + sapi/fuzzer/config.m4 | 1 + sapi/fuzzer/corpus/bcmath/1 | 1 + sapi/fuzzer/corpus/bcmath/2 | 1 + sapi/fuzzer/corpus/bcmath/3 | 1 + sapi/fuzzer/corpus/bcmath/4 | 1 + sapi/fuzzer/corpus/bcmath/5 | 1 + sapi/fuzzer/corpus/bcmath/6 | 1 + sapi/fuzzer/fuzzer-bcmath.c | 165 ++++++++++++++++++++++++++++++++++++ 10 files changed, 176 insertions(+) create mode 100644 sapi/fuzzer/corpus/bcmath/1 create mode 100644 sapi/fuzzer/corpus/bcmath/2 create mode 100644 sapi/fuzzer/corpus/bcmath/3 create mode 100644 sapi/fuzzer/corpus/bcmath/4 create mode 100644 sapi/fuzzer/corpus/bcmath/5 create mode 100644 sapi/fuzzer/corpus/bcmath/6 create mode 100644 sapi/fuzzer/fuzzer-bcmath.c diff --git a/sapi/fuzzer/Makefile.frag b/sapi/fuzzer/Makefile.frag index 9608e29d48910..d6cabedde7015 100644 --- a/sapi/fuzzer/Makefile.frag +++ b/sapi/fuzzer/Makefile.frag @@ -31,3 +31,6 @@ $(SAPI_FUZZER_PATH)/php-fuzz-mbstring: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP $(SAPI_FUZZER_PATH)/php-fuzz-mbregex: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_MBREGEX_OBJS) $(FUZZER_BUILD) $(PHP_FUZZER_MBREGEX_OBJS) -o $@ + +$(SAPI_FUZZER_PATH)/php-fuzz-bcmath: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_BCMATH_OBJS) + $(FUZZER_BUILD) $(PHP_FUZZER_BCMATH_OBJS) -o $@ diff --git a/sapi/fuzzer/README.md b/sapi/fuzzer/README.md index b4bb2bbe4573f..2ada5f7b79e8e 100644 --- a/sapi/fuzzer/README.md +++ b/sapi/fuzzer/README.md 
@@ -33,6 +33,7 @@ When running `make` it creates these binaries in `sapi/fuzzer/`: * `php-fuzz-execute`: Fuzzing the executor * `php-fuzz-function-jit`: Fuzzing the function JIT (requires --enable-opcache) * `php-fuzz-tracing-jit`: Fuzzing the tracing JIT (requires --enable-opcache) +* `php-fuzz-bcmath`: Fuzzing division (requires --enable-bcmath) Some fuzzers have a seed corpus in `sapi/fuzzer/corpus`. You can use it as follows: diff --git a/sapi/fuzzer/config.m4 b/sapi/fuzzer/config.m4 index 21a44cd6d886e..5da5ea5e71a8a 100644 --- a/sapi/fuzzer/config.m4 +++ b/sapi/fuzzer/config.m4 @@ -63,6 +63,7 @@ if test "$PHP_FUZZER" != "no"; then PHP_FUZZER_TARGET([unserialize], [PHP_FUZZER_UNSERIALIZE_OBJS]) PHP_FUZZER_TARGET([unserializehash], [PHP_FUZZER_UNSERIALIZEHASH_OBJS]) PHP_FUZZER_TARGET([json], [PHP_FUZZER_JSON_OBJS]) + PHP_FUZZER_TARGET([bcmath], [PHP_FUZZER_BCMATH_OBJS]) if test -n "$enable_exif" && test "$enable_exif" != "no"; then PHP_FUZZER_TARGET([exif], [PHP_FUZZER_EXIF_OBJS]) diff --git a/sapi/fuzzer/corpus/bcmath/1 b/sapi/fuzzer/corpus/bcmath/1 new file mode 100644 index 0000000000000..87e56bbe3c16a --- /dev/null +++ b/sapi/fuzzer/corpus/bcmath/1 @@ -0,0 +1 @@ +15,7,0 diff --git a/sapi/fuzzer/corpus/bcmath/2 b/sapi/fuzzer/corpus/bcmath/2 new file mode 100644 index 0000000000000..0fcc6ef088827 --- /dev/null +++ b/sapi/fuzzer/corpus/bcmath/2 @@ -0,0 +1 @@ +14.14,9,10 diff --git a/sapi/fuzzer/corpus/bcmath/3 b/sapi/fuzzer/corpus/bcmath/3 new file mode 100644 index 0000000000000..0b218cc599193 --- /dev/null +++ b/sapi/fuzzer/corpus/bcmath/3 @@ -0,0 +1 @@ +1.23456789,0.56,10 diff --git a/sapi/fuzzer/corpus/bcmath/4 b/sapi/fuzzer/corpus/bcmath/4 new file mode 100644 index 0000000000000..e44b29bd6715e --- /dev/null +++ b/sapi/fuzzer/corpus/bcmath/4 @@ -0,0 +1 @@ +0.00123456789,0.001,10 diff --git a/sapi/fuzzer/corpus/bcmath/5 b/sapi/fuzzer/corpus/bcmath/5 new file mode 100644 index 0000000000000..68de032118588 --- /dev/null +++ b/sapi/fuzzer/corpus/bcmath/5 
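Review bot: The new `PHP_FUZZER_TARGET([bcmath], ...)` line is registered unconditionally, while the README hunk in this same commit states the target requires `--enable-bcmath`; on a build without bcmath the harness would be built but every input would fail at the `bcdiv` lookup, giving a fuzzer that never reaches the code it is meant to cover. The `exif` target two lines below shows the project's pattern for this: wrap the call in `if test -n "$enable_bcmath" && test "$enable_bcmath" != "no"; then` / `PHP_FUZZER_TARGET([bcmath], [PHP_FUZZER_BCMATH_OBJS])` / `fi`, assuming `$enable_bcmath` is the autoconf variable for that switch as `$enable_exif` is for exif. Whether the Makefile.frag rule added in this commit also needs to be conditional cannot be told from the hunk.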
@@ -0,0 +1 @@ +12345.6789,100,2 diff --git a/sapi/fuzzer/corpus/bcmath/6 b/sapi/fuzzer/corpus/bcmath/6 new file mode 100644 index 0000000000000..ba59d52f5047b --- /dev/null +++ b/sapi/fuzzer/corpus/bcmath/6 @@ -0,0 +1 @@ +12345.6,0.00001,20 diff --git a/sapi/fuzzer/fuzzer-bcmath.c b/sapi/fuzzer/fuzzer-bcmath.c new file mode 100644 index 0000000000000..4aa84e7110ea5 --- /dev/null +++ b/sapi/fuzzer/fuzzer-bcmath.c @@ -0,0 +1,165 @@ +/* + +----------------------------------------------------------------------+ + | Copyright (c) The PHP Group | + +----------------------------------------------------------------------+ + | This source file is subject to version 3.01 of the PHP license, | + | that is bundled with this package in the file LICENSE, and is | + | available through the world-wide-web at the following url: | + | https://www.php.net/license/3_01.txt | + | If you did not receive a copy of the PHP license and are unable to | + | obtain it through the world-wide-web, please send a note to | + | license@php.net so we can mail you a copy immediately. | + +----------------------------------------------------------------------+ + | Authors: Saki Takamachi | + +----------------------------------------------------------------------+ + */ + + + +#include "fuzzer.h" + +#include "Zend/zend.h" +#include
+#include "main/php_main.h" + +#include +#include +#include + +#include "fuzzer-sapi.h" + +zend_long char_to_size_t(char *c) { + zend_long ret = 0; + if (*c >= '0' && *c <= '9') { + ret *= 10; + ret += *c - '0'; + } + return ret; +} + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { + /* num1,num2,scale */ + const uint8_t *Comma1 = memchr(Data, ',', Size); + if (!Comma1) { + return 0; + } + + size_t dividend_len = Comma1 - Data; + char *dividend_str = estrndup((char *) Data, dividend_len); + Data = Comma1 + 1; + Size -= dividend_len + 1; + + const uint8_t *Comma2 = memchr(Data, ',', Size); + if (!Comma2) { + efree(dividend_str); + return 0; + } + + size_t divisor_len = Comma2 - Data; + char *divisor_str = estrndup((char *) Data, divisor_len); + Data = Comma2 + 1; + Size -= divisor_len + 1; + + char *scale_str = malloc(Size + 1); + memcpy(scale_str, Data, Size); + scale_str[Size] = '\0'; + + zend_long scale = char_to_size_t(scale_str); + free(scale_str); + + if (fuzzer_request_startup() == FAILURE) { + return 0; + } + + fuzzer_setup_dummy_frame(); + + zval result; + ZVAL_UNDEF(&result); + + zval args[4]; + ZVAL_COPY_VALUE(&args[0], &result); + ZVAL_STRINGL(&args[1], dividend_str, dividend_len); + ZVAL_STRINGL(&args[2], divisor_str, divisor_len); + ZVAL_LONG(&args[3], scale); + + fuzzer_call_php_func_zval("bcdiv", 4, args); + + zval_ptr_dtor(&result); + zval_ptr_dtor(&args[1]); + zval_ptr_dtor(&args[2]); + efree(dividend_str); + efree(divisor_str); + + fuzzer_request_shutdown(); + + return 0; +} + +#define BUF_SIZE 128 + +static inline bool rand_bool() { + return rand() & 1; +} + +static inline size_t generate_random_num_fraction(char *buf, size_t len) { + int zeros = rand() % 10; + for (int i = 0; i < zeros; i++) { + buf[len] = '0'; + len++; + } + len += snprintf(buf + len, BUF_SIZE - len, "%ld", random()); + return len; +} + +static inline size_t generate_random_num(char *buf, size_t len) { + if (rand_bool()) { + /* num < 1 */ + buf[len] = '0'; + 
buf[len + 1]= '.'; + len += 2; + /* fraction */ + len = generate_random_num_fraction(buf, len); + } else { + /* integer */ + len += snprintf(buf + len, BUF_SIZE - len, "%ld", random()); + if (rand_bool()) { + /* fraction */ + buf[len] = '.'; + len++; + len = generate_random_num_fraction(buf, len); + } + } + + return len; +} + +size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) { + char buf[BUF_SIZE]; + size_t len = 0; + + /* num1 */ + len = generate_random_num(buf, len); + buf[len] = ','; + len++; + + /* num2 */ + len = generate_random_num(buf, len); + buf[len] = ','; + len++; + + /* scale */ + len += snprintf(buf + len, BUF_SIZE - len, "%d", rand() % 10); + + if (len > MaxSize) { + return 0; + } + memcpy(Data, buf, len); + return len; +} + +int LLVMFuzzerInitialize(int *argc, char ***argv) { + fuzzer_init_php(NULL); + + /* fuzzer_shutdown_php(); */ + return 0; +} From 5341ef7b0a029121acf3a0b5d9d3a072f17784a9 Mon Sep 17 00:00:00 2001 From: SakiTakamachi Date: Fri, 21 Mar 2025 17:50:25 +0900 Subject: [PATCH 02/11] Fixed the number of `args` --- sapi/fuzzer/fuzzer-bcmath.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/sapi/fuzzer/fuzzer-bcmath.c b/sapi/fuzzer/fuzzer-bcmath.c index 4aa84e7110ea5..18a324abb195d 100644 --- a/sapi/fuzzer/fuzzer-bcmath.c +++ b/sapi/fuzzer/fuzzer-bcmath.c 
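Review bot: `LLVMFuzzerCustomMutator` never uses its `Seed` parameter and draws from the unseeded global `rand()`/`random()`, so the mutations libFuzzer asks for are not reproducible from the seed it supplies and the parameter will trip an unused-parameter warning; `srand(Seed);` as the first statement of the mutator is the usual minimal fix. Separately, `char_to_size_t` uses `if` where a loop over the digits is needed, so only the first character of the scale string contributes and `"15"` parses as 1; this helper is reworked later in the series, but the replacement should be checked against the same example.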
@@ -73,20 +73,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { fuzzer_setup_dummy_frame(); - zval result; - ZVAL_UNDEF(&result); + zval args[3]; + ZVAL_STRINGL(&args[0], dividend_str, dividend_len); + ZVAL_STRINGL(&args[1], divisor_str, divisor_len); + ZVAL_LONG(&args[2], scale); - zval args[4]; - ZVAL_COPY_VALUE(&args[0], &result); - ZVAL_STRINGL(&args[1], dividend_str, dividend_len); - ZVAL_STRINGL(&args[2], divisor_str, divisor_len); - ZVAL_LONG(&args[3], scale); + fuzzer_call_php_func_zval("bcdiv", 3, args); - fuzzer_call_php_func_zval("bcdiv", 4, args); - - zval_ptr_dtor(&result); + zval_ptr_dtor(&args[0]); zval_ptr_dtor(&args[1]); - zval_ptr_dtor(&args[2]); efree(dividend_str); efree(divisor_str); From 1fb2cd1c610fd50fff5cecbf29867b6510a2f5eb Mon Sep 17 00:00:00 2001 From: SakiTakamachi Date: Fri, 21 Mar 2025 17:51:20 +0900 Subject: [PATCH 03/11] Changed "Comma" to "comma" --- sapi/fuzzer/fuzzer-bcmath.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/sapi/fuzzer/fuzzer-bcmath.c b/sapi/fuzzer/fuzzer-bcmath.c index 18a324abb195d..d64473581826a 100644 --- a/sapi/fuzzer/fuzzer-bcmath.c +++ b/sapi/fuzzer/fuzzer-bcmath.c 
@@ -39,25 +39,25 @@ zend_long char_to_size_t(char *c) { int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { /* num1,num2,scale */ - const uint8_t *Comma1 = memchr(Data, ',', Size); - if (!Comma1) { + const uint8_t *comma1 = memchr(Data, ',', Size); + if (!comma1) { return 0; } - size_t dividend_len = Comma1 - Data; + size_t dividend_len = comma1 - Data; char *dividend_str = estrndup((char *) Data, dividend_len); - Data = Comma1 + 1; + Data = comma1 + 1; Size -= dividend_len + 1; - const uint8_t *Comma2 = memchr(Data, ',', Size); - if (!Comma2) { + const uint8_t *comma2 = memchr(Data, ',', Size); + if (!comma2) { efree(dividend_str); return 0; } - size_t divisor_len = Comma2 - Data; + size_t divisor_len = comma2 - Data; char *divisor_str = estrndup((char *) Data, divisor_len); - Data = Comma2 + 1; + Data = comma2 + 1; Size -= divisor_len + 1; char *scale_str = malloc(Size + 1); From 82ed67d91dec73019b4105f9890b5aebb65a97ef Mon Sep 17 00:00:00 2001 From: SakiTakamachi Date: Fri, 21 Mar 2025 18:17:33 +0900 Subject: [PATCH 04/11] Overall fix to scale parsing --- sapi/fuzzer/fuzzer-bcmath.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/sapi/fuzzer/fuzzer-bcmath.c b/sapi/fuzzer/fuzzer-bcmath.c index d64473581826a..5674f184d7590 100644 --- a/sapi/fuzzer/fuzzer-bcmath.c +++ b/sapi/fuzzer/fuzzer-bcmath.c @@ -28,13 +28,21 @@ #include "fuzzer-sapi.h" -zend_long char_to_size_t(char *c) { - zend_long ret = 0; - if (*c >= '0' && *c <= '9') { - ret *= 10; - ret += *c - '0'; +bool char_to_zend_long(const char *c, size_t scale_len, zend_long *ret) { + *ret = 0; + zend_long old_ret = 0; + for (size_t i = 0; i < scale_len; i++) { + if (*c >= '0' && *c <= '9') { + *ret *= 10; + *ret += *c - '0'; + } + if (*ret > old_ret) { + old_ret = *ret; + } else { + return false; + } } - return ret; + return true; } int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 
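Review bot: `char_to_zend_long` never advances `c`, so every iteration re-reads the first character: a scale of `"15"` yields 11, and a scale whose first character is `'0'` fails the `*ret > old_ret` test on the first pass and is rejected, which means the corpus entry `15,7,0` added in this series never reaches a bcmath call. The overflow guard is also applied after `*ret *= 10` has already executed, so a long digit string overflows a signed `zend_long` in the harness itself (undefined behaviour that UBSan will report against the fuzzer rather than bcmath), and a non-digit byte silently falls through to the same `> old_ret` comparison instead of being rejected explicitly. The rewrite below indexes `c[i]`, rejects non-digits up front, and bounds-checks against `ZEND_LONG_MAX` before multiplying.
```c
bool char_to_zend_long(const char *c, size_t scale_len, zend_long *ret) {
	*ret = 0;
	for (size_t i = 0; i < scale_len; i++) {
		if (c[i] < '0' || c[i] > '9') {
			return false;
		}
		zend_long digit = c[i] - '0';
		/* Check the bound before multiplying: signed overflow is UB, so a
		 * test on the already-overflowed value cannot be relied on. */
		if (*ret > (ZEND_LONG_MAX - digit) / 10) {
			return false;
		}
		*ret = *ret * 10 + digit;
	}
	return true;
}
```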
@@ -60,12 +68,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { Data = comma2 + 1; Size -= divisor_len + 1; - char *scale_str = malloc(Size + 1); - memcpy(scale_str, Data, Size); - scale_str[Size] = '\0'; - - zend_long scale = char_to_size_t(scale_str); - free(scale_str); + zend_long scale = 0; + if (!char_to_zend_long((char *) Data, Size, &scale)) { + efree(dividend_str); + efree(divisor_str); + return 0; + } if (fuzzer_request_startup() == FAILURE) { return 0; From bd630e326b6f660dcc03b9a5f1533893cd6ceab9 Mon Sep 17 00:00:00 2001 From: SakiTakamachi Date: Fri, 21 Mar 2025 18:33:32 +0900 Subject: [PATCH 05/11] Changed the six main calculation functions to be specified randomly --- sapi/fuzzer/fuzzer-bcmath.c | 50 ++++++++++++++++++++++++++----------- 1 file changed, 36 insertions(+), 14 deletions(-) diff --git a/sapi/fuzzer/fuzzer-bcmath.c b/sapi/fuzzer/fuzzer-bcmath.c index 5674f184d7590..e7422693fdb19 100644 --- a/sapi/fuzzer/fuzzer-bcmath.c +++ b/sapi/fuzzer/fuzzer-bcmath.c @@ -52,26 +52,26 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { return 0; } - size_t dividend_len = comma1 - Data; - char *dividend_str = estrndup((char *) Data, dividend_len); + size_t num1_len = comma1 - Data; + char *num1_str = estrndup((char *) Data, num1_len); Data = comma1 + 1; - Size -= dividend_len + 1; + Size -= num1_len + 1; const uint8_t *comma2 = memchr(Data, ',', Size); if (!comma2) { - efree(dividend_str); + efree(num1_str); return 0; } - size_t divisor_len = comma2 - Data; - char *divisor_str = estrndup((char *) Data, divisor_len); + size_t num2_len = comma2 - Data; + char *num2_str = estrndup((char *) Data, num2_len); Data = comma2 + 1; - Size -= divisor_len + 1; + Size -= num2_len + 1; zend_long scale = 0; if (!char_to_zend_long((char *) Data, Size, &scale)) { - efree(dividend_str); - efree(divisor_str); + efree(num1_str); + efree(num2_str); return 0; } 
@@ -79,19 +79,41 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { return 0; } + char func_name[6]; + switch (rand() % 6) { + case 0: + sprintf(func_name, "%s", "bcadd"); + break; + case 1: + sprintf(func_name, "%s", "bcsub"); + break; + case 2: + sprintf(func_name, "%s", "bcmul"); + break; + case 3: + sprintf(func_name, "%s", "bcdiv"); + break; + case 4: + sprintf(func_name, "%s", "bcmod"); + break; + case 5: + sprintf(func_name, "%s", "bcpow"); + break; + } + fuzzer_setup_dummy_frame(); zval args[3]; - ZVAL_STRINGL(&args[0], dividend_str, dividend_len); - ZVAL_STRINGL(&args[1], divisor_str, divisor_len); + ZVAL_STRINGL(&args[0], num1_str, num1_len); + ZVAL_STRINGL(&args[1], num2_str, num2_len); ZVAL_LONG(&args[2], scale); - fuzzer_call_php_func_zval("bcdiv", 3, args); + fuzzer_call_php_func_zval(func_name, 3, args); zval_ptr_dtor(&args[0]); zval_ptr_dtor(&args[1]); - efree(dividend_str); - efree(divisor_str); + efree(num1_str); + efree(num2_str); fuzzer_request_shutdown(); From a2c3f560e1e3706de95b6068274479cab1ee6f40 Mon Sep 17 00:00:00 2001 From: SakiTakamachi Date: Fri, 21 Mar 2025 18:39:19 +0900 Subject: [PATCH 06/11] remove `LLVMFuzzerCustomMutator` --- sapi/fuzzer/fuzzer-bcmath.c | 62 ------------------------------------- 1 file changed, 62 deletions(-) diff --git a/sapi/fuzzer/fuzzer-bcmath.c b/sapi/fuzzer/fuzzer-bcmath.c index e7422693fdb19..676fe7d18a045 100644 --- a/sapi/fuzzer/fuzzer-bcmath.c +++ b/sapi/fuzzer/fuzzer-bcmath.c 
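Review bot: Selecting the function with `rand() % 6` inside `LLVMFuzzerTestOneInput` makes the harness non-deterministic: which bcmath function a given input exercises depends on how many inputs the process has already run, so a crash found during a campaign can replay through a different function and not reproduce from the saved file. Deriving the selector from the input (for example one byte consumed before the comma parsing at the top of the function, which is outside this hunk) keeps the crash-to-input mapping stable, and a `static const` table replaces the six `sprintf` calls into the 6-byte `func_name` buffer. `LLVMFuzzerTestOneInput` starts before this hunk.
```c
	/* … unchanged: request startup … */
	/* Pick the operation from the input rather than rand() so a saved input
	 * always replays the same call. `op` is one input byte consumed before
	 * the comma parsing at the top of the function (outside this hunk). */
	static const char *const funcs[] = {"bcadd", "bcsub", "bcmul", "bcdiv", "bcmod", "bcpow"};
	const char *func_name = funcs[op % 6];

	fuzzer_setup_dummy_frame();
	/* … unchanged: argument setup and call using func_name … */
```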
@@ -120,68 +120,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { return 0; } -#define BUF_SIZE 128 - -static inline bool rand_bool() { - return rand() & 1; -} - -static inline size_t generate_random_num_fraction(char *buf, size_t len) { - int zeros = rand() % 10; - for (int i = 0; i < zeros; i++) { - buf[len] = '0'; - len++; - } - len += snprintf(buf + len, BUF_SIZE - len, "%ld", random()); - return len; -} - -static inline size_t generate_random_num(char *buf, size_t len) { - if (rand_bool()) { - /* num < 1 */ - buf[len] = '0'; - buf[len + 1]= '.'; - len += 2; - /* fraction */ - len = generate_random_num_fraction(buf, len); - } else { - /* integer */ - len += snprintf(buf + len, BUF_SIZE - len, "%ld", random()); - if (rand_bool()) { - /* fraction */ - buf[len] = '.'; - len++; - len = generate_random_num_fraction(buf, len); - } - } - - return len; -} - -size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) { - char buf[BUF_SIZE]; - size_t len = 0; - - /* num1 */ - len = generate_random_num(buf, len); - buf[len] = ','; - len++; - - /* num2 */ - len = generate_random_num(buf, len); - buf[len] = ','; - len++; - - /* scale */ - len += snprintf(buf + len, BUF_SIZE - len, "%d", rand() % 10); - - if (len > MaxSize) { - return 0; - } - memcpy(Data, buf, len); - return len; -} - int LLVMFuzzerInitialize(int *argc, char ***argv) { fuzzer_init_php(NULL); From 13319aadad9a22111ea9fd6f64abb5b2d6c09b6a Mon Sep 17 00:00:00 2001 From: SakiTakamachi Date: Fri, 21 Mar 2025 19:16:31 +0900 Subject: [PATCH 07/11] Added bcmath dict --- sapi/fuzzer/dict/bcmath | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 sapi/fuzzer/dict/bcmath diff --git a/sapi/fuzzer/dict/bcmath b/sapi/fuzzer/dict/bcmath new file mode 100644 index 0000000000000..a422cc8ccd180 --- /dev/null +++ b/sapi/fuzzer/dict/bcmath @@ -0,0 +1,6 @@ +"," +"1234567890" +"0.12345678" +"9999999999999999" +"0.00000000000000000000001" +"10" 
From e1fa2fa0fb3817109d45384e66cb3d148218521e Mon Sep 17 00:00:00 2001 From: SakiTakamachi Date: Fri, 21 Mar 2025 20:55:47 +0900 Subject: [PATCH 08/11] Removed unnecessary memory allocation. --- sapi/fuzzer/fuzzer-bcmath.c | 31 +++++++++++-------------------- 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/sapi/fuzzer/fuzzer-bcmath.c b/sapi/fuzzer/fuzzer-bcmath.c index 676fe7d18a045..fb658ab9220b5 100644 --- a/sapi/fuzzer/fuzzer-bcmath.c +++ b/sapi/fuzzer/fuzzer-bcmath.c @@ -47,31 +47,24 @@ bool char_to_zend_long(const char *c, size_t scale_len, zend_long *ret) { int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { /* num1,num2,scale */ - const uint8_t *comma1 = memchr(Data, ',', Size); + const char *n1ptr = (char *) Data; + const char *comma1 = memchr(n1ptr, ',', Size); if (!comma1) { return 0; } + size_t n1len = comma1 - n1ptr; + Size -= n1len + 1; - size_t num1_len = comma1 - Data; - char *num1_str = estrndup((char *) Data, num1_len); - Data = comma1 + 1; - Size -= num1_len + 1; - - const uint8_t *comma2 = memchr(Data, ',', Size); + const char *n2ptr = comma1 + 1; + const char *comma2 = memchr(n2ptr, ',', Size); if (!comma2) { - efree(num1_str); return 0; } - - size_t num2_len = comma2 - Data; - char *num2_str = estrndup((char *) Data, num2_len); - Data = comma2 + 1; - Size -= num2_len + 1; + size_t n2len = comma2 - n2ptr; + Size -= n2len + 1; zend_long scale = 0; - if (!char_to_zend_long((char *) Data, Size, &scale)) { - efree(num1_str); - efree(num2_str); + if (!char_to_zend_long((char *) comma2 + 1, Size, &scale)) { return 0; } 
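Review bot: Two casts in this hunk strip `const` for no reason: `const char *n1ptr = (char *) Data;` casts away the `const` of `Data` only to store the result in a `const char *`, and `char_to_zend_long((char *) comma2 + 1, Size, &scale)` passes a `const char *` through a non-const cast into a parameter that is itself `const char *`. Write them as `const char *n1ptr = (const char *) Data;` and `if (!char_to_zend_long(comma2 + 1, Size, &scale)) {` so the pointers keep their qualification and `-Wcast-qual` stays quiet. Pointing `n1ptr`/`n2ptr` straight into `Data` is fine here only because `ZVAL_STRINGL` in the following hunk copies the bytes; a comment to that effect on `n1ptr` would keep a later refactor from handing the unterminated input to a function that expects a C string. `LLVMFuzzerTestOneInput` continues past the end of this hunk.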
@@ -104,16 +97,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { fuzzer_setup_dummy_frame(); zval args[3]; - ZVAL_STRINGL(&args[0], num1_str, num1_len); - ZVAL_STRINGL(&args[1], num2_str, num2_len); + ZVAL_STRINGL(&args[0], n1ptr, n1len); + ZVAL_STRINGL(&args[1], n2ptr, n2len); ZVAL_LONG(&args[2], scale); fuzzer_call_php_func_zval(func_name, 3, args); zval_ptr_dtor(&args[0]); zval_ptr_dtor(&args[1]); - efree(num1_str); - efree(num2_str); fuzzer_request_shutdown(); From 3d52e018df17746ab9311678c8fa8d815a85f852 Mon Sep 17 00:00:00 2001 From: SakiTakamachi Date: Fri, 21 Mar 2025 21:04:50 +0900 Subject: [PATCH 09/11] Added .gitignore --- sapi/fuzzer/.gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 sapi/fuzzer/.gitignore diff --git a/sapi/fuzzer/.gitignore b/sapi/fuzzer/.gitignore new file mode 100644 index 0000000000000..8e655e0fc9b1b --- /dev/null +++ b/sapi/fuzzer/.gitignore @@ -0,0 +1 @@ +php-fuzz-* From 39cca77ea0a1c3a38b3aa0967e57e697bf939333 Mon Sep 17 00:00:00 2001 From: SakiTakamachi Date: Fri, 21 Mar 2025 21:12:45 +0900 Subject: [PATCH 10/11] Fixed README.md --- sapi/fuzzer/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sapi/fuzzer/README.md b/sapi/fuzzer/README.md index 2ada5f7b79e8e..6a5fbe19ff13e 100644 --- a/sapi/fuzzer/README.md +++ b/sapi/fuzzer/README.md @@ -33,7 +33,7 @@ When running `make` it creates these binaries in `sapi/fuzzer/`: * `php-fuzz-execute`: Fuzzing the executor * `php-fuzz-function-jit`: Fuzzing the function JIT (requires --enable-opcache) * `php-fuzz-tracing-jit`: Fuzzing the tracing JIT (requires --enable-opcache) -* `php-fuzz-bcmath`: Fuzzing division (requires --enable-bcmath) +* `php-fuzz-bcmath`: Fuzzing bcadd, bcsub, bcmul, bcdiv, bcmod and bcpow (requires --enable-bcmath) Some fuzzers have a seed corpus in `sapi/fuzzer/corpus`. You can use it as follows: From cddaede123d6031b7b7e0f5ed8c248c0d1b66bb6 Mon Sep 17 00:00:00 2001 
From: SakiTakamachi Date: Fri, 21 Mar 2025 21:30:16 +0900 Subject: [PATCH 11/11] I forgot to include the pattern for negative values --- sapi/fuzzer/corpus/bcmath/2 | 2 +- sapi/fuzzer/corpus/bcmath/5 | 2 +- sapi/fuzzer/dict/bcmath | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/sapi/fuzzer/corpus/bcmath/2 b/sapi/fuzzer/corpus/bcmath/2 index 0fcc6ef088827..d476337baa9cc 100644 --- a/sapi/fuzzer/corpus/bcmath/2 +++ b/sapi/fuzzer/corpus/bcmath/2 @@ -1 +1 @@ -14.14,9,10 +14.14,-9,10 diff --git a/sapi/fuzzer/corpus/bcmath/5 b/sapi/fuzzer/corpus/bcmath/5 index 68de032118588..a1bb0eceb04e3 100644 --- a/sapi/fuzzer/corpus/bcmath/5 +++ b/sapi/fuzzer/corpus/bcmath/5 @@ -1 +1 @@ -12345.6789,100,2 +-12345.6789,100,2 diff --git a/sapi/fuzzer/dict/bcmath b/sapi/fuzzer/dict/bcmath index a422cc8ccd180..583f5220fed59 100644 --- a/sapi/fuzzer/dict/bcmath +++ b/sapi/fuzzer/dict/bcmath @@ -1,6 +1,9 @@ "," "1234567890" +"-9876543" "0.12345678" +"-0.002468" "9999999999999999" "0.00000000000000000000001" "10" +"-29"