fuzzer for bcmath

Author: SakiTakamachi

sapi/fuzzer/Makefile.frag

@@ -31,3 +31,6 @@ $(SAPI_FUZZER_PATH)/php-fuzz-mbstring: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP
 
 $(SAPI_FUZZER_PATH)/php-fuzz-mbregex: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_MBREGEX_OBJS)
 	$(FUZZER_BUILD) $(PHP_FUZZER_MBREGEX_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-bcmath: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_BCMATH_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_BCMATH_OBJS) -o $@

sapi/fuzzer/config.m4

@@ -63,6 +63,7 @@ if test "$PHP_FUZZER" != "no"; then
   PHP_FUZZER_TARGET([unserialize], [PHP_FUZZER_UNSERIALIZE_OBJS])
   PHP_FUZZER_TARGET([unserializehash], [PHP_FUZZER_UNSERIALIZEHASH_OBJS])
   PHP_FUZZER_TARGET([json], [PHP_FUZZER_JSON_OBJS])
+  PHP_FUZZER_TARGET([bcmath], [PHP_FUZZER_BCMATH_OBJS])
 
   if test -n "$enable_exif" && test "$enable_exif" != "no"; then
     PHP_FUZZER_TARGET([exif], [PHP_FUZZER_EXIF_OBJS])

sapi/fuzzer/fuzzer-bcmath.c

@@ -0,0 +1,102 @@
+/*
+   +----------------------------------------------------------------------+
+   | Copyright (c) The PHP Group                                          |
+   +----------------------------------------------------------------------+
+   | This source file is subject to version 3.01 of the PHP license,      |
+   | that is bundled with this package in the file LICENSE, and is        |
+   | available through the world-wide-web at the following url:           |
+   | https://www.php.net/license/3_01.txt                                 |
+   | If you did not receive a copy of the PHP license and are unable to   |
+   | obtain it through the world-wide-web, please send a note to          |
+   | license@php.net so we can mail you a copy immediately.               |
+   +----------------------------------------------------------------------+
+   | Authors: Saki Takamachi <saki@php.net>                               |
+   +----------------------------------------------------------------------+
+ */
+
+
+
+#include "fuzzer.h"
+
+#include "Zend/zend.h"
+#include <main/php_config.h>
+#include "main/php_main.h"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "fuzzer-sapi.h"
+
+zend_long char_to_size_t(char *c) {
+	zend_long ret = 0;
+	if (*c >= '0' && *c <= '9') {
+		ret *= 10;
+		ret += *c - '0';
+	}
+	return ret;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+	const uint8_t *Comma1 = memchr(Data, ',', Size);
+	if (!Comma1) {
+		return 0;
+	}
+
+	size_t dividend_len = Comma1 - Data;
+	char *dividend_str = estrndup((char *) Data, dividend_len);
+	Data = Comma1 + 1;
+	Size -= dividend_len + 1;
+
+	const uint8_t *Comma2 = memchr(Data, ',', Size);
+	if (!Comma2) {
+		efree(dividend_str);
+		return 0;
+	}
+
+	size_t divisor_len = Comma2 - Data;
+	char *divisor_str = estrndup((char *) Data, divisor_len);
+	Data = Comma2 + 1;
+	Size -= divisor_len + 1;
+
+	char *scale_str = malloc(Size + 1);
+	memcpy(scale_str, Data, Size);
+	scale_str[Size] = '\0';
+
+	zend_long scale = char_to_size_t(scale_str);
+	free(scale_str);
+
+	if (fuzzer_request_startup() == FAILURE) {
+		return 0;
+	}
+
+	fuzzer_setup_dummy_frame();
+
+	zval result;
+	ZVAL_UNDEF(&result);
+
+	zval args[4];
+	ZVAL_COPY_VALUE(&args[0], &result);
+	ZVAL_STRINGL(&args[1], dividend_str, dividend_len);
+	ZVAL_STRINGL(&args[2], divisor_str, divisor_len);
+	ZVAL_LONG(&args[3], scale);
+
+	fuzzer_call_php_func_zval("bcdiv", 4, args);
+
+	zval_ptr_dtor(&result);
+	zval_ptr_dtor(&args[1]);
+	zval_ptr_dtor(&args[2]);
+	efree(dividend_str);
+	efree(divisor_str);
+
+	fuzzer_request_shutdown();
+
+	return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+	fuzzer_init_php(NULL);
+
+	/* fuzzer_shutdown_php(); */
+	return 0;
+}

sapi/fuzzer/generate_bcmath_dict.php

@@ -0,0 +1,93 @@
+<?php
+
+if (!extension_loaded('bcmath')) {
+    echo "Skipping bcmath dictionary generation\n";
+    return;
+}
+
+define('BCMATH_GEN_DICT_LOOP', 300);
+
+function genRandomNumberString(): string
+{
+    return match (rand(0, 2)) {
+        0 => (string) rand(0, 1000000),
+        1 => rand(0, 1000000) . rand(0, 1000000),
+        2 => rand(0, 1000000) . rand(0, 1000000) . rand(0, 1000000),
+    };
+}
+
+function genRandomNumber(bool $integerIsZero, bool $hasFraction): string
+{
+    $sign = rand(0, 1) ? '' : '-';
+    $integer = $integerIsZero ? '0' : genRandomNumberString();
+    $fraction = $hasFraction ? '.' . genRandomNumberString() : '';
+    return $sign . $integer . $fraction;
+}
+
+function writeDict(array $dicts): void
+{
+    $dict = implode("\n", $dicts) . "\n";
+    file_put_contents(__DIR__ . "/dict/bcmath", $dict, FILE_APPEND);
+}
+
+$total = 0;
+
+for ($loop = 0; $loop < BCMATH_GEN_DICT_LOOP; $loop++) {
+    $case1 = [true, true];
+    $case2 = [false, true];
+    $case3 = [false, false];
+
+    foreach ([
+        [
+            $case1,
+            $case1,
+        ],
+        [
+            $case1,
+            $case2,
+        ],
+        [
+            $case1,
+            $case3,
+        ],
+        [
+            $case2,
+            $case1,
+        ],
+        [
+            $case2,
+            $case2,
+        ],
+        [
+            $case2,
+            $case3,
+        ],
+        [
+            $case3,
+            $case1,
+        ],
+        [
+            $case3,
+            $case2,
+        ],
+        [
+            $case3,
+            $case3,
+        ],
+    ] as [
+        [$integerIsZero, $hasFraction],
+        [$integerIsZero2, $hasFraction2],
+    ]) {
+        //$dicts = [];
+        for ($i = 0; $i < 100; $i++) {
+            $dividend = genRandomNumber($integerIsZero, $hasFraction);
+            $divisor = genRandomNumber($integerIsZero2, $hasFraction2);
+            $scale = rand(0, 100);
+            //$dicts[] = '"' . implode(',', [$dividend, $divisor, $scale]) . '"';
+            $dict = '"' . implode(',', [$dividend, $divisor, $scale]) . '"' . "\n";
+            file_put_contents(__DIR__ . "/corpus/bcmath/{$total}", $dict);
+            $total++;
+        }
+        //writeDict($dicts);
+    }
+}