Add fuzzer SAPIs to the core

sapi/fuzzer/Makefile.frag

@@ -0,0 +1,18 @@
+fuzzer: $(PHP_FUZZER_BINARIES)
+
+FUZZER_BUILD = $(LIBTOOL) --mode=link $(FUZZING_CC) -export-dynamic $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS_PROGRAM) $(LDFLAGS) $(PHP_RPATHS) $(PHP_GLOBAL_OBJS) $(PHP_BINARY_OBJS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) $(FUZZING_LIB) -rpath /ORIGIN/lib
+
+$(SAPI_FUZZER_PATH)/php-fuzz-parser: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_PARSER_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_PARSER_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-unserialize: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_UNSERIALIZE_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_UNSERIALIZE_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-json: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_JSON_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_JSON_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-exif: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_EXIF_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_EXIF_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-mbstring: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_MBSTRING_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_MBSTRING_OBJS) -o $@

sapi/fuzzer/README

@@ -0,0 +1,13 @@
+Fuzzing SAPI for PHP
+
+Enable fuzzing targets with --enable-fuzzer switch.
+
+Your compiler should support -fsanitize=address and you need
+to have Fuzzer library around.
+
+When running `make` it creates these binaries in `sapi/fuzzer/`:
+* php-fuzz-parser - fuzzing language parser
+* php-fuzz-unserialize - fuzzing unserialize() function
+* php-fuzz-json - fuzzing JSON parser
+* php-fuzz-exif - fuzzing exif_read_data() function (use --enable-exif)
+* php-fuzz-mbstring - fuzzing mb_ereg[i] (requires --enable-mbstring)

sapi/fuzzer/config.m4

@@ -0,0 +1,63 @@
+AC_MSG_CHECKING(for clang fuzzer SAPI)
+
+PHP_ARG_ENABLE([fuzzer],,
+  [AS_HELP_STRING([--enable-fuzzer],
+    [Build PHP as clang fuzzing test module (for developers)])],
+  [no])
+
+dnl For newer clang versions see https://llvm.org/docs/LibFuzzer.html#fuzzer-usage
+dnl for relevant flags.
+
+dnl Macro to define fuzzing target
+dnl PHP_FUZZER_TARGET(name, target-var)
+dnl
+AC_DEFUN([PHP_FUZZER_TARGET], [
+  PHP_FUZZER_BINARIES="$PHP_FUZZER_BINARIES $SAPI_FUZZER_PATH/php-fuzz-$1"
+  PHP_SUBST($2)
+  PHP_ADD_SOURCES_X([sapi/fuzzer],[fuzzer-$1.c fuzzer-sapi.c],[],$2)
+])
+
+if test "$PHP_FUZZER" != "no"; then
+  AC_MSG_RESULT([yes])
+  PHP_REQUIRE_CXX()
+  PHP_ADD_MAKEFILE_FRAGMENT($abs_srcdir/sapi/fuzzer/Makefile.frag)
+  SAPI_FUZZER_PATH=sapi/fuzzer
+  PHP_SUBST(SAPI_FUZZER_PATH)
+  if test -z "$LIB_FUZZING_ENGINE"; then
+    FUZZING_LIB="-lFuzzer"
+    FUZZING_CC="$CC"
+    AX_CHECK_COMPILE_FLAG([-fsanitize=address], [
+      CFLAGS="$CFLAGS -fsanitize=address"
+      CXXFLAGS="$CXXFLAGS -fsanitize=address"
+      LDFLAGS="$LDFLAGS -fsanitize=address"
+    ],[
+      AC_MSG_ERROR(compiler doesn't support -fsanitize flags)
+    ])
+  else
+    FUZZING_LIB="-lFuzzingEngine"
+    FUZZING_CC="$CXX -stdlib=libc++"
+  fi
+  PHP_SUBST(FUZZING_LIB)
+  PHP_SUBST(FUZZING_CC)
+
+  dnl PHP_SELECT_SAPI(fuzzer-parser, program, $FUZZER_SOURCES, , '$(SAPI_FUZZER_PATH)')
+
+  PHP_ADD_BUILD_DIR([sapi/fuzzer])
+  PHP_FUZZER_BINARIES=""
+  PHP_INSTALLED_SAPIS="$PHP_INSTALLED_SAPIS fuzzer"
+
+  PHP_FUZZER_TARGET([parser], PHP_FUZZER_PARSER_OBJS)
+  PHP_FUZZER_TARGET([unserialize], PHP_FUZZER_UNSERIALIZE_OBJS)
+  PHP_FUZZER_TARGET([exif], PHP_FUZZER_EXIF_OBJS)
+
+  if test -n "$enable_json" && test "$enable_json" != "no"; then
+    PHP_FUZZER_TARGET([json], PHP_FUZZER_JSON_OBJS)
+  fi
+  if test -n "$enable_mbstring" && test "$enable_mbstring" != "no"; then
+    PHP_FUZZER_TARGET([mbstring], PHP_FUZZER_MBSTRING_OBJS)
+  fi
+
+  PHP_SUBST(PHP_FUZZER_BINARIES)
+fi
+
+AC_MSG_RESULT($PHP_FUZZER)

sapi/fuzzer/corpus/exif/bug62523_1.jpg

@@ -0,0 +1,9 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>301 Moved Permanently</title>
+</head><body>
+<h1>Moved Permanently</h1>
+<p>The document has moved <a href="http://www.getid3.org/temp/62523.jpg">here</a>.</p>
+<hr>
+<address>Apache Server at getid3.org Port 80</address>
+</body></html>

sapi/fuzzer/corpus/exif/bug62523_3.jpg

@@ -0,0 +1,12 @@
+<html>
+  <head><title>Found</title></head>
+  <body>
+    <h1>Found</h1>
+    <p>The resource was found at <a href="http://dl.dropboxusercontent.com/u/7562584/Bugs/Php/bad_exif.jpeg">http://dl.dropboxusercontent.com/u/7562584/Bugs/Php/bad_exif.jpeg</a>;
+you should be redirected automatically.
+
+<!--  --></p>
+    <hr noshade>
+    <div align="right">WSGI Server</div>
+  </body>
+</html>

sapi/fuzzer/corpus/json/1.json

@@ -0,0 +1 @@
+{"prop":{"prop":null}}

sapi/fuzzer/corpus/json/10.json

@@ -0,0 +1 @@
+{"a":100.1,"b":"foo"}

sapi/fuzzer/corpus/json/11.json

@@ -0,0 +1 @@
+[100.1,"bar"]

sapi/fuzzer/corpus/json/12.json

@@ -0,0 +1,2 @@
+{"0":0,"\u0000ab":1,"1":"\u0000null-prefixed value"}
+

sapi/fuzzer/corpus/json/13.json

@@ -0,0 +1 @@
+{ "test": { "foo": "bar" } }

sapi/fuzzer/corpus/json/14.json

@@ -0,0 +1,2 @@
+"aa\udbff\udffdzz"
+

sapi/fuzzer/corpus/json/15.json

@@ -0,0 +1 @@
+"latin 1234 -\/    russian мама мыла раму  specialchars \u0002   \b \n   U+1D11E >𝄞<"

sapi/fuzzer/corpus/json/16.json

@@ -0,0 +1 @@
+{"test":"123343e871700"}

sapi/fuzzer/corpus/json/17.json

@@ -0,0 +1 @@
+[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[["Too deep"]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

sapi/fuzzer/corpus/json/18.json

@@ -0,0 +1 @@
+{"myInt":99,"myFloat":123.45,"myNull":null,"myBool":true,"myString":"Hello World"}

sapi/fuzzer/corpus/json/19.json

@@ -0,0 +1 @@
+"\u65e5\u672c\u8a9e\u30c6\u30ad\u30b9\u30c8\u3067\u3059\u300201234\uff15\uff16\uff17\uff18\uff19\u3002"

sapi/fuzzer/corpus/json/2.json

@@ -0,0 +1 @@
+{"largenum":123456789012345678901234567890}

sapi/fuzzer/corpus/json/3.json

@@ -0,0 +1 @@
+["<foo>","'bar'","\"baz\"","&blong&"]

sapi/fuzzer/corpus/json/4.json

@@ -0,0 +1 @@
+["\u003Cfoo\u003E","\u0027bar\u0027","\u0022baz\u0022","\u0026blong\u0026"]

sapi/fuzzer/corpus/json/5.json

@@ -0,0 +1,5 @@
+[
+{"":"value"},
+{"":"value", "key":"value"},
+{"key":"value", "":"value"}
+]

sapi/fuzzer/corpus/json/6.json

@@ -0,0 +1 @@
+[123,13452345,123.13452345]

sapi/fuzzer/corpus/json/7.json

@@ -0,0 +1,2 @@
+["\ud834\udd00"]
+

sapi/fuzzer/corpus/json/8.json

@@ -0,0 +1 @@
+{"zero": 0e0}

sapi/fuzzer/corpus/json/9.json

@@ -0,0 +1 @@
+[null,null,"abc"]

sapi/fuzzer/corpus/json/fail1.json

@@ -0,0 +1 @@
+"A JSON payload should be an object or array, not a string."

sapi/fuzzer/corpus/json/fail10.json

@@ -0,0 +1 @@
+{"Extra value after close": true} "misplaced quoted value"

sapi/fuzzer/corpus/json/fail11.json

@@ -0,0 +1 @@
+{"Illegal expression": 1 + 2}

sapi/fuzzer/corpus/json/fail12.json

@@ -0,0 +1 @@
+{"Illegal invocation": alert()}

sapi/fuzzer/corpus/json/fail13.json

@@ -0,0 +1 @@
+{"Numbers cannot have leading zeroes": 013}

sapi/fuzzer/corpus/json/fail14.json

@@ -0,0 +1 @@
+{"Numbers cannot be hex": 0x14}

sapi/fuzzer/corpus/json/fail15.json

@@ -0,0 +1 @@
+["Illegal backslash escape: \x15"]

sapi/fuzzer/corpus/json/fail16.json

@@ -0,0 +1 @@
+[\naked]

sapi/fuzzer/corpus/json/fail17.json

@@ -0,0 +1 @@
+["Illegal backslash escape: \017"]

sapi/fuzzer/corpus/json/fail18.json

@@ -0,0 +1 @@
+[[[[[[[[[[[[[[[[[[[["Too deep"]]]]]]]]]]]]]]]]]]]]

sapi/fuzzer/corpus/json/fail19.json

@@ -0,0 +1 @@
+{"Missing colon" null}

sapi/fuzzer/corpus/json/fail2.json

@@ -0,0 +1 @@
+["Unclosed array"

sapi/fuzzer/corpus/json/fail20.json

@@ -0,0 +1 @@
+{"Double colon":: null}

sapi/fuzzer/corpus/json/fail21.json

@@ -0,0 +1 @@
+{"Comma instead of colon", null}

sapi/fuzzer/corpus/json/fail22.json

@@ -0,0 +1 @@
+["Colon instead of comma": false]

sapi/fuzzer/corpus/json/fail23.json

@@ -0,0 +1 @@
+["Bad value", truth]

sapi/fuzzer/corpus/json/fail24.json

@@ -0,0 +1 @@
+['single quote']

sapi/fuzzer/corpus/json/fail25.json

@@ -0,0 +1 @@
+["	tab	character	in	string	"]

sapi/fuzzer/corpus/json/fail26.json

@@ -0,0 +1 @@
+["tab\   character\   in\  string\  "]

sapi/fuzzer/corpus/json/fail27.json

@@ -0,0 +1,2 @@
+["line
+break"]

sapi/fuzzer/corpus/json/fail28.json

@@ -0,0 +1,2 @@
+["line\
+break"]

sapi/fuzzer/corpus/json/fail29.json

@@ -0,0 +1 @@
+[0e]