archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Limit internal function calls in execute fuzzer

Browse source 
Infinite recursion might occur purely through internal functions,
without reentering the executor.
This commit is contained in:
Nikita Popov 2021-08-26 14:42:45 +02:00
parent fa032764db
commit cae80ef552
1 changed files with 19 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

26
sapi/fuzzer/fuzzer-execute.c
View file

@ -27,16 +27,19 @@ static uint32_t steps_left;
* we can assume that we don't use global registers / hybrid VM. */
typedef int (ZEND_FASTCALL *opcode_handler_t)(zend_execute_data *);
static zend_always_inline void fuzzer_step(void) {
if (--steps_left == 0) {
/* Reset steps before bailing out, so code running after bailout (e.g. in
* destructors) will get another MAX_STEPS, rather than UINT32_MAX steps. */
steps_left = MAX_STEPS;
zend_bailout();
}
}
static void fuzzer_execute_ex(zend_execute_data *execute_data) {
while (1) {
int ret;
if (--steps_left == 0) {
/* Reset steps before bailing out, so code running after bailout (e.g. in
* destructors) will get another MAX_STEPS, rather than UINT32_MAX steps. */
steps_left = MAX_STEPS;
zend_bailout();
}
fuzzer_step();
if ((ret = ((opcode_handler_t) EX(opline)->handler)(execute_data)) != 0) {
if (ret > 0) {
execute_data = EG(current_execute_data);
@ -58,6 +61,13 @@ static zend_op_array *fuzzer_compile_string(zend_string *str, const char *filena
return orig_compile_string(str, filename);
}
static void (*orig_execute_internal)(zend_execute_data *execute_data, zval *return_value);
static void fuzzer_execute_internal(zend_execute_data *execute_data, zval *return_value) {
fuzzer_step();
orig_execute_internal(execute_data, return_value);
}
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size > MAX_SIZE) {
/* Large inputs have a large impact on fuzzer performance,
@ -82,6 +92,8 @@ int LLVMFuzzerInitialize(int *argc, char ***argv) {
fuzzer_init_php();
zend_execute_ex = fuzzer_execute_ex;
orig_execute_internal = zend_execute_internal ? zend_execute_internal : execute_internal;
zend_execute_internal = fuzzer_execute_internal;
orig_compile_string = zend_compile_string;
zend_compile_string = fuzzer_compile_string;