Fuzzing SAPI for PHP
The following ./configure options can be used to enable the fuzzing SAPI, as well as all available fuzzers. If you don't build the exif/json/mbstring extensions, the fuzzers for these extensions will not be built.
./configure \
--enable-fuzzer \
--with-pic \
--enable-debug-assertions \
--enable-exif \
--enable-json \
--enable-mbstring
The --with-pic option is required to avoid a linking failure. The --enable-debug-assertions option can be used to enable debug assertions despite the use of a release build.
You will need a recent version of clang that supports the -fsanitize=fuzzer-no-link option.
Running make creates these binaries in sapi/fuzzer/:
php-fuzz-parser: Fuzzing language parser and compiler
php-fuzz-unserialize: Fuzzing unserialize() function
php-fuzz-json: Fuzzing JSON parser (requires --enable-json)
php-fuzz-exif: Fuzzing exif_read_data() function (requires --enable-exif)
php-fuzz-mbstring: Fuzzing mb_ereg[i]() (requires --enable-mbstring)
Some fuzzers have a seed corpus in sapi/fuzzer/corpus. You can use it as follows:
cp -r sapi/fuzzer/corpus/exif ./my-exif-corpus
sapi/fuzzer/php-fuzz-exif ./my-exif-corpus
For the unserialize fuzzer, a dictionary of internal classes should be generated first:
sapi/cli/php sapi/fuzzer/generate_unserialize_dict.php
cp -r sapi/fuzzer/corpus/unserialize ./my-unserialize-corpus
sapi/fuzzer/php-fuzz-unserialize -dict=$PWD/sapi/fuzzer/dict/unserialize ./my-unserialize-corpus
For the parser fuzzer, a corpus may be generated from Zend test files:
sapi/cli/php sapi/fuzzer/generate_parser_corpus.php
mkdir ./my-parser-corpus
sapi/fuzzer/php-fuzz-parser -merge=1 ./my-parser-corpus sapi/fuzzer/corpus/parser
sapi/fuzzer/php-fuzz-parser -only_ascii=1 ./my-parser-corpus
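The steps above (configure flags deciding which fuzzers exist, a clang that accepts -fsanitize=fuzzer-no-link, and a per-fuzzer invocation with its corpus, dictionary or -only_ascii flag) are collected here in a small POSIX sh wrapper. This is an added example, not a script from php-src or the sapi/fuzzer directory; it assumes it is run from the php-src root, uses the binary and corpus paths from this README, and adds the standard libFuzzer -max_total_time and -artifact_prefix options so that a run is bounded and crash inputs land in a predictable directory.

```shell
#!/bin/sh
# Added example wrapper around the php-src fuzzing SAPI (not part of php-src).
# Assumes the layout described in sapi/fuzzer/README: binaries in
# sapi/fuzzer/php-fuzz-<name>, the unserialize dictionary in
# sapi/fuzzer/dict/unserialize, and that it is run from the php-src root.

# Given the ./configure flags, list the fuzzer binaries that will be built.
# parser and unserialize are always built; json/exif/mbstring are only built
# when the matching extension is enabled.
fuzzers_for_config() {
    flags=" $* "
    out="php-fuzz-parser php-fuzz-unserialize"
    case "$flags" in *" --enable-json "*)     out="$out php-fuzz-json";;     esac
    case "$flags" in *" --enable-exif "*)     out="$out php-fuzz-exif";;     esac
    case "$flags" in *" --enable-mbstring "*) out="$out php-fuzz-mbstring";; esac
    printf '%s\n' "$out"
}

# Check that the compiler in $CC (default: clang) accepts
# -fsanitize=fuzzer-no-link by compiling a trivial translation unit.
# Returns 0 if supported, 1 otherwise.
fuzzer_cc_supported() {
    cc="${CC:-clang}"
    tmp=$(mktemp -d) || return 1
    printf 'int main(void){return 0;}\n' > "$tmp/t.c"
    if "$cc" -fsanitize=fuzzer-no-link -c -o "$tmp/t.o" "$tmp/t.c" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}

# Build the command line for one fuzzer: the README's invocation plus a
# wall-clock limit (seconds, default 600), an artifact directory for crash
# and timeout inputs, and the fuzzer-specific extras from the README
# (dictionary for unserialize, ASCII-only inputs for the parser).
fuzzer_cmd() {
    name="$1"; corpus="$2"; seconds="${3:-600}"
    cmd="sapi/fuzzer/php-fuzz-$name -max_total_time=$seconds -artifact_prefix=./artifacts/$name/"
    case "$name" in
        unserialize) cmd="$cmd -dict=sapi/fuzzer/dict/unserialize";;
        parser)      cmd="$cmd -only_ascii=1";;
    esac
    printf '%s %s\n' "$cmd" "$corpus"
}

# Usage: sh fuzz.sh <name> <corpus-dir> [seconds]   (from the php-src root)
# e.g.:  sh fuzz.sh unserialize ./my-unserialize-corpus 300
if [ "$#" -ge 2 ]; then
    fuzzer_cc_supported || echo "warning: ${CC:-clang} does not accept -fsanitize=fuzzer-no-link" >&2
    [ -x "sapi/fuzzer/php-fuzz-$1" ] || { echo "missing sapi/fuzzer/php-fuzz-$1 (built with --enable-fuzzer?)" >&2; exit 1; }
    [ -d "$2" ] || { echo "corpus directory $2 not found" >&2; exit 1; }
    mkdir -p "./artifacts/$1"
    eval "$(fuzzer_cmd "$1" "$2" "${3:-600}")"
fi
```

fuzzer_cmd only assembles the command, so it can be inspected before anything is executed; the dispatcher at the bottom refuses to start if the binary or corpus is missing, which is the usual cause of a confusing libFuzzer error on a fresh checkout.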