Skip to content

Commit bd630e3

Browse files
SakiTakamachiSakiTakamachi
committed
Changed the six main calculation functions to be specified randomly
1 parent 82ed67d commit bd630e3

File tree

1 file changed

+36
-14
lines changed

1 file changed

+36
-14
lines changed

sapi/fuzzer/fuzzer-bcmath.c

Lines changed: 36 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -52,46 +52,68 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
5252
return 0;
5353
}
5454

55-
size_t dividend_len = comma1 - Data;
56-
char *dividend_str = estrndup((char *) Data, dividend_len);
55+
size_t num1_len = comma1 - Data;
56+
char *num1_str = estrndup((char *) Data, num1_len);
5757
Data = comma1 + 1;
58-
Size -= dividend_len + 1;
58+
Size -= num1_len + 1;
5959

6060
const uint8_t *comma2 = memchr(Data, ',', Size);
6161
if (!comma2) {
62-
efree(dividend_str);
62+
efree(num1_str);
6363
return 0;
6464
}
6565

66-
size_t divisor_len = comma2 - Data;
67-
char *divisor_str = estrndup((char *) Data, divisor_len);
66+
size_t num2_len = comma2 - Data;
67+
char *num2_str = estrndup((char *) Data, num2_len);
6868
Data = comma2 + 1;
69-
Size -= divisor_len + 1;
69+
Size -= num2_len + 1;
7070

7171
zend_long scale = 0;
7272
if (!char_to_zend_long((char *) Data, Size, &scale)) {
73-
efree(dividend_str);
74-
efree(divisor_str);
73+
efree(num1_str);
74+
efree(num2_str);
7575
return 0;
7676
}
7777

7878
if (fuzzer_request_startup() == FAILURE) {
7979
return 0;
8080
}
8181

82+
char func_name[6];
83+
switch (rand() % 6) {
84+
case 0:
85+
sprintf(func_name, "%s", "bcadd");
86+
break;
87+
case 1:
88+
sprintf(func_name, "%s", "bcsub");
89+
break;
90+
case 2:
91+
sprintf(func_name, "%s", "bcmul");
92+
break;
93+
case 3:
94+
sprintf(func_name, "%s", "bcdiv");
95+
break;
96+
case 4:
97+
sprintf(func_name, "%s", "bcmod");
98+
break;
99+
case 5:
100+
sprintf(func_name, "%s", "bcpow");
101+
break;
102+
}
103+
82104
fuzzer_setup_dummy_frame();
83105

84106
zval args[3];
85-
ZVAL_STRINGL(&args[0], dividend_str, dividend_len);
86-
ZVAL_STRINGL(&args[1], divisor_str, divisor_len);
107+
ZVAL_STRINGL(&args[0], num1_str, num1_len);
108+
ZVAL_STRINGL(&args[1], num2_str, num2_len);
87109
ZVAL_LONG(&args[2], scale);
88110

89-
fuzzer_call_php_func_zval("bcdiv", 3, args);
111+
fuzzer_call_php_func_zval(func_name, 3, args);
90112

91113
zval_ptr_dtor(&args[0]);
92114
zval_ptr_dtor(&args[1]);
93-
efree(dividend_str);
94-
efree(divisor_str);
115+
efree(num1_str);
116+
efree(num2_str);
95117

96118
fuzzer_request_shutdown();
97119

0 commit comments

Comments
 (0)