sapi/fuzzer: Fetch function and call it directly instead of using a zval to hold the name

Author: Girgias

sapi/fuzzer/fuzzer-execute-common.h

@@ -127,15 +127,16 @@ ZEND_ATTRIBUTE_UNUSED static void create_file(void) {
 ZEND_ATTRIBUTE_UNUSED static void opcache_invalidate(void) {
 	steps_left = MAX_STEPS;
 	zend_exception_save();
-	zval retval, func, args[2];
-	ZVAL_STRING(&func, "opcache_invalidate");
+	zval retval, args[2];
+	zend_function *fn = zend_hash_str_find_ptr(CG(function_table), ZEND_STRL("opcache_invalidate"));
+	ZEND_ASSERT(fn != NULL);
+
 	ZVAL_STRING(&args[0], FILE_NAME);
 	ZVAL_TRUE(&args[1]);
-	call_user_function(CG(function_table), NULL, &func, &retval, 2, args);
+	zend_call_known_function(fn, NULL, NULL, &retval, 2, args, NULL);
 	ZEND_ASSERT(Z_TYPE(retval) == IS_TRUE);
 	zval_ptr_dtor(&args[0]);
 	zval_ptr_dtor(&retval);
-	zval_ptr_dtor(&func);
 	zend_exception_restore();
 }
 

sapi/fuzzer/fuzzer-sapi.c

@@ -294,9 +294,11 @@ int fuzzer_do_request_from_buffer(
 void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args) {
 	zval retval, func;
 
-	ZVAL_STRING(&func, func_name);
+	zend_function *fn = zend_hash_str_find_ptr(CG(function_table), func_name, strlen(func_name));
+	ZEND_ASSERT(fn != NULL);
+
 	ZVAL_UNDEF(&retval);
-	call_user_function(CG(function_table), NULL, &func, &retval, nargs, args);
+	zend_call_known_function(fn, NULL, NULL, &retval, nargs, args, NULL);
 
 	// TODO: check result?
 	/* to ensure retval is not broken */