From 843c5f0415d046e757b2dd3727aaf039261f7ca6 Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard
Date: Fri, 4 Jul 2025 12:16:37 +0100
Subject: [PATCH 1/2] sapi/fuzzer: Fetch function and call it directly instead of using a zval to hold the name
---
 sapi/fuzzer/fuzzer-execute-common.h | 9 +++++----
 sapi/fuzzer/fuzzer-sapi.c | 6 ++++--
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/sapi/fuzzer/fuzzer-execute-common.h b/sapi/fuzzer/fuzzer-execute-common.h
index f5113a5b0e41f..081ab4d30e823 100644
--- a/sapi/fuzzer/fuzzer-execute-common.h
+++ b/sapi/fuzzer/fuzzer-execute-common.h
@@ -127,15 +127,16 @@ ZEND_ATTRIBUTE_UNUSED static void create_file(void) {
 ZEND_ATTRIBUTE_UNUSED static void opcache_invalidate(void) {
 steps_left = MAX_STEPS;
 zend_exception_save();
- zval retval, func, args[2];
- ZVAL_STRING(&func, "opcache_invalidate");
+ zval retval, args[2];
+ zend_function *fn = zend_hash_str_find_ptr(CG(function_table), ZEND_STRL("opcache_invalidate"));
+ ZEND_ASSERT(fn != NULL);
+
 ZVAL_STRING(&args[0], FILE_NAME);
 ZVAL_TRUE(&args[1]);
- call_user_function(CG(function_table), NULL, &func, &retval, 2, args);
+ zend_call_known_function(fn, NULL, NULL, &retval, 2, args, NULL);
 ZEND_ASSERT(Z_TYPE(retval) == IS_TRUE);
 zval_ptr_dtor(&args[0]);
 zval_ptr_dtor(&retval);
- zval_ptr_dtor(&func);
 zend_exception_restore();
 }
diff --git a/sapi/fuzzer/fuzzer-sapi.c b/sapi/fuzzer/fuzzer-sapi.c
index baf77ae0463b3..66cec70ea7b7e 100644
--- a/sapi/fuzzer/fuzzer-sapi.c
+++ b/sapi/fuzzer/fuzzer-sapi.c 
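Review bot: The only guard on the `fn` returned by `zend_hash_str_find_ptr` is `ZEND_ASSERT(fn != NULL)`, which is not an active check in non-debug builds, so a fuzzer binary built without ZEND_DEBUG would hand a NULL function pointer to `zend_call_known_function` if `opcache_invalidate` is not registered (opcache not loaded), where `call_user_function` previously failed the call and let the `ZEND_ASSERT(Z_TYPE(retval) == IS_TRUE)` below report it. If the fuzzer is only ever built with assertions enabled, say so next to the lookup, e.g. `/* opcache is always loaded in the fuzzer build, so the lookup cannot fail */`; otherwise make it a real guard, `if (!fn) { zend_exception_restore(); return; }`, keeping the save/restore pair balanced. The same assert-only guard is introduced in the `fuzzer_call_php_func_zval` hunk of sapi/fuzzer/fuzzer-sapi.c.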
@@ -294,9 +294,11 @@ int fuzzer_do_request_from_buffer(
 void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args) {
 zval retval, func;
- ZVAL_STRING(&func, func_name);
+ zend_function *fn = zend_hash_str_find_ptr(CG(function_table), func_name, strlen(func_name));
+ ZEND_ASSERT(fn != NULL);
+
 ZVAL_UNDEF(&retval);
- call_user_function(CG(function_table), NULL, &func, &retval, nargs, args);
+ zend_call_known_function(fn, NULL, NULL, &retval, nargs, args, NULL);
 // TODO: check result?
 /* to ensure retval is not broken */
From 246531943749d9a8c8375ca4c8b831ee60ef54a6 Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard
Date: Sat, 5 Jul 2025 13:14:13 +0100
Subject: [PATCH 2/2] Remove unused variable and dtor
---
 sapi/fuzzer/fuzzer-sapi.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sapi/fuzzer/fuzzer-sapi.c b/sapi/fuzzer/fuzzer-sapi.c
index 66cec70ea7b7e..5014a51cca4f2 100644
--- a/sapi/fuzzer/fuzzer-sapi.c
+++ b/sapi/fuzzer/fuzzer-sapi.c
@@ -292,7 +292,7 @@ int fuzzer_do_request_from_buffer(
 // Call named PHP function with N zval arguments
 void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args) {
- zval retval, func;
+ zval retval;
 zend_function *fn = zend_hash_str_find_ptr(CG(function_table), func_name, strlen(func_name));
 ZEND_ASSERT(fn != NULL);
@@ -306,7 +306,6 @@ void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args) {
 /* cleanup */
 zval_ptr_dtor(&retval);
- zval_ptr_dtor(&func);
 }
 // Call named PHP function with N string arguments
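Review bot: `zend_hash_str_find_ptr(CG(function_table), func_name, strlen(func_name))` is an exact-key lookup, whereas the `call_user_function` path it replaces resolved the callable and so accepted a name in any letter case; function-table keys are stored lowercased, so `func_name` must now arrive already lowercased or the assert fires, and in non-debug builds the NULL `fn` is passed on unchecked. The callers are outside this hunk; if they all pass literal lowercase names, record that as part of the contract on the comment line above the signature, e.g. `// Call named PHP function with N zval arguments; func_name must be the lowercase name as stored in the function table (exact-key lookup)`, otherwise lowercase the name before the lookup. The body of `fuzzer_call_php_func_zval` continues past the hunk.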