From 73e4b5796c61db660832e203314f1f5f2edb01c7 Mon Sep 17 00:00:00 2001
From: JP3BGY <6635381+JP3BGY@users.noreply.github.com>
Date: Tue, 29 Aug 2023 10:42:57 +0000
Subject: [PATCH 1/4] add load-offset option to aurora

---
 feature_extraction/methods/AuroraFE/src/rca.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/feature_extraction/methods/AuroraFE/src/rca.sh b/feature_extraction/methods/AuroraFE/src/rca.sh
index 46fcfb3..13d9589 100755
--- a/feature_extraction/methods/AuroraFE/src/rca.sh
+++ b/feature_extraction/methods/AuroraFE/src/rca.sh
@@ -1,6 +1,12 @@
 #!/bin/bash
 set -eu
+RCA_LOAD_OFFSET=""
+if [[ -v LOAD_OFFSET ]];
+then
+ RCA_LOAD_OFFSET="--load-offset ${LOAD_OFFSET}"
+fi
+
 cd ${FE_ROOT}/aurora/root_cause_analysis
-cargo run --release --bin rca -- --eval-dir ${WORKDIR} --trace-dir ${WORKDIR} --monitor --rank-predicates
-cargo run --release --bin addr2line -- --eval-dir ${WORKDIR}
+cargo run --release --bin rca -- ${RCA_LOAD_OFFSET} --eval-dir ${WORKDIR} --trace-dir ${WORKDIR} --monitor --rank-predicates
+cargo run --release --bin addr2line -- ${RCA_LOAD_OFFSET} --eval-dir ${WORKDIR}

From c572aa32a5bfe52a3fa1dc2a07011c85bd57befe Mon Sep 17 00:00:00 2001
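Review bot: `[[ -v LOAD_OFFSET ]]` only checks that the variable is set, so an exported-but-empty LOAD_OFFSET produces a bare `--load-offset` and the following `--eval-dir` is consumed as its value; `[[ -n "${LOAD_OFFSET-}" ]]` is the safer test. Packing the option into a string that is later expanded unquoted depends on word splitting, which `set -eu` does not guard; an array is the idiomatic form: `rca_opts=()`, `if [[ -n "${LOAD_OFFSET-}" ]]; then rca_opts+=(--load-offset "$LOAD_OFFSET"); fi`, then `"${rca_opts[@]}"` in both cargo lines (an empty array under `set -u` needs bash 4.4 or newer). Nothing checks that the value looks like an address before it reaches rca; a guard such as `[[ "$LOAD_OFFSET" =~ ^0x[0-9a-fA-F]+$ ]] || { echo "bad LOAD_OFFSET" >&2; exit 1; }` fails early with a readable message instead of a downstream parse error. The `;` before a `then` on its own line is also unusual; `if [[ ... ]]; then` on one line matches the rest of the file.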
From: JP3BGY <6635381+JP3BGY@users.noreply.github.com>
Date: Fri, 1 Sep 2023 09:51:13 +0000
Subject: [PATCH 2/4] add php_cve-2019-11038

---
 .../methods/ConcFuzz/crash_tags.yaml | 1 +
 targets/php_cve-2019-11038/README.md | 22 +++++++++++
 targets/php_cve-2019-11038/build.sh | 39 +++++++++++++++++++
 targets/php_cve-2019-11038/config.sh | 6 +++
 targets/php_cve-2019-11038/preinstall.sh | 4 ++
 .../php_cve-2019-11038/root_causes/locations | 3 ++
 targets/php_cve-2019-11038/seeds/default | 6 +++
 .../zend_portability.h.patch | 15 +++++++
 8 files changed, 96 insertions(+)
 create mode 100644 targets/php_cve-2019-11038/README.md
 create mode 100755 targets/php_cve-2019-11038/build.sh
 create mode 100755 targets/php_cve-2019-11038/config.sh
 create mode 100755 targets/php_cve-2019-11038/preinstall.sh
 create mode 100644 targets/php_cve-2019-11038/root_causes/locations
 create mode 100644 targets/php_cve-2019-11038/seeds/default
 create mode 100644 targets/php_cve-2019-11038/zend_portability.h.patch

diff --git a/data_augmentation/methods/ConcFuzz/crash_tags.yaml b/data_augmentation/methods/ConcFuzz/crash_tags.yaml
index 6c9365b..ac83277 100644
--- a/data_augmentation/methods/ConcFuzz/crash_tags.yaml
+++ b/data_augmentation/methods/ConcFuzz/crash_tags.yaml
@@ -5,3 +5,4 @@ libjpeg_cve-2017-15232: asan;0;oracle_source/jquant1.c:536
 libxml2_cve-2017-5969: asan;0;oracle_source/valid.c:1181
 readelf_cve-2019-9077: asan;0;binutils/readelf.c:16204
 mruby_hackerone-reports-185041: asan;4;error.c:290
+php_cve-2019-11038: asan;2;gd.c:2463
diff --git a/targets/php_cve-2019-11038/README.md b/targets/php_cve-2019-11038/README.md
new file mode 100644
index 0000000..af397e7
--- /dev/null
+++ b/targets/php_cve-2019-11038/README.md
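Review bot: The new tag records `asan` for php_cve-2019-11038, but the build.sh added in the same commit rewrites `-fsanitize=address` to `-fsanitize=memory`, so the PHP binary is built with MemorySanitizer, and the README describes the bug as a read of an uninitialized value, which AddressSanitizer does not detect. If the first field tells the crash-tag parser which sanitizer report to expect, this entry will never match an MSan report; confirm the field's meaning and, if it names the sanitizer, use whatever value the parser accepts for MSan. A comment on the line, e.g. `# target is built with -fsanitize=memory (see targets/php_cve-2019-11038/build.sh)`, would record why this entry differs from the others.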
@@ -0,0 +1,22 @@
+# CVE-2019-11038
+
+## references
+https://github.com/libgd/libgd/issues/501
+
+https://nvd.nist.gov/vuln/detail/CVE-2019-11038
+## description
+
+This bug is not in PHP source but in libgd source that is used as part of PHP.
+
+In gdImageCreateFromXbm(), a return value of sscanf is not checked and can be read an uninitialized value.
+
+## patch
+https://github.com/libgd/libgd/commit/e13a342c079aeb73e31dfa19eaca119761bac3f3
+
+## fixed file
+
+https://github.com/libgd/libgd/pull/503/files#diff-3e81469de02c28988a3c8b67060a48e741493db4412152dd141871eabe57aa61
+
+## Source of PoC
+
+https://bugs.php.net/bug.php?id=77973
diff --git a/targets/php_cve-2019-11038/build.sh b/targets/php_cve-2019-11038/build.sh
new file mode 100755
index 0000000..436fcbc
--- /dev/null
+++ b/targets/php_cve-2019-11038/build.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -eu
+
+. ${TARGET_ROOT}/config.sh
+
+if [ $# -lt 1 ]; then
+ echo "Usage: $0 " 1>&2
+ exit 1
+fi
+
+cd $TARGET_ROOT
+
+wget https://www.php.net/distributions/php-7.3.5.tar.gz
+tar xf php-7.3.5.tar.gz
+mv php-7.3.5 $1
+cd $1
+
+patch ./Zend/zend_portability.h ${TARGET_ROOT}/zend_portability.h.patch
+
+TARGET_DEF_CFLAGS="${TARGET_DEF_CFLAGS-} -no-pie -fno-pie"
+TARGET_DEF_CXXFLAGS="${TARGET_DEF_CXXFLAGS-} -no-pie -fno-pie"
+TARGET_DEF_LDFLAGS="${TARGET_DEF_CXXFLAGS-} -no-pie -fno-pie"
+ARGS=""
+for var in "${!TARGET_DEF_@}"; do
+ tmp=${!var//\-fsanitize\=address/\-fsanitize\=memory}
+ tmp=${tmp//gcc/clang}
+ tmp=${tmp//g++/clang++}
+ ARGS="${ARGS} ${var#TARGET_DEF_}=\"$(echo ${tmp})\""
+done
+
+echo ${ARGS}
+
+eval ./configure CC=clang CXX=clang++ ${ARGS} --prefix=/dir_name/install --with-gd --enable-cli --without-pear
+eval make ${ARGS} -j$(nproc)
+
+#export ZEND_DONT_UNLOAD_MODULES=1
+#export USE_ZEND_ALLOC=0
+#UBSAN_OPTIONS="print_stacktrace=1" ./sapi/cli/php ../xbm.php
diff --git a/targets/php_cve-2019-11038/config.sh b/targets/php_cve-2019-11038/config.sh
new file mode 100755
index 0000000..ec4fbae
--- /dev/null
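Review bot: `TARGET_DEF_LDFLAGS="${TARGET_DEF_CXXFLAGS-} -no-pie -fno-pie"` seeds the link flags from CXXFLAGS, which throws away any TARGET_DEF_LDFLAGS the caller exported and repeats compiler-only flags on the link line; it should read `TARGET_DEF_LDFLAGS="${TARGET_DEF_LDFLAGS-} -no-pie -fno-pie"`. The archive fetched by `wget https://www.php.net/distributions/php-7.3.5.tar.gz` is extracted and built with no integrity check, so a tampered or truncated download is compiled with whatever privileges the harness runs under; pin the expected digest and verify it before `tar xf`, e.g. `echo "<SHA256_OF_php-7.3.5.tar.gz>  php-7.3.5.tar.gz" | sha256sum -c -`. `eval ./configure ... ${ARGS}` re-parses strings assembled from every TARGET_DEF_* variable in the environment, so a quote or `$(...)` inside one of them runs as shell; that is tolerable while the values come from the harness's own config.sh, but a comment stating that assumption would keep a later caller from feeding them from somewhere less trusted. `$1`, `$TARGET_ROOT` and `${tmp}` are expanded unquoted (`mv php-7.3.5 $1`, `cd $1`, `$(echo ${tmp})`), which also collapses whitespace inside the flag strings. The usage line `echo "Usage: $0 " 1>&2` appears to have lost the name of its argument, possibly in rendering; `printf 'Usage: %s <build-dir>\n' "$0" >&2` would restore it.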
+++ b/targets/php_cve-2019-11038/config.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -eux
+
+export RELPATH=sapi/cli/php
+export ARGS=" @@"
+export LOAD_OFFSET=0x0000000000000000
diff --git a/targets/php_cve-2019-11038/preinstall.sh b/targets/php_cve-2019-11038/preinstall.sh
new file mode 100755
index 0000000..765117b
--- /dev/null
+++ b/targets/php_cve-2019-11038/preinstall.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends build-essential libxml2-dev libpng-dev wget patch clang llvm
diff --git a/targets/php_cve-2019-11038/root_causes/locations b/targets/php_cve-2019-11038/root_causes/locations
new file mode 100644
index 0000000..6b44db4
--- /dev/null
+++ b/targets/php_cve-2019-11038/root_causes/locations
@@ -0,0 +1,3 @@
+gd_xbm.c:139
+gd_xbm.c:140
+gd_xbm.c:141
diff --git a/targets/php_cve-2019-11038/seeds/default b/targets/php_cve-2019-11038/seeds/default
new file mode 100644
index 0000000..24c0fda
--- /dev/null
+++ b/targets/php_cve-2019-11038/seeds/default
@@ -0,0 +1,6 @@
+
diff --git a/targets/php_cve-2019-11038/zend_portability.h.patch b/targets/php_cve-2019-11038/zend_portability.h.patch
new file mode 100644
index 0000000..6cf4a94
--- /dev/null
+++ b/targets/php_cve-2019-11038/zend_portability.h.patch
@@ -0,0 +1,15 @@
+--- php-7.3.5/Zend/zend_portability.h 2019-04-30 17:37:26.000000000 +0900
++++ php-7.3.5-mod/Zend/zend_portability.h 2023-07-07 19:43:23.525984714 +0900
+@@ -512,6 +512,12 @@
+ #define ZEND_VALID_SOCKET(sock) ((sock) >= 0)
+ #endif
+
++#if __has_feature(memory_sanitizer) || __has_feature(thread_sanitizer) || \
++ __has_feature(dataflow_sanitizer)
++# undef HAVE_FUNC_ATTRIBUTE_IFUNC
++#endif
++
++
+ /* va_copy() is __va_copy() in old gcc versions.
+ * According to the autoconf manual, using
+ * memcpy(&dst, &src, sizeof(va_list))

From b2c9b210fdca0b647cbe77a7951162b1c02ea0e0 Mon Sep 17 00:00:00 2001
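Review bot: `set -eux` in config.sh takes effect in whatever script sources it — build.sh does `. ${TARGET_ROOT}/config.sh` — so the caller is switched to xtrace for the rest of its run and every command with its expanded variables goes to stderr. Besides flooding CI logs, that would echo any credential that is ever passed through the environment to a build step; a file whose only job is to export variables should not set shell options, so drop the line (or keep `set -eu` only if the file is also run standalone). A one-line comment above `export LOAD_OFFSET=0x0000000000000000` saying which binary layout the zero offset corresponds to — presumably the `-no-pie` build in build.sh — would make the value's intent clear to the next target author.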
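Review bot: preinstall.sh has no `set -e`, so when `apt-get update` fails the script continues and the following `apt-get install` runs against a stale or missing package index, and the script still exits 0 if the install itself fails. Add `set -eu` after the shebang, matching build.sh, or join the two commands with `&&`.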
From: JP3BGY <6635381+JP3BGY@users.noreply.github.com>
Date: Wed, 6 Sep 2023 10:31:08 +0000
Subject: [PATCH 3/4] [php_cve-2019-11038] fuzzing only xbm file

---
 targets/php_cve-2019-11038/config.sh | 2 +-
 targets/php_cve-2019-11038/poc.php | 3 +++
 targets/php_cve-2019-11038/seeds/default | 10 ++++------
 3 files changed, 8 insertions(+), 7 deletions(-)
 create mode 100644 targets/php_cve-2019-11038/poc.php

diff --git a/targets/php_cve-2019-11038/config.sh b/targets/php_cve-2019-11038/config.sh
index ec4fbae..99b82b4 100755
--- a/targets/php_cve-2019-11038/config.sh
+++ b/targets/php_cve-2019-11038/config.sh
@@ -2,5 +2,5 @@
 set -eux
 export RELPATH=sapi/cli/php
-export ARGS=" @@"
+export ARGS="$TARGET_ROOT/poc.php @@"
 export LOAD_OFFSET=0x0000000000000000
diff --git a/targets/php_cve-2019-11038/poc.php b/targets/php_cve-2019-11038/poc.php
new file mode 100644
index 0000000..7e5c14e
--- /dev/null
+++ b/targets/php_cve-2019-11038/poc.php
@@ -0,0 +1,3 @@
+
diff --git a/targets/php_cve-2019-11038/seeds/default b/targets/php_cve-2019-11038/seeds/default
index 24c0fda..0d37d53 100644
--- a/targets/php_cve-2019-11038/seeds/default
+++ b/targets/php_cve-2019-11038/seeds/default
@@ -1,6 +1,4 @@
-
+#define width 2
+#define height 2
+static char bits[] ={
+zzxzz
\ No newline at end of file

From aac3687fd3992af4f7714b3cfcaf22f0a1a581a0 Mon Sep 17 00:00:00 2001
From: JP3BGY <6635381+JP3BGY@users.noreply.github.com>
Date: Mon, 11 Sep 2023 08:35:18 +0000
Subject: [PATCH 4/4] delete echo command for debug

---
 targets/php_cve-2019-11038/build.sh | 2 --
 1 file changed, 2 deletions(-)

diff --git a/targets/php_cve-2019-11038/build.sh b/targets/php_cve-2019-11038/build.sh
index 436fcbc..19538e3 100755
--- a/targets/php_cve-2019-11038/build.sh
+++ b/targets/php_cve-2019-11038/build.sh
@@ -29,8 +29,6 @@ for var in "${!TARGET_DEF_@}"; do
 ARGS="${ARGS} ${var#TARGET_DEF_}=\"$(echo ${tmp})\""
 done
-echo ${ARGS}
-
 eval ./configure CC=clang CXX=clang++ ${ARGS} --prefix=/dir_name/install --with-gd --enable-cli --without-pear
 eval make ${ARGS} -j$(nproc)