Implemented suggestion: moved allocation under request initialization to avoid unnecessary free call

Lung-Alexandra · Lung-Alexandra · commit f10a6baad121 · 2025-03-16T09:01:26.000+02:00
diff --git a/sapi/fuzzer/fuzzer-json.c b/sapi/fuzzer/fuzzer-json.c
@@ -31,15 +31,15 @@
 #include "ext/json/php_json_parser.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	char *data = malloc(Size+1);
-	memcpy(data, Data, Size);
-	data[Size] = '\0';
 
-	if (fuzzer_request_startup() == FAILURE) {
-        free(data);
+    if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
+    char *data = malloc(Size+1);
+    memcpy(data, Data, Size);
+    data[Size] = '\0';
+
 	for (int option = 0; option <=1; ++option) {
 		zval result;
 		php_json_parser parser;
diff --git a/sapi/fuzzer/fuzzer-mbregex.c b/sapi/fuzzer/fuzzer-mbregex.c
@@ -31,15 +31,15 @@
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 #ifdef HAVE_MBREGEX
 	char *args[2];
-	char *data = malloc(Size+1);
-	memcpy(data, Data, Size);
-	data[Size] = '\0';
-
+    
 	if (fuzzer_request_startup() == FAILURE) {
-        free(data);
 		return 0;
 	}
 
+    char *data = malloc(Size+1);
+	memcpy(data, Data, Size);
+	data[Size] = '\0';
+
 	fuzzer_setup_dummy_frame();
 
 	args[0] = data;
diff --git a/sapi/fuzzer/fuzzer-unserialize.c b/sapi/fuzzer/fuzzer-unserialize.c
@@ -30,15 +30,15 @@
 #include "ext/standard/php_var.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	unsigned char *orig_data = malloc(Size+1);
-	memcpy(orig_data, Data, Size);
-	orig_data[Size] = '\0';
 
-	if (fuzzer_request_startup() == FAILURE) {
-        free(orig_data)
+    if (fuzzer_request_startup() == FAILURE) {
 		return 0;
 	}
 
+    unsigned char *orig_data = malloc(Size+1);
+    memcpy(orig_data, Data, Size);
+    orig_data[Size] = '\0';
+
 	fuzzer_setup_dummy_frame();
 
 	{
diff --git a/sapi/fuzzer/fuzzer-unserializehash.c b/sapi/fuzzer/fuzzer-unserializehash.c
@@ -34,16 +34,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {
 	}
 	++Start;
 
-	size_t Size = (Data + FullSize) - Start;
-	unsigned char *orig_data = malloc(Size+1);
-	memcpy(orig_data, Start, Size);
-	orig_data[Size] = '\0';
-
 	if (fuzzer_request_startup() == FAILURE) {
-        free(orig_data);
 		return 0;
 	}
 
+    size_t Size = (Data + FullSize) - Start;
+    unsigned char *orig_data = malloc(Size+1);
+    memcpy(orig_data, Start, Size);
+    orig_data[Size] = '\0';
+
 	fuzzer_setup_dummy_frame();
 
 	{

Original file line number	Diff line number	Diff line change
`@@ -34,16 +34,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t FullSize) {`
`34`	`34`	`}`
`35`	`35`	`++Start;`
`36`	`36`
`37`		`- size_t Size = (Data + FullSize) - Start;`
`38`		`- unsigned char *orig_data = malloc(Size+1);`
`39`		`- memcpy(orig_data, Start, Size);`
`40`		`- orig_data[Size] = '\0';`
`41`		`-`
`42`	`37`	`if (fuzzer_request_startup() == FAILURE) {`
`43`		`- free(orig_data);`
`44`	`38`	`return 0;`
`45`	`39`	`}`
`46`	`40`
	`41`	`+ size_t Size = (Data + FullSize) - Start;`
	`42`	`+ unsigned char *orig_data = malloc(Size+1);`
	`43`	`+ memcpy(orig_data, Start, Size);`
	`44`	`+ orig_data[Size] = '\0';`
	`45`	`+`
`47`	`46`	`fuzzer_setup_dummy_frame();`
`48`	`47`
`49`	`48`	`{`