Looking at the recent PHP security issues, it is clear that many of them
are stemming from corner cases in various format-parsing code, and most
of them either is or can be found by fuzzers.
Thus, I've made an initial integration for PHP on OSS-fuzz project - a
fuzzing engine for testing open source projects. PHP configuration sits
and implementation of fuzzers is here:
So far we have three fuzzers enabled: JSON, EXIF and mbstring. I plan
also to add basic phar fuzzer soon. Everybody is welcome to add more
fuzzers - with priority on ones that actually deal with third-party
data, e.g. language parser fuzzer is not enabled right now, because
people usually do not run random byte streams as PHP scripts on their
servers. On the other hand, people do apply EXIF or gd functions to
third-party data, so a vulnerability in that code would be high priority.
That said, fuzzers can be run independently of OSS-Fuzz, so if you feel
inspired to add a fuzzer for any code please do so.