php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70083 Use after free with assign by ref to overloaded objects
Submitted: 2015-07-15 16:30 UTC Modified: 2015-07-15 21:01 UTC
From: brian dot carpenter at gmail dot com Assigned: bwoebi (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-07-15 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-07-15 16:30 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.0.0-dev (cli) (built: Jul 12 2015 03:27:06), I came across a script that causes a whole heap of trouble, most likely a buffer overflow of sorts, not sure how far the security implications go, but better safe than sorry, however, it doesn't appear to affect an older version such as PHP 5.4.41-0+deb7u1.

Test script:
---------------
<?php
class wp0{private$d;function __get($e){return$this;}}function ret_assoc(){}$wp0=new wp0;$wp0->i=&ret_assoc();

Expected result:
----------------
A graceful failure, easy to understand error message, obviously not this.

Actual result:
--------------
*** stack smashing detected ***: /home/geeknik/php-src/sapi/cli/php terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff6aef0e7]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7ffff6aef0b0]
/home/geeknik/php-src/sapi/cli/php[0x16704b1]
/home/geeknik/php-src/sapi/cli/php(zend_hash_graceful_reverse_destroy+0x69f)[0x15c262f]
/home/geeknik/php-src/sapi/cli/php[0x14cf7df]
/home/geeknik/php-src/sapi/cli/php(zend_deactivate+0x118)[0x15444c8]
/home/geeknik/php-src/sapi/cli/php(php_request_shutdown+0x7b5)[0x12ebd25]
/home/geeknik/php-src/sapi/cli/php[0x18e0fb7]
/home/geeknik/php-src/sapi/cli/php[0x4593a5]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7ffff6a1dead]
/home/geeknik/php-src/sapi/cli/php[0x459475]
======= Memory map: ========
00400000-01da1000 r-xp 00000000 fe:01 941843                             /home/geeknik/php-src/sapi/cli/ph                                                         p
01fa0000-0203b000 rw-p 019a0000 fe:01 941843                             /home/geeknik/php-src/sapi/cli/ph                                                         p
0203b000-02162000 rw-p 00000000 00:00 0                                  [heap]
7ffff5dea000-7ffff5dff000 r-xp 00000000 fe:01 131581                     /lib/x86_64-linux-gnu/libgcc_s.so                                                         .1
7ffff5dff000-7ffff5fff000 ---p 00015000 fe:01 131581                     /lib/x86_64-linux-gnu/libgcc_s.so                                                         .1
7ffff5fff000-7ffff6000000 rw-p 00015000 fe:01 131581                     /lib/x86_64-linux-gnu/libgcc_s.so                                                         .1
7ffff6000000-7ffff6200000 rw-p 00000000 00:00 0
7ffff63a9000-7ffff63cb000 r-xp 00000000 fe:01 131572                     /lib/x86_64-linux-gnu/liblzma.so.                                                         5.0.0
7ffff63cb000-7ffff65ca000 ---p 00022000 fe:01 131572                     /lib/x86_64-linux-gnu/liblzma.so.                                                         5.0.0
7ffff65ca000-7ffff65cb000 r--p 00021000 fe:01 131572                     /lib/x86_64-linux-gnu/liblzma.so.                                                         5.0.0
7ffff65cb000-7ffff65cc000 rw-p 00022000 fe:01 131572                     /lib/x86_64-linux-gnu/liblzma.so.                                                         5.0.0
7ffff65cc000-7ffff65e2000 r-xp 00000000 fe:01 131569                     /lib/x86_64-linux-gnu/libz.so.1.2                                                         .7
7ffff65e2000-7ffff67e1000 ---p 00016000 fe:01 131569                     /lib/x86_64-linux-gnu/libz.so.1.2                                                         .7
7ffff67e1000-7ffff67e2000 r--p 00015000 fe:01 131569                     /lib/x86_64-linux-gnu/libz.so.1.2                                                         .7
7ffff67e2000-7ffff67e3000 rw-p 00016000 fe:01 131569                     /lib/x86_64-linux-gnu/libz.so.1.2                                                         .7
7ffff67e3000-7ffff67fa000 r-xp 00000000 fe:01 135025                     /lib/x86_64-linux-gnu/libpthread-                                                         2.13.so
7ffff67fa000-7ffff69f9000 ---p 00017000 fe:01 135025                     /lib/x86_64-linux-gnu/libpthread-                                                         2.13.so
7ffff69f9000-7ffff69fa000 r--p 00016000 fe:01 135025                     /lib/x86_64-linux-gnu/libpthread-                                                         2.13.so
7ffff69fa000-7ffff69fb000 rw-p 00017000 fe:01 135025                     /lib/x86_64-linux-gnu/libpthread-                                                         2.13.so
7ffff69fb000-7ffff69ff000 rw-p 00000000 00:00 0
7ffff69ff000-7ffff6b80000 r-xp 00000000 fe:01 131508                     /lib/x86_64-linux-gnu/libc-2.13.s                                                         o
7ffff6b80000-7ffff6d80000 ---p 00181000 fe:01 131508                     /lib/x86_64-linux-gnu/libc-2.13.s                                                         o
7ffff6d80000-7ffff6d84000 r--p 00181000 fe:01 131508                     /lib/x86_64-linux-gnu/libc-2.13.s                                                         o
7ffff6d84000-7ffff6d85000 rw-p 00185000 fe:01 131508                     /lib/x86_64-linux-gnu/libc-2.13.s                                                         o
7ffff6d85000-7ffff6d8a000 rw-p 00000000 00:00 0
7ffff6d8a000-7ffff6edf000 r-xp 00000000 fe:01 399049                     /usr/lib/x86_64-linux-gnu/libxml2                                                         .so.2.8.0
7ffff6edf000-7ffff70df000 ---p 00155000 fe:01 399049                     /usr/lib/x86_64-linux-gnu/libxml2                                                         .so.2.8.0
7ffff70df000-7ffff70e7000 r--p 00155000 fe:01 399049                     /usr/lib/x86_64-linux-gnu/libxml2                                                         .so.2.8.0
7ffff70e7000-7ffff70e9000 rw-p 0015d000 fe:01 399049                     /usr/lib/x86_64-linux-gnu/libxml2                                                         .so.2.8.0
7ffff70e9000-7ffff70ea000 rw-p 00000000 00:00 0
7ffff70ea000-7ffff70ff000 r-xp 00000000 fe:01 131447                     /lib/x86_64-linux-gnu/libnsl-2.13                                                         .so
7ffff70ff000-7ffff72fe000 ---p 00015000 fe:01 131447                     /lib/x86_64-linux-gnu/libnsl-2.13                                                         .so
7ffff72fe000-7ffff72ff000 r--p 00014000 fe:01 131447                     /lib/x86_64-linux-gnu/libnsl-2.13                                                         .so
7ffff72ff000-7ffff7300000 rw-p 00015000 fe:01 131447                     /lib/x86_64-linux-gnu/libnsl-2.13                                                         .so
7ffff7300000-7ffff7302000 rw-p 00000000 00:00 0
7ffff7302000-7ffff7304000 r-xp 00000000 fe:01 131553                     /lib/x86_64-linux-gnu/libdl-2.13.                                                         so
7ffff7304000-7ffff7504000 ---p 00002000 fe:01 131553                     /lib/x86_64-linux-gnu/libdl-2.13.                                                         so
7ffff7504000-7ffff7505000 r--p 00002000 fe:01 131553                     /lib/x86_64-linux-gnu/libdl-2.13.                                                         so
7ffff7505000-7ffff7506000 rw-p 00003000 fe:01 131553                     /lib/x86_64-linux-gnu/libdl-2.13.                                                         so
7ffff7506000-7ffff7587000 r-xp 00000000 fe:01 131121                     /lib/x86_64-linux-gnu/libm-2.13.s                                                         o
7ffff7587000-7ffff7786000 ---p 00081000 fe:01 131121                     /lib/x86_64-linux-gnu/libm-2.13.s                                                         o
7ffff7786000-7ffff7787000 r--p 00080000 fe:01 131121                     /lib/x86_64-linux-gnu/libm-2.13.s                                                         o
7ffff7787000-7ffff7788000 rw-p 00081000 fe:01 131121                     /lib/x86_64-linux-gnu/libm-2.13.s                                                         o
7ffff7788000-7ffff778f000 r-xp 00000000 fe:01 135021                     /lib/x86_64-linux-gnu/librt-2.13.                                                         so
7ffff778f000-7ffff798e000 ---p 00007000 fe:01 135021                     /lib/x86_64-linux-gnu/librt-2.13.                                                         so
7ffff798e000-7ffff798f000 r--p 00006000 fe:01 135021                     /lib/x86_64-linux-gnu/librt-2.13.                                                         so
7ffff798f000-7ffff7990000 rw-p 00007000 fe:01 135021                     /lib/x86_64-linux-gnu/librt-2.13.                                                         so
7ffff7990000-7ffff79a3000 r-xp 00000000 fe:01 131610                     /lib/x86_64-linux-gnu/libresolv-2                                                         .13.so
7ffff79a3000-7ffff7ba2000 ---p 00013000 fe:01 131610                     /lib/x86_64-linux-gnu/libresolv-2                                                         .13.so
7ffff7ba2000-7ffff7ba3000 r--p 00012000 fe:01 131610                     /lib/x86_64-linux-gnu/libresolv-2                                                         .13.so
7ffff7ba3000-7ffff7ba4000 rw-p 00013000 fe:01 131610                     /lib/x86_64-linux-gnu/libresolv-2                                                         .13.so
7ffff7ba4000-7ffff7ba6000 rw-p 00000000 00:00 0
7ffff7ba6000-7ffff7bae000 r-xp 00000000 fe:01 131556                     /lib/x86_64-linux-gnu/libcrypt-2.                                                         13.so
7ffff7bae000-7ffff7dad000 ---p 00008000 fe:01 131556                     /lib/x86_64-linux-gnu/libcrypt-2.                                                         13.so
7ffff7dad000-7ffff7dae000 r--p 00007000 fe:01 131556                     /lib/x86_64-linux-gnu/libcrypt-2.                                                         13.so
7ffff7dae000-7ffff7daf000 rw-p 00008000 fe:01 131556                     /lib/x86_64-linux-gnu/libcrypt-2.                                                         13.so
7ffff7daf000-7ffff7ddd000 rw-p 00000000 00:00 0
7ffff7ddd000-7ffff7dfd000 r-xp 00000000 fe:01 131607                     /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7dfd000-7ffff7dff000 rw-p 00000000 00:00 0
7ffff7e00000-7ffff7e74000 rw-p 00000000 00:00 0
7ffff7e74000-7ffff7feb000 r--p 00000000 fe:01 393362                     /usr/lib/locale/locale-archive
7ffff7feb000-7ffff7ff2000 rw-p 00000000 00:00 0
7ffff7ff9000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 0001f000 fe:01 131607                     /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffd000-7ffff7ffe000 rw-p 00020000 fe:01 131607                     /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff6a31165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6a31165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff6a343e0 in *__GI_abort () at abort.c:92
#2  0x00007ffff6a6b39b in __libc_message (do_abort=<optimized out>, fmt=<optimized out>)
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff6aef0e7 in *__GI___fortify_fail (msg=0x7ffff6b4d0aa "stack smashing detected")
    at fortify_fail.c:32
#4  0x00007ffff6aef0b0 in __stack_chk_fail () at stack_chk_fail.c:29
#5  0x00000000016704b1 in gc_possible_root (ref=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_gc.c:270
#6  0x00000000015c262f in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=7,
    ht=<optimized out>) at /home/geeknik/php-src/Zend/zend_hash.c:935
#7  _zend_hash_del_el (p=<optimized out>, idx=7, ht=0x2056cd0)
    at /home/geeknik/php-src/Zend/zend_hash.c:959
#8  zend_hash_graceful_reverse_destroy (ht=ht@entry=0x2056cd0)
    at /home/geeknik/php-src/Zend/zend_hash.c:1405
#9  0x00000000014cf7df in shutdown_executor () at /home/geeknik/php-src/Zend/zend_execute_API.c:279
#10 0x00000000015444c8 in zend_deactivate () at /home/geeknik/php-src/Zend/zend.c:964
#11 0x00000000012ebd25 in php_request_shutdown (dummy=dummy@entry=0x0)
    at /home/geeknik/php-src/main/main.c:1814
#12 0x00000000018e0fb7 in do_cli (argc=2, argv=0x205a9f0)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1139
#13 0x00000000004593a5 in main (argc=2, argv=0x205a9f0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0x0      0
rbx            0x0      0
rcx            0xffffffffffffffff       -1
rdx            0x6      6
rsi            0x67f9   26617
rdi            0x67f9   26617
rbp            0x7fffffffcc70   0x7fffffffcc70
rsp            0x7fffffffc2a8   0x7fffffffc2a8
r8             0x7ffff6b44e40   140737332399680
r9             0x407a90 4225680
r10            0x8      8
r11            0x206    518
r12            0x8      8
r13            0x7fffffffc550   140737488340304
r14            0x4f     79
r15            0x5      5
rip            0x7ffff6a31165   0x7ffff6a31165 <*__GI_raise+53>
eflags         0x206    [ PF IF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-15 18:01 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-07-15 18:01 UTC] stas@php.net
-Assigned To: +Assigned To: dmitry
 [2015-07-15 18:30 UTC] brian dot carpenter at gmail dot com
FYI, the unminimized version of this script causes some issues in PHP 5.4.41:

geeknik@middlefingermafia:~/php-tmp/out/crashes$ valgrind -q /usr/bin/php test93
PHP Warning:  Unexpected character in input:  ' in /home/geeknik/php-tmp/out/crashes/test93 on line 7
PHP Warning:  Unexpected character in input:  ' in /home/geeknik/php-tmp/out/crashes/test93 on line 7
PHP Warning:  Unexpected character in input:  '' (ASCII=16) state=0 in /home/geeknik/php-tmp/out/crashes/test93 on line 7
PHP Warning:  Unexpected character in input:  ' in /home/geeknik/php-tmp/out/crashes/test93 on line 7
PHP Warning:  Unexpected character in input:  '' (ASCII=19) state=0 in /home/geeknik/php-tmp/out/crashes/test93 on line 10
PHP Notice:  Undefined variable: x in /home/geeknik/php-tmp/out/crashes/test93 on line 16
PHP Notice:  Object of class wpq could not be converted to int in /home/geeknik/php-tmp/out/crashes/test93 on line 16
PHP Notice:  Undefined variable: x in /home/geeknik/php-tmp/out/crashes/test93 on line 17
==11594== Conditional jump or move depends on uninitialised value(s)
==11594==    at 0x680B12: ??? (in /usr/bin/php5)
==11594==    by 0x7504A9: ??? (in /usr/bin/php5)
==11594==    by 0x70A066: execute (in /usr/bin/php5)
==11594==    by 0x6A8EDB: zend_execute_scripts (in /usr/bin/php5)
==11594==    by 0x648752: php_execute_script (in /usr/bin/php5)
==11594==    by 0x753042: ??? (in /usr/bin/php5)
==11594==    by 0x431B2E: ??? (in /usr/bin/php5)
==11594==    by 0x7ABDEAC: (below main) (libc-start.c:244)
==11594==
==11594== Use of uninitialised value of size 8
==11594==    at 0x680B75: ??? (in /usr/bin/php5)
==11594==    by 0x7504A9: ??? (in /usr/bin/php5)
==11594==    by 0x70A066: execute (in /usr/bin/php5)
==11594==    by 0x6A8EDB: zend_execute_scripts (in /usr/bin/php5)
==11594==    by 0x648752: php_execute_script (in /usr/bin/php5)
==11594==    by 0x753042: ??? (in /usr/bin/php5)
==11594==    by 0x431B2E: ??? (in /usr/bin/php5)
==11594==    by 0x7ABDEAC: (below main) (libc-start.c:244)
==11594==
==11594== Conditional jump or move depends on uninitialised value(s)
==11594==    at 0x680B79: ??? (in /usr/bin/php5)
==11594==    by 0x7504A9: ??? (in /usr/bin/php5)
==11594==    by 0x70A066: execute (in /usr/bin/php5)
==11594==    by 0x6A8EDB: zend_execute_scripts (in /usr/bin/php5)
==11594==    by 0x648752: php_execute_script (in /usr/bin/php5)
==11594==    by 0x753042: ??? (in /usr/bin/php5)
==11594==    by 0x431B2E: ??? (in /usr/bin/php5)
==11594==    by 0x7ABDEAC: (below main) (libc-start.c:244)
==11594==
==11594== Use of uninitialised value of size 8
==11594==    at 0x680934: ??? (in /usr/bin/php5)
==11594==    by 0x680BFF: ??? (in /usr/bin/php5)
==11594==    by 0x7504A9: ??? (in /usr/bin/php5)
==11594==    by 0x70A066: execute (in /usr/bin/php5)
==11594==    by 0x6A8EDB: zend_execute_scripts (in /usr/bin/php5)
==11594==    by 0x648752: php_execute_script (in /usr/bin/php5)
==11594==    by 0x753042: ??? (in /usr/bin/php5)
==11594==    by 0x431B2E: ??? (in /usr/bin/php5)
==11594==    by 0x7ABDEAC: (below main) (libc-start.c:244)
==11594==
==11594== Conditional jump or move depends on uninitialised value(s)
==11594==    at 0x68093F: ??? (in /usr/bin/php5)
==11594==    by 0x680BFF: ??? (in /usr/bin/php5)
==11594==    by 0x7504A9: ??? (in /usr/bin/php5)
==11594==    by 0x70A066: execute (in /usr/bin/php5)
==11594==    by 0x6A8EDB: zend_execute_scripts (in /usr/bin/php5)
==11594==    by 0x648752: php_execute_script (in /usr/bin/php5)
==11594==    by 0x753042: ??? (in /usr/bin/php5)
==11594==    by 0x431B2E: ??? (in /usr/bin/php5)
==11594==    by 0x7ABDEAC: (below main) (libc-start.c:244)
==11594==
==11594== Use of uninitialised value of size 8
==11594==    at 0x680A36: ??? (in /usr/bin/php5)
==11594==    by 0x680BFF: ??? (in /usr/bin/php5)
==11594==    by 0x7504A9: ??? (in /usr/bin/php5)
==11594==    by 0x70A066: execute (in /usr/bin/php5)
==11594==    by 0x6A8EDB: zend_execute_scripts (in /usr/bin/php5)
==11594==    by 0x648752: php_execute_script (in /usr/bin/php5)
==11594==    by 0x753042: ??? (in /usr/bin/php5)
==11594==    by 0x431B2E: ??? (in /usr/bin/php5)
==11594==    by 0x7ABDEAC: (below main) (libc-start.c:244)
==11594==
==11594== Invalid read of size 8
==11594==    at 0x680A36: ??? (in /usr/bin/php5)
==11594==    by 0x680BFF: ??? (in /usr/bin/php5)
==11594==    by 0x7504A9: ??? (in /usr/bin/php5)
==11594==    by 0x70A066: execute (in /usr/bin/php5)
==11594==    by 0x6A8EDB: zend_execute_scripts (in /usr/bin/php5)
==11594==    by 0x648752: php_execute_script (in /usr/bin/php5)
==11594==    by 0x753042: ??? (in /usr/bin/php5)
==11594==    by 0x431B2E: ??? (in /usr/bin/php5)
==11594==    by 0x7ABDEAC: (below main) (libc-start.c:244)
==11594==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==11594==
==11594==
==11594== Process terminating with default action of signal 11 (SIGSEGV)
==11594==  Access not within mapped region at address 0x18
==11594==    at 0x680A36: ??? (in /usr/bin/php5)
==11594==    by 0x680BFF: ??? (in /usr/bin/php5)
==11594==    by 0x7504A9: ??? (in /usr/bin/php5)
==11594==    by 0x70A066: execute (in /usr/bin/php5)
==11594==    by 0x6A8EDB: zend_execute_scripts (in /usr/bin/php5)
==11594==    by 0x648752: php_execute_script (in /usr/bin/php5)
==11594==    by 0x753042: ??? (in /usr/bin/php5)
==11594==    by 0x431B2E: ??? (in /usr/bin/php5)
==11594==    by 0x7ABDEAC: (below main) (libc-start.c:244)
==11594==  If you believe this happened as a result of a stack
==11594==  overflow in your program's main thread (unlikely but
==11594==  possible), you can try to increase the size of the
==11594==  main thread stack using the --main-stacksize= flag.
==11594==  The main thread stack size used in this run was 8388608.
Segmentation fault

It also produces a Code 139 on 3v4l.org with PHP 5.0.4, 5.0.5, 5.1.0 - 5.1.6,  5.4.0 - 5.5.26, 5.6.0 - 5.6.10.
 [2015-07-15 20:30 UTC] bwoebi@php.net
-Assigned To: dmitry +Assigned To: bwoebi
 [2015-07-15 20:33 UTC] bwoebi@php.net
-Summary: possible buffer overflow in php 7 +Summary: Use after free with assign by ref to overloaded objects
 [2015-07-15 20:36 UTC] bwoebi@php.net
Automatic comment on behalf of bobwei9@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0af07333520f65def3a72f31effa38c907e962f9
Log: Fixed bug #70083 (Use after free with assign by ref on overloaded objects)
 [2015-07-15 20:36 UTC] bwoebi@php.net
-Status: Assigned +Status: Closed
 [2015-07-15 20:52 UTC] brian dot carpenter at gmail dot com
So no comment on the unminimized version of this test case crashes PHP 5.0.4, 5.0.5, 5.1.0 - 5.1.6,  5.4.0 - 5.5.26, 5.6.0 - 5.6.10? Should I open a new bug for those? Seems like it might be important.
 [2015-07-15 20:55 UTC] bwoebi@php.net
PHP 5.5 and below are in sec-fixes only mode. I fixed the bug in PHP 5.6 though; just didn't seem to be auto-added here:

http://git.php.net/?p=php-src.git;a=commitdiff;h=0af07333520f65def3a72f31effa38c907e962f9
 [2015-07-21 14:20 UTC] ab@php.net
Automatic comment on behalf of bobwei9@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0af07333520f65def3a72f31effa38c907e962f9
Log: Fixed bug #70083 (Use after free with assign by ref on overloaded objects)
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of bobwei9@hotmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0af07333520f65def3a72f31effa38c907e962f9
Log: Fixed bug #70083 (Use after free with assign by ref on overloaded objects)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 09:01:30 2024 UTC