Bug #70089 segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
Submitted: 2015-07-17 05:14 UTC Modified: 2015-07-17 08:00 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-07-17 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-07-17 05:14 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.0.0-dev (cli) (built: July 15 2015 16:00:56) with AFL (http://lcamtuf.coredump.cx/afl/), I found this script that segfaults at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (). Most likely a null ptr dereference.

Test script:
---------------
<?php
// AFL-minimised test case: appending via [] to a string offset of the temporary string returned by chr(0) should raise a fatal error, not crash the engine
$a = ptr00tr(); [];
function ptr00tr() { for (;;) { $o = chr(0)[0][] = 0; } }

Expected result:
----------------
PHP 5.4.41-0+deb7u1 returns PHP Fatal error: Cannot use string offset as an array in test00-min on line 2.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000001657b93 in ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
(gdb) bt
#0  0x0000000001657b93 in ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
#1  0x00000000015dc493 in execute_ex ()
#2  0x00000000017fdee5 in zend_execute ()
#3  0x000000000141373c in zend_execute_scripts ()
#4  0x00000000011bf190 in php_execute_script ()
#5  0x0000000001805679 in do_cli ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:971
#6  0x000000000043e2f1 in main ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1338

History

 [2015-07-17 05:29 UTC] brian dot carpenter at gmail dot com
Valgrind was delayed due to having to compile a new version to get an accurate read on things:

==4945== Invalid read of size 4
==4945==    at 0x1657B93: ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16978)
==4945==    by 0x15DC492: execute_ex (zend_vm_execute.h:406)
==4945==    by 0x17FDEE4: zend_execute (zend_vm_execute.h:450)
==4945==    by 0x141373B: zend_execute_scripts (zend.c:1399)
==4945==    by 0x11BF18F: php_execute_script (main.c:2475)
==4945==    by 0x1805678: do_cli (php_cli.c:971)
==4945==    by 0x43E2F0: main (php_cli.c:1338)
==4945==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==4945== 
==4945== 
==4945== Process terminating with default action of signal 11 (SIGSEGV)
==4945==  Access not within mapped region at address 0x8
==4945==    at 0x1657B93: ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER (zend_vm_execute.h:16978)
==4945==    by 0x15DC492: execute_ex (zend_vm_execute.h:406)
==4945==    by 0x17FDEE4: zend_execute (zend_vm_execute.h:450)
==4945==    by 0x141373B: zend_execute_scripts (zend.c:1399)
==4945==    by 0x11BF18F: php_execute_script (main.c:2475)
==4945==    by 0x1805678: do_cli (php_cli.c:971)
==4945==    by 0x43E2F0: main (php_cli.c:1338)
==4945==  If you believe this happened as a result of a stack
==4945==  overflow in your program's main thread (unlikely but
==4945==  possible), you can try to increase the size of the
==4945==  main thread stack using the --main-stacksize= flag.
==4945==  The main thread stack size used in this run was 8388608.
Segmentation fault
 [2015-07-17 08:00 UTC] laruence@php.net
-Summary: segfault in PHP 7 at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER () +Summary: segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()
 [2015-07-17 08:01 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d07afd6c18f3d83ec21248d65a076b387aa05e9
Log: Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ())
 [2015-07-17 08:01 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-07-21 14:20 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d07afd6c18f3d83ec21248d65a076b387aa05e9
Log: Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ())
 [2016-07-20 11:37 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d07afd6c18f3d83ec21248d65a076b387aa05e9
Log: Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ())
Last updated: Wed Jan 22 19:01:31 2025 UTC