[2019-10-09 14:32 UTC] leigh@php.net
Description:
------------
Test script produces a SEGFAULT on branches PHP-7.3, PHP-7.4 and master but not in PHP-7.2. Compiled with `--disable-all`. Found using AFL.
In the test script by the time it gets to the string interpolation with "CCCC" the zval already appears to be corrupt.
The memory location of a stdClass object is on the end of the string instead of the requested characters.
Test script:
---------------
<?php
$c = function(){};
$scope = "AAAA";
$c->bindTo(new stdClass, $scope);
$scope = "{$scope}BBBB";
$c->bindTo(new stdClass, $scope);
$scope = "{$scope}CCCC"; // var_dump($scope); // string(12) "AAAABBBB"
$c->bindTo(new stdClass, $scope);
Expected result:
----------------
Exit code 0
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
zend_mm_gc (heap=0x7ffff7a00040) at /home/leigh/php-src/Zend/zend_alloc.c:1956
1956 ZEND_MM_CHECK(chunk->heap == heap, "zend_mm_heap corrupted");
(gdb) bt
#0 zend_mm_gc (heap=0x7ffff7a00040) at /home/leigh/php-src/Zend/zend_alloc.c:1956
#1 0x00005555557c950b in zend_mm_gc (heap=0x7ffff7a00040) at /home/leigh/php-src/Zend/zend_alloc.c:1946
#2 zend_mm_alloc_huge (heap=0x7ffff7a00040, size=93824997779152) at /home/leigh/php-src/Zend/zend_alloc.c:1808
#3 0x00005555557e73d1 in zend_string_alloc (persistent=0, len=93824997779120) at /home/leigh/php-src/Zend/zend_string.h:133
#4 zend_string_tolower_ex (str=0x7ffff7a6a938, persistent=persistent@entry=0) at /home/leigh/php-src/Zend/zend_operators.c:2686
#5 0x00005555557e29f7 in zend_lookup_class_ex (name=name@entry=0x7ffff7a6a938, key=key@entry=0x0, use_autoload=use_autoload@entry=1) at /home/leigh/php-src/Zend/zend_execute_API.c:851
#6 0x0000555555817293 in zim_Closure_bind (execute_data=<optimised out>, return_value=0x7fffffffa450) at /home/leigh/php-src/Zend/zend_closures.c:201
#7 0x000055555587375e in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:984
#8 execute_ex (ex=0x6262626261600000) at /home/leigh/php-src/Zend/zend_vm_execute.h:55493
#9 0x0000555555875230 in zend_execute (op_array=op_array@entry=0x7ffff7a7f2a0, return_value=0x0, return_value@entry=0x7ffff7a1d030) at /home/leigh/php-src/Zend/zend_vm_execute.h:60889
#10 0x00005555557f0239 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff7a1d030, retval@entry=0x0, file_count=file_count@entry=3) at /home/leigh/php-src/Zend/zend.c:1568
#11 0x000055555578f440 in php_execute_script (primary_file=<optimised out>) at /home/leigh/php-src/main/main.c:2639
#12 0x000055555587770e in do_cli (argc=2, argv=0x555555a96860) at /home/leigh/php-src/sapi/cli/php_cli.c:997
#13 0x0000555555648bcd in main (argc=2, argv=0x555555a96860) at /home/leigh/php-src/sapi/cli/php_cli.c:1389
<?php
$c = function(){};
$scope = "AAAA";
$scope = "{$scope}BBBB";
$c->bindTo(new stdClass, $scope);

Valgrind:
==15287== Invalid read of size 4
==15287==    at 0xA2A3CF: zend_gc_delref (zend_types.h:995)
==15287==    by 0xA2A6A4: i_zval_ptr_dtor (zend_variables.h:43)
==15287==    by 0xA2A91E: zval_ptr_dtor (zend_variables.c:111)
==15287==    by 0xA44610: _zend_hash_del_el_ex (zend_hash.c:1182)
==15287==    by 0xA446F0: _zend_hash_del_el (zend_hash.c:1205)
==15287==    by 0xA46034: zend_hash_graceful_reverse_destroy (zend_hash.c:1659)
==15287==    by 0xA14CDA: shutdown_executor (zend_execute_API.c:289)
==15287==    by 0xA2D1C8: zend_deactivate (zend.c:1104)
==15287==    by 0x9926EC: php_request_shutdown (main.c:1930)
==15287==    by 0xB0DBAA: do_cli (php_cli.c:1164)
==15287==    by 0xB0E419: main (php_cli.c:1389)
==15287==  Address 0x10ce6560 is 0 bytes inside a block of size 40 free'd
==15287==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15287==    by 0x9F5D9A: _efree (zend_alloc.c:2515)
==15287==    by 0xA2A832: zend_string_destroy (zend_variables.c:74)
==15287==    by 0xA2A731: rc_dtor_func (zend_variables.c:65)
==15287==    by 0xA8E215: zend_vm_stack_free_args (zend_execute.h:261)
==15287==    by 0xA988B5: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:999)
==15287==    by 0xB04EAD: execute_ex (zend_vm_execute.h:55493)
==15287==    by 0xB0A492: zend_execute (zend_vm_execute.h:60889)
==15287==    by 0xA2E798: zend_execute_scripts (zend.c:1568)
==15287==    by 0x993CDD: php_execute_script (main.c:2639)
==15287==    by 0xB0D2A2: do_cli (php_cli.c:997)
==15287==    by 0xB0E419: main (php_cli.c:1389)
==15287==  Block was alloc'd at
==15287==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15287==    by 0x9F6A42: __zend_malloc (zend_alloc.c:2908)
==15287==    by 0x9F5CF3: _emalloc (zend_alloc.c:2501)
==15287==    by 0xA8C90C: zend_string_alloc (zend_string.h:133)
==15287==    by 0xAEEFBF: ZEND_FAST_CONCAT_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:41068)
==15287==    by 0xB092FA: execute_ex (zend_vm_execute.h:59789)
==15287==    by 0xB0A492: zend_execute (zend_vm_execute.h:60889)
==15287==    by 0xA2E798: zend_execute_scripts (zend.c:1568)
==15287==    by 0x993CDD: php_execute_script (main.c:2639)
==15287==    by 0xB0D2A2: do_cli (php_cli.c:997)
==15287==    by 0xB0E419: main (php_cli.c:1389)
==15287==
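Added regression check for the Closure::bindTo() crash reported above; this is not code from the bug report or from php-src. It runs the reporter's test script (extended with a var_dump() after each bindTo() so a corrupted scope string is noticed even on a build that happens not to crash) in a child php process, so a segfault in the child cannot take down the checker. It assumes a POSIX shell and the CLI binary named by PHP_BINARY.

```php
<?php
// The test script from the report, with the scope string dumped after each bindTo().
// The "Class 'AAAA' not found" warning is expected and suppressed with @.
const REPRO = <<<'PHP'
<?php
$c = function () {};
$scope = "AAAA";
@$c->bindTo(new stdClass, $scope);
var_dump($scope);
$scope = "{$scope}BBBB";
@$c->bindTo(new stdClass, $scope);
var_dump($scope);
$scope = "{$scope}CCCC";
@$c->bindTo(new stdClass, $scope);
var_dump($scope);
PHP;

// What an unaffected build prints: each bindTo() leaves the scope string intact.
const EXPECTED = "string(4) \"AAAA\"\nstring(8) \"AAAABBBB\"\nstring(12) \"AAAABBBBCCCC\"\n";

// Runs REPRO under $php in a child process and classifies the outcome.
function checkBindToScope(string $php = PHP_BINARY): array
{
    $file = tempnam(sys_get_temp_dir(), 'bindto');
    file_put_contents($file, REPRO);
    // -n ignores php.ini, mirroring the minimal --disable-all build in the report.
    $cmd = escapeshellarg($php) . ' -n ' . escapeshellarg($file) . ' 2>&1';
    $lines = [];
    exec($cmd, $lines, $rc);
    unlink($file);
    $output = implode("\n", $lines) . "\n";
    if ($rc >= 128) {
        // A child killed by a signal is usually reported by the shell as 128 + signal (139 = SIGSEGV).
        return ['affected' => true, 'reason' => 'child killed by signal ' . ($rc - 128)];
    }
    if ($rc !== 0) {
        // Also covers a "zend_mm_heap corrupted" fatal error, which exits non-zero.
        return ['affected' => true, 'reason' => "child exited with code $rc"];
    }
    if ($output !== EXPECTED) {
        return ['affected' => true, 'reason' => "scope string corrupted:\n$output"];
    }
    return ['affected' => false, 'reason' => 'exit code 0 and scope string intact'];
}

$result = checkBindToScope();
printf("PHP %s: %s (%s)\n", PHP_VERSION, $result['affected'] ? 'AFFECTED' : 'ok', $result['reason']);
```

Pass a different binary path to checkBindToScope() to test a build other than the one running the checker.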