php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #54332 Crash in zend_mm_check_ptr // Heap corruption
Submitted: 2011-03-21 09:27 UTC Modified: 2011-07-11 05:48 UTC
From: decoder-php at own-hero dot net Assigned: dmitry (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3.6 OS: Linux x86-64
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: decoder-php at own-hero dot net
New email:
PHP Version: OS:

 

 [2011-03-21 09:27 UTC] decoder-php at own-hero dot net
Description:
------------
The attached code causes a crash with memory corruption on PHP 5.3.6 (tested on 64 bit debug).

Test script:
---------------
<?php
number_format(1e300, 2006, '', ' ');
?>

Actual result:
--------------
==20238== Invalid read of size 8
==20238==    at 0x7B9570: zend_mm_check_ptr (zend_alloc.c:1357)
==20238==    by 0x7BB273: _zend_mm_realloc_int (zend_alloc.c:2055)
==20238==    by 0x7BC4AB: _erealloc (zend_alloc.c:2371)
==20238==    by 0x77006B: xbuf_format_converter (spprintf.c:775)
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030331B: ???
==20238==  Address 0x3030303030302fe8 is not stack'd, malloc'd or (recently) free'd
==20238== 
==20238== 
==20238== Process terminating with default action of signal 11 (SIGSEGV)
==20238==  General Protection Fault


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-10 14:39 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2011-07-11 05:48 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2011-07-11 05:48 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8171e1d81e14ff881e27ba0dc8dd67dad1d0ea05
Log: Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
 [2012-07-24 23:41 UTC] rasmus@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8171e1d81e14ff881e27ba0dc8dd67dad1d0ea05
Log: Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of dmitry
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8171e1d81e14ff881e27ba0dc8dd67dad1d0ea05
Log: Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 08:01:28 2024 UTC