PHP :: Bug #75034 :: memory corrupton

Bug #75034	memory corrupton
Submitted:	2017-08-04 04:31 UTC	Modified:	2017-08-04 05:49 UTC
From:	zhihua dot yao at dbappsecurity dot com dot cn	Assigned:
Status:	Duplicate	Package:	Reproducible crash
PHP Version:	7.1.8	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	zhihua dot yao at dbappsecurity dot com dot cn
New email:
PHP Version:		OS:

New/Additional Comment:

[2017-08-04 04:31 UTC] zhihua dot yao at dbappsecurity dot com dot cn

Description:
------------
It cause deinal of service.

Test script:
---------------
<?php
class A {
       
         public $a;
         
         public function __destruct() {
              $this->a=new A ;               
        }
        
}


$class=unserialize('O:8:"stdClass":1:{s:1:"a";O:1:"A":0:{}}');


Expected result:
----------------
NO CRASH 

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0xbf800000 
EBX: 0xbf8002d0 
ECX: 0xbf800270 
EDX: 0xb454db8c --> 0xb440300c --> 0x6d697402 
ESI: 0xb440300c --> 0x6d697402 
EDI: 0x0 
EBP: 0xbf800158 
ESP: 0xbf7fffb0 
EIP: 0x9ba47c8 (<zend_call_function+72>:	mov    DWORD PTR [ebp-0x18c],eax)
EFLAGS: 0x210282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x9ba47b6 <zend_call_function+54>:	lea    eax,[ebp-0x158]
   0x9ba47bc <zend_call_function+60>:	sub    esp,0x19c
   0x9ba47c2 <zend_call_function+66>:	mov    edi,DWORD PTR ds:0xac55ca0
=> 0x9ba47c8 <zend_call_function+72>:	mov    DWORD PTR [ebp-0x18c],eax
   0x9ba47ce <zend_call_function+78>:	test   edi,edi
   0x9ba47d0 <zend_call_function+80>:	
    jne    0x9bae338 <zend_call_function+39864>
   0x9ba47d6 <zend_call_function+86>:	xchg   ax,ax
   0x9ba47d8 <zend_call_function+88>:	lea    esp,[esp-0x10]
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0xbf7fffb0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x09ba47c8 in zend_call_function (fci=0xbf800270, fci_cache=0xbf8001f0)
    at /home/hjy/Desktop/php-7.1.8/Zend/zend_execute_API.c:677
677	{

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-08-04 04:37 UTC] zhihua dot yao at dbappsecurity dot com dot cn

Please closed,duplicate report.

[2017-08-04 05:49 UTC] requinix@php.net

-Status: Open +Status: Duplicate

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 10:00:01 2025 UTC