Bug #42817 buffer under- and overflow on clone(null)+array_push()
Submitted: 2007-10-01 17:13 UTC Modified: 2007-10-04 23:49 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: victor dot stinner at inl dot fr Assigned: iliaa (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.4 OS: Linux
Private report: No CVE-ID: None
 [2007-10-01 17:13 UTC] victor dot stinner at inl dot fr
Description:
------------
Hi,

I found a critical bug (security issue) in my web application. The 
code to reproduce it is quite simple (see above). With apache, the 
result is a line in error.log: [notice] child pid 14988 exit signal 
Segmentation fault (11).

My config: Ubuntu Feisty on Intel Celeron M 420 (32-bit).

Victor Stinner
http://www.inl.fr/

Reproduce code:
---------------
<?php $a = clone(null); array_push($a->b, $c); ?>

Expected result:
----------------
no crash

Actual result:
--------------
Warning: array_push(): First argument should be an array in 
crash.php on line 3
---------------------------------------
/home/haypo/php-5.2.4/Zend/zend_variables.c(175) : Block 0x084774b8 
status:
/home/haypo/php-5.2.4/Zend/zend_execute.h(70) : Actual location 
(location was relayed)
Beginning:      Freed (magic=0x00000000, expected=0x99954317)
    Start:      Overflown (magic=0x084774A4 instead of 0x496A04CC)
                At least 4 bytes overflown
      End:      Overflown (magic=0x00000000 instead of 0x39D5CB7E)
                At least 4 bytes overflown
---------------------------------------
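The "Freed / Overflown" lines above come from the Zend memory manager built with --enable-debug, which wraps every allocation in magic words and checks them on release. As an added illustration of that detection technique (this is example code written for this page, not the bug report's code and not Zend's allocator), the following C program implements a minimal guarded allocator with a head guard, a tail guard and a freed-state marker, then triggers the three fault classes the report lists. The struct layout, function names (dbg_malloc, dbg_free, dbg_check, dbg_report) and magic constants are this example's own; the constants were chosen to mirror the values printed in the report but carry no other meaning.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sentinel values (this example's own, not Zend's). */
#define LIVE_MAGIC  0x99954317u   /* block is allocated */
#define FREED_MAGIC 0x00000000u   /* block has been released */
#define START_MAGIC 0x496A04CCu   /* guard word just before user data */
#define END_MAGIC   0x39D5CB7Eu   /* guard word just after user data */

enum {
    GUARD_OK             = 0,
    GUARD_FREED          = 1,   /* "Beginning: Freed" */
    GUARD_START_OVERFLOW = 2,   /* "Start: Overflown" (write before the block) */
    GUARD_END_OVERFLOW   = 4    /* "End: Overflown" (write past the block) */
};

/* Header placed directly before user memory. `start` is deliberately the
 * last field so a one-byte underflow hits the guard, not struct padding. */
typedef struct {
    size_t   size;
    uint32_t state;
    uint32_t start;
} block_hdr;

static block_hdr *hdr_of(void *p) {
    return (block_hdr *)((char *)p - sizeof(block_hdr));
}

void *dbg_malloc(size_t size) {
    block_hdr *h = malloc(sizeof *h + size + sizeof(uint32_t));
    if (h == NULL) return NULL;
    h->size = size;
    h->state = LIVE_MAGIC;
    h->start = START_MAGIC;
    char *user = (char *)(h + 1);
    uint32_t end = END_MAGIC;
    memcpy(user + size, &end, sizeof end);   /* tail guard may be unaligned */
    return user;
}

/* Mark the block freed but keep it mapped (a quarantine that never recycles)
 * so a later dbg_check can still attribute a write to it. The leak is
 * deliberate for the demo; a real allocator would bound the quarantine. */
void dbg_free(void *p) {
    if (p != NULL) hdr_of(p)->state = FREED_MAGIC;
}

/* Returns an OR of GUARD_* flags describing what happened to the block. */
int dbg_check(void *p) {
    block_hdr *h = hdr_of(p);
    uint32_t end;
    int flags = GUARD_OK;
    if (h->state != LIVE_MAGIC) flags |= GUARD_FREED;
    if (h->start != START_MAGIC) flags |= GUARD_START_OVERFLOW;
    memcpy(&end, (char *)p + h->size, sizeof end);
    if (end != END_MAGIC) flags |= GUARD_END_OVERFLOW;
    return flags;
}

/* Print a report in the same shape as the one quoted in the bug. */
void dbg_report(const char *where, void *p) {
    int f = dbg_check(p);
    printf("%s : Block %p\n", where, p);
    printf("Beginning:  %s (magic=0x%08X, expected=0x%08X)\n",
           (f & GUARD_FREED) ? "Freed" : "OK", hdr_of(p)->state, LIVE_MAGIC);
    printf("    Start:  %s\n", (f & GUARD_START_OVERFLOW) ? "Overflown" : "OK");
    printf("      End:  %s\n", (f & GUARD_END_OVERFLOW) ? "Overflown" : "OK");
}

/* Three faults of the kind the report shows; each returns the check flags. */
int demo_end_overflow(void) {
    char *p = dbg_malloc(8);
    memset(p, 'A', 12);            /* 4 bytes past an 8-byte block */
    int f = dbg_check(p);
    dbg_free(p);
    return f;
}

int demo_start_underflow(void) {
    char *p = dbg_malloc(8);
    p[-1] = 0;                     /* clobbers the last byte of the head guard */
    int f = dbg_check(p);
    dbg_free(p);
    return f;
}

int demo_use_after_free(void) {
    char *p = dbg_malloc(8);
    dbg_free(p);
    memset(p, 0, 8);               /* payload write after free; guards intact */
    return dbg_check(p);
}

int main(void) {
    char *p = dbg_malloc(8);
    memset(p, 'A', 12);            /* overflow, then free: same combination as the bug */
    dbg_free(p);
    dbg_report("demo.c(1)", p);
    return 0;
}
```

The design point worth noting is that the guards only catch corruption when something later looks at them: like Zend's debug build, this allocator reports at check time, not at the moment of the bad write, so the block named in a report is where the damage was found, not necessarily where it was caused (the report above says "location was relayed" for the same reason).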


 [2007-10-02 14:56 UTC] victor dot stinner at inl dot fr
Hmm, I forgot to specify the PHP version: 5.2.4 (latest). I compiled it 
from source with "./configure --enable-debug" to 
detect the overflow.

Victor Stinner
 [2007-10-02 14:57 UTC] misc at inl dot fr
I can also reproduce the problem on a box running Mandriva 2007.0, with this version of PHP:
apache-mod_php-5.1.6-2mdv2007.0

and I have this error in the log:

[Tue Oct 02 16:51:35 2007] [error] [client 194.167.18.244] PHP Warning:  __clone method called on non-object in /home/users/misc/public_html/test.php on line 1
[Tue Oct 02 16:51:35 2007] [error] [client 194.167.18.244] PHP Warning:  array_push() [<a href='function.array-push'>function.array-push</a>]: First argument should be an array in /home/users/misc/public_html/test.php on line 1
[Tue Oct 02 16:51:36 2007] [notice] child pid 30185 exit signal Segmentation fault (11)
 [2007-10-04 23:26 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 [2007-10-04 23:49 UTC] victor dot stinner at inl dot fr
"Bug fixed in CVS", great! I saw that you added 3 unit tests:
<?php $a = clone(null); array_push($a->b, $c); ?>
<?php $foo = clone(array()); ?>
<?php $a = clone 0; $a[0]->b = 0; ?>

So there are more cases than just the one in my bug report :-) I 
hope that the next release will be released quickly because my 
error.log is full of segfault messages :-)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC