Bug #69868 Invalid read of size 1 in zend_compile_short_circuiting
Submitted: 2015-06-18 08:18 UTC Modified: 2015-06-18 09:08 UTC
From: arjen at react dot com Assigned: bwoebi (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.0Git-2015-06-18 (Git) OS:
Private report: No CVE-ID: None
 [2015-06-18 08:18 UTC] arjen at react dot com
Description:
------------
Valgrind reports invalid read.

USE_ZEND_ALLOC=0 valgrind --tool=memcheck --smc-check=all --error-limit=no --num-callers=30 --track-origins=yes --num-callers=30 --leak-check=full php-src/sapi/cli/php shortcircuit.php

Caused by https://github.com/php/php-src/commit/3cfa58367b1b85d346d9be6cf9ae116c63571247

Test script:
---------------
<?php

class A
{
	public static function get(array $v, $r)
	{
		if (!isset($r))
			return array_shift($v);

		foreach ($r['allowed'] as $allowed)
		{
			if (in_array($allowed, $v))
				return $allowed;

			foreach ($v as $version)
				if (0 === strpos($version, $allowed .'.'))
					return $version;
		}


		foreach ($r['ranges'] as $range)
		{
			foreach ($v as $version)
			{
				if ($range['min'] != '' && version_compare($range['min'], $version, '>'))
					continue;

				if ($range['max'] != '' && version_compare($range['max'], $version, '<') && (0 !== strpos($version, $range['max'] .'.')))
					continue;

				if (in_array($version, $r['blocked']))
					continue;

				return $version;
			}
		}
	}
}


Expected result:
----------------
No invalid read.

Actual result:
--------------
==12725== Invalid read of size 1
==12725==    at 0x9261AA: zend_compile_short_circuiting (zend_compile.c:5914)
==12725==    by 0x929691: zend_compile_expr (zend_compile.c:7013)
==12725==    by 0x91FD69: zend_compile_if (zend_compile.c:3851)
==12725==    by 0x9291A2: zend_compile_stmt (zend_compile.c:6904)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9227DC: zend_compile_func_decl (zend_compile.c:4717)
==12725==    by 0x9291EB: zend_compile_stmt (zend_compile.c:6917)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9239A8: zend_compile_class_decl (zend_compile.c:5122)
==12725==    by 0x92922C: zend_compile_stmt (zend_compile.c:6929)
==12725==    by 0x928E8A: zend_compile_top_stmt (zend_compile.c:6839)
==12725==    by 0x928E6C: zend_compile_top_stmt (zend_compile.c:6834)
==12725==    by 0x8F13CF: compile_file (zend_language_scanner.l:607)
==12725==    by 0x7711D8: phar_compile_file (phar.c:3310)
==12725==    by 0x947185: zend_execute_scripts (zend.c:1383)
==12725==    by 0x8B88B0: php_execute_script (main.c:2475)
==12725==    by 0xA04906: do_cli (php_cli.c:967)
==12725==    by 0xA058CE: main (php_cli.c:1334)
==12725==  Address 0xc3eb2ff is 2,015 bytes inside a block of size 2,048 free'd
==12725==    at 0x4C2C29E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12725==    by 0x9146C3: _erealloc (zend_alloc.c:2233)
==12725==    by 0x932BA1: op_array_alloc_ops (zend_opcode.c:48)
==12725==    by 0x933EA0: get_next_op (zend_opcode.c:433)
==12725==    by 0x91CD1E: zend_compile_args (zend_compile.c:2761)
==12725==    by 0x91CF19: zend_compile_call_common (zend_compile.c:2821)
==12725==    by 0x91E36B: zend_compile_call (zend_compile.c:3220)
==12725==    by 0x929986: zend_compile_var (zend_compile.c:7100)
==12725==    by 0x9295A1: zend_compile_expr (zend_compile.c:6980)
==12725==    by 0x9258D7: zend_compile_binary_op (zend_compile.c:5728)
==12725==    by 0x929631: zend_compile_expr (zend_compile.c:6998)
==12725==    by 0x9260A9: zend_compile_short_circuiting (zend_compile.c:5897)
==12725==    by 0x929691: zend_compile_expr (zend_compile.c:7013)
==12725==    by 0x91FD69: zend_compile_if (zend_compile.c:3851)
==12725==    by 0x9291A2: zend_compile_stmt (zend_compile.c:6904)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9227DC: zend_compile_func_decl (zend_compile.c:4717)
==12725==    by 0x9291EB: zend_compile_stmt (zend_compile.c:6917)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9239A8: zend_compile_class_decl (zend_compile.c:5122)
==12725== 
==12725== Invalid read of size 4
==12725==    at 0x926231: zend_compile_short_circuiting (zend_compile.c:5914)
==12725==    by 0x929691: zend_compile_expr (zend_compile.c:7013)
==12725==    by 0x91FD69: zend_compile_if (zend_compile.c:3851)
==12725==    by 0x9291A2: zend_compile_stmt (zend_compile.c:6904)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9227DC: zend_compile_func_decl (zend_compile.c:4717)
==12725==    by 0x9291EB: zend_compile_stmt (zend_compile.c:6917)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9239A8: zend_compile_class_decl (zend_compile.c:5122)
==12725==    by 0x92922C: zend_compile_stmt (zend_compile.c:6929)
==12725==    by 0x928E8A: zend_compile_top_stmt (zend_compile.c:6839)
==12725==    by 0x928E6C: zend_compile_top_stmt (zend_compile.c:6834)
==12725==    by 0x8F13CF: compile_file (zend_language_scanner.l:607)
==12725==    by 0x7711D8: phar_compile_file (phar.c:3310)
==12725==    by 0x947185: zend_execute_scripts (zend.c:1383)
==12725==    by 0x8B88B0: php_execute_script (main.c:2475)
==12725==    by 0xA04906: do_cli (php_cli.c:967)
==12725==    by 0xA058CE: main (php_cli.c:1334)
==12725==  Address 0xc3eb2f0 is 2,000 bytes inside a block of size 2,048 free'd
==12725==    at 0x4C2C29E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12725==    by 0x9146C3: _erealloc (zend_alloc.c:2233)
==12725==    by 0x932BA1: op_array_alloc_ops (zend_opcode.c:48)
==12725==    by 0x933EA0: get_next_op (zend_opcode.c:433)
==12725==    by 0x91CD1E: zend_compile_args (zend_compile.c:2761)
==12725==    by 0x91CF19: zend_compile_call_common (zend_compile.c:2821)
==12725==    by 0x91E36B: zend_compile_call (zend_compile.c:3220)
==12725==    by 0x929986: zend_compile_var (zend_compile.c:7100)
==12725==    by 0x9295A1: zend_compile_expr (zend_compile.c:6980)
==12725==    by 0x9258D7: zend_compile_binary_op (zend_compile.c:5728)
==12725==    by 0x929631: zend_compile_expr (zend_compile.c:6998)
==12725==    by 0x9260A9: zend_compile_short_circuiting (zend_compile.c:5897)
==12725==    by 0x929691: zend_compile_expr (zend_compile.c:7013)
==12725==    by 0x91FD69: zend_compile_if (zend_compile.c:3851)
==12725==    by 0x9291A2: zend_compile_stmt (zend_compile.c:6904)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9227DC: zend_compile_func_decl (zend_compile.c:4717)
==12725==    by 0x9291EB: zend_compile_stmt (zend_compile.c:6917)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9239A8: zend_compile_class_decl (zend_compile.c:5122)
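The trace above shows the read at zend_compile.c:5914 landing inside a block that op_array_alloc_ops() had already freed through realloc while a nested zend_compile_expr() call emitted more oplines. As an added illustration (not code from the report or from php-src), the reduced C model below reproduces that pattern without dereferencing freed memory: a zend_op pointer held across a call that can grow the opcode array, beside the index-based form that stays valid. The struct layouts, the OP_* numbers and the forced move on growth are this example's own simplifications.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Reduced model of the compiler's opline storage (not php-src's real structs). */
typedef struct { int opcode; uint32_t result_var; } zend_op;
typedef struct { zend_op *opcodes; uint32_t last, size; } zend_op_array;
enum { OP_NOP = 0, OP_JMPZ_EX = 2 };   /* hypothetical opcode numbers */

/* Models op_array_alloc_ops()/get_next_op(): when full the array grows, and the
 * growth always moves it (as erealloc may), so an earlier zend_op* now dangles. */
static zend_op *get_next_op(zend_op_array *oa) {
    if (oa->last == oa->size) {
        uint32_t nsize = oa->size ? oa->size * 2 : 1;
        zend_op *grown = malloc(nsize * sizeof(zend_op));
        if (!grown) abort();
        if (oa->opcodes) memcpy(grown, oa->opcodes, oa->last * sizeof(zend_op));
        free(oa->opcodes);                     /* old oplines are gone from here on */
        oa->opcodes = grown;
        oa->size = nsize;
    }
    zend_op *op = &oa->opcodes[oa->last++];
    memset(op, 0, sizeof *op);
    return op;
}

/* Stands in for zend_compile_expr() on the right operand of && / ||: it emits
 * rhs_ops oplines and therefore may grow (and move) the array. */
static void compile_rhs(zend_op_array *oa, int rhs_ops) {
    for (int i = 0; i < rhs_ops; i++) get_next_op(oa)->opcode = OP_NOP;
}

/* The hazard in the report: a zend_op* kept across compile_rhs(). Rather than
 * dereference the stale pointer, report 1 when it no longer matches the opline. */
static int jmpz_pointer_went_stale(zend_op_array *oa, int rhs_ops) {
    uintptr_t saved = (uintptr_t)get_next_op(oa);  /* JMPZ_EX opline pointer */
    uint32_t opnum_jmpz = oa->last - 1;
    compile_rhs(oa, rhs_ops);
    return saved != (uintptr_t)&oa->opcodes[opnum_jmpz];
}

/* Safe pattern: keep the opline *number*, compile the operand, then look the
 * opline up again through oa->opcodes before patching its jump target. */
static int compile_short_circuit_safe(zend_op_array *oa, int rhs_ops) {
    uint32_t opnum_jmpz = oa->last;
    get_next_op(oa)->opcode = OP_JMPZ_EX;
    compile_rhs(oa, rhs_ops);                      /* may move oa->opcodes */
    zend_op *jmpz = &oa->opcodes[opnum_jmpz];      /* re-resolve after growth */
    jmpz->result_var = oa->last;                   /* target: the next opline */
    return jmpz->opcode;                           /* still OP_JMPZ_EX */
}
```

Running the model under valgrind with the pointer dereferenced instead of compared gives the same "inside a block ... free'd" report shape as above, which is the signal to look for when a compiler or parser keeps raw pointers into a growable array.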


 [2015-06-18 09:08 UTC] kalle@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: bwoebi
 [2015-06-18 09:08 UTC] kalle@php.net
Hi Bob, as you were the committer of the patch, could you give your input on this?
 [2015-06-18 09:51 UTC] arjen at react dot com
This also fails:

<?php

$a = ['test' => true];

if (isset($a['test']) && 0)
	echo "failure";
else
	echo "success";
 [2015-06-18 12:01 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c58c5e779a3ef32e8cf4c18890982403210abff3
Log: Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting)
 [2015-06-18 12:01 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c58c5e779a3ef32e8cf4c18890982403210abff3
Log: Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c58c5e779a3ef32e8cf4c18890982403210abff3
Log: Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC