Bug #70327 segfault in xbuf_format_converter at spprintf.c:204
Submitted: 2015-08-22 17:25 UTC Modified: 2015-08-22 17:29 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 7.0Git-2015-08-22 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-08-22 17:25 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.0.0-dev (cli) (built: Aug 19 2015 16:48:48) with AFL, I found this script that causes a segfault in xbuf_format_converter (spprintf.c:204).

Test script:
---------------
<?php
// Fuzzer-minimised reproducer. The function passes its own name to
// array_filter() over $GLOBALS, so every element triggers a recursive
// call. The local $_ is undefined in each call, so `!$_` raises a
// notice at every level (ZEND_BOOL_NOT -> zend_error_noreturn in the
// backtrace), and the C stack is exhausted while the error-reporting
// path formats the message in xbuf_format_converter().
function SG0s0G00000y0G0h(){
    ($___=__FUNCTION__)&&!$_ and list($_)=array_values(array_filter($GLOBALS,$___))and
    0?(0):((0));
}
SG0s0G00000y0G0h();

Expected result:
----------------
No crash.

Actual result:
--------------
The GDB output goes on infinitely:

Program received signal SIGSEGV, Segmentation fault.
0x00000000011e3562 in xbuf_format_converter ()
(gdb) bt
#0  0x00000000011e3562 in xbuf_format_converter ()
#1  0x00000000011e974c in vspprintf ()
#2  0x00000000011ca899 in php_error_cb ()
#3  0x000000000043e7f1 in zend_error_noreturn ()
    at /home/geeknik/php-src/Zend/zend.c:1166
#4  0x00000000016419a5 in ZEND_BOOL_NOT_SPEC_CV_HANDLER ()
    at /home/geeknik/php-src/Zend/zend_execute.c:252
#5  0x00000000015e3ec3 in execute_ex ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:406
#6  0x00000000013bdd02 in zend_call_function ()
#7  0x0000000000f7f413 in zif_array_filter ()
#8  0x0000000001634545 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:577
#9  0x00000000015e3ec3 in execute_ex ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:406
#10 0x00000000013bdd02 in zend_call_function ()
#11 0x0000000000f7f413 in zif_array_filter ()
#12 0x0000000001634545 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:577
#13 0x00000000015e3ec3 in execute_ex ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:406
#14 0x00000000013bdd02 in zend_call_function ()
#15 0x0000000000f7f413 in zif_array_filter ()
#16 0x0000000001634545 in ZEND_DO_ICALL_SPEC_HANDLER ()

valgrind -q ~/php-src/sapi/cli/php test00-min
==63869== Stack overflow in thread #1: can't grow stack to 0xffe801000
==63869== 
==63869== Process terminating with default action of signal 11 (SIGSEGV)
==63869==  Access not within mapped region at address 0xFFE801EF8
==63869== Stack overflow in thread #1: can't grow stack to 0xffe801000
==63869==    at 0x11E3562: xbuf_format_converter (spprintf.c:204)
==63869==  If you believe this happened as a result of a stack
==63869==  overflow in your program's main thread (unlikely but
==63869==  possible), you can try to increase the size of the
==63869==  main thread stack using the --main-stacksize= flag.
==63869==  The main thread stack size used in this run was 8388608.
==63869== Stack overflow in thread #1: can't grow stack to 0xffe801000
==63869== 
==63869== Process terminating with default action of signal 11 (SIGSEGV)
==63869==  Access not within mapped region at address 0xFFE801EE8
==63869== Stack overflow in thread #1: can't grow stack to 0xffe801000
==63869==    at 0x4A22620: _vgnU_freeres (vg_preloaded.c:58)
==63869==  If you believe this happened as a result of a stack
==63869==  overflow in your program's main thread (unlikely but
==63869==  possible), you can try to increase the size of the
==63869==  main thread stack using the --main-stacksize= flag.
==63869==  The main thread stack size used in this run was 8388608.
Segmentation fault
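The recursion in the reporter's script, as an added PHP example that is not part of the bug report: the self-calling array_filter() callback is written out readably and bounded by a depth counter, so it stops with an exception well before the C stack is exhausted. The function name and the MAX_DEPTH bound are assumptions chosen here for illustration.

```php
<?php
// Added example, not the reporter's script: same recursion pattern
// (a callback that hands its own name to array_filter() over $GLOBALS),
// but with a depth guard so it fails cleanly instead of overflowing.
// MAX_DEPTH is an arbitrary bound chosen for illustration.
const MAX_DEPTH = 50;

function filter_globals_recursively(): array
{
    // Statics are shared across recursive calls, so this counts
    // how many nested invocations are currently on the stack.
    static $depth = 0;

    if (++$depth > MAX_DEPTH) {
        // In the original script nothing stops the recursion: each
        // level adds VM, array_filter() and callback frames until
        // the stack runs out inside the error formatter.
        throw new RuntimeException("recursion depth exceeded " . MAX_DEPTH);
    }
    try {
        // array_filter() invokes the callback once per element of
        // $GLOBALS; the callback is this function, which calls
        // array_filter() again, so the first element already recurses.
        return array_values(array_filter($GLOBALS, __FUNCTION__));
    } finally {
        // Runs on both normal return and exception propagation, so
        // the counter is accurate after the exception unwinds.
        --$depth;
    }
}

try {
    filter_globals_recursively();
} catch (RuntimeException $e) {
    echo "Stopped safely: ", $e->getMessage(), PHP_EOL;
}
```

Run with `php` on the command line; the guard turns what would be a SIGSEGV into a single caught exception, which is the kind of bound any code that lets user-controlled data pick a callback should enforce.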

 [2015-08-22 17:29 UTC] bwoebi@php.net
-Status: Open +Status: Not a bug
 [2015-08-22 17:29 UTC] bwoebi@php.net
Typical stack overflow, not a bug.