|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2015-11-12 04:18 UTC] laruence@php.net
-Assigned To:
+Assigned To: ab
[2015-11-12 06:19 UTC] laruence@php.net
[2015-11-12 06:19 UTC] laruence@php.net
-Status: Assigned
+Status: Closed
[2015-11-12 06:39 UTC] laruence@php.net
[2016-07-20 11:35 UTC] davey@php.net
[2016-07-20 11:35 UTC] davey@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Dec 21 11:01:30 2024 UTC |
Description: ------------ This might be related to #70895 which was just fixed, however, the crash points to a different location despite the test case similarities. Regardless, this was found while fuzzing PHP 7.1.0-dev (cli) (built: Nov 12 2015 01:37:06) ( NTS ) with American Fuzzy Lop. Test script: --------------- <?php function i(){(0);}function m($f,$a){return array_map($f,0);}echo implode(m("",m("",m("",m("",m("0000000000000000000000000000000000",(""))))))); Expected result: ---------------- No crash. PHP 5.4.45-0+deb7u2 (cli) (built: Oct 17 2015 08:26:31) returns the following: PHP Warning: array_map() expects parameter 1 to be a valid callback, function '0000000000000000000000000000000000' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 PHP Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 PHP Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 PHP Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 PHP Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 PHP Warning: implode(): Argument must be an array in /home/geeknik/php-tmp/out/crashes/test00 on line 1 Actual result: -------------- Warning: array_map() expects parameter 1 to be a valid callback, function '0000000000000000000000000000000000' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 Program received signal SIGBUS, Bus error. zend_mm_alloc_small (bin_num=8, heap=0x7ffff6000040, size=<optimized out>) at /home/geeknik/php-src/Zend/zend_alloc.c:1291 1291 heap->free_slot[bin_num] = p->next_free_slot; (gdb) bt #0 zend_mm_alloc_small (bin_num=8, heap=0x7ffff6000040, size=<optimized out>) at /home/geeknik/php-src/Zend/zend_alloc.c:1291 #1 zend_mm_alloc_heap (size=<optimized out>, heap=0x7ffff6000040) at /home/geeknik/php-src/Zend/zend_alloc.c:1358 #2 zend_mm_realloc_heap (heap=0x7ffff6000040, ptr=<optimized out>, size=<optimized out>, copy_size=<optimized out>) at /home/geeknik/php-src/Zend/zend_alloc.c:1454 #3 0x0000000001329805 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffaa10, is_char=is_char@entry=1 '\001', fmt=0x1cea044 "s: %s", ap=ap@entry=0x7fffffffaa50) at /home/geeknik/php-src/main/spprintf.c:818 #4 0x000000000132b7fc in vspprintf (pbuf=0x7fffffffab98, max_len=0, format=<optimized out>, ap=ap@entry=0x7fffffffaa50) at /home/geeknik/php-src/main/spprintf.c:847 #5 0x000000000132bc3a in spprintf (pbuf=pbuf@entry=0x7fffffffab98, max_len=max_len@entry=0, format=format@entry=0x1cea043 "%s: %s") at /home/geeknik/php-src/main/spprintf.c:871 #6 0x000000000043fed3 in php_verror (docref=0x7ffff6070100 "function.implode", params=params@entry=0x1d00f2f "", type=2, format=<optimized out>, args=args@entry=0x7fffffffac00) at /home/geeknik/php-src/main/main.c:855 #7 0x0000000000440b16 in php_error_docref0 (docref=<optimized out>, type=<optimized out>, format=<optimized out>) at /home/geeknik/php-src/main/main.c:896 #8 0x0000000001796b79 in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x7ffff6013030) at /home/geeknik/php-src/Zend/zend_vm_execute.h:586 #9 0x0000000001722558 in execute_ex (ex=<optimized out>) at /home/geeknik/php-src/Zend/zend_vm_execute.h:417 #10 0x00000000018f25eb in zend_execute (op_array=op_array@entry=0x7ffff607f000, return_value=return_value@entry=0x0) at /home/geeknik/php-src/Zend/zend_vm_execute.h:458 #11 0x00000000015665e1 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/geeknik/php-src/Zend/zend.c:1428 #12 0x00000000013176b8 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd270) at /home/geeknik/php-src/main/main.c:2471 #13 0x00000000018fa5d5 in do_cli (argc=2, argv=0x20739e0) at /home/geeknik/php-src/sapi/cli/php_cli.c:974 #14 0x0000000000469035 in main (argc=2, argv=0x20739e0) at /home/geeknik/php-src/sapi/cli/php_cli.c:1345 %%% valgrind -q ~/php-src/sapi/cli/php test00 ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F0EBE: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x164DB9E: zend_register_default_exception (zend_exceptions.c:862) ==19727== by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F125D: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x164DB9E: zend_register_default_exception (zend_exceptions.c:862) ==19727== by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F0EBE: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x164E01D: zend_register_default_exception (zend_exceptions.c:880) ==19727== by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F125D: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x164E01D: zend_register_default_exception (zend_exceptions.c:880) ==19727== by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F0EBE: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x164E1DF: zend_register_default_exception (zend_exceptions.c:884) ==19727== by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F125D: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x164E1DF: zend_register_default_exception (zend_exceptions.c:884) ==19727== by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F0EBE: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x164E3AE: zend_register_default_exception (zend_exceptions.c:888) ==19727== by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F125D: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x164E3AE: zend_register_default_exception (zend_exceptions.c:888) ==19727== by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F0EBE: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x164E57A: zend_register_default_exception (zend_exceptions.c:892) ==19727== by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F125D: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x164E57A: zend_register_default_exception (zend_exceptions.c:892) ==19727== by 0x1706A75: zend_register_default_classes (zend_default_classes.c:34) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F0EBE: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x16A45AC: zend_register_generator_ce (zend_generators.c:1124) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== ==19727== Conditional jump or move depends on uninitialised value(s) ==19727== at 0x15F125D: zend_hash_find (zend_hash.c:439) ==19727== by 0x171683C: zend_do_inheritance (zend_inheritance.c:602) ==19727== by 0x158E35A: zend_register_internal_class_ex (zend_API.c:2682) ==19727== by 0x16A45AC: zend_register_generator_ce (zend_generators.c:1124) ==19727== by 0x161B6B9: zm_startup_core (zend_builtin_functions.c:340) ==19727== by 0x157F517: zend_startup_module_ex (zend_API.c:1849) ==19727== by 0x15DC2C5: zend_hash_apply (zend_hash.c:1464) ==19727== by 0x1583FA5: zend_startup_modules (zend_API.c:1975) ==19727== by 0x1314EE9: php_module_startup (main.c:2194) ==19727== by 0x18F5DA4: php_cli_startup (php_cli.c:423) ==19727== by 0x468487: main (php_cli.c:1325) ==19727== Warning: array_map() expects parameter 1 to be a valid callback, function '0000000000000000000000000000000000' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in /home/geeknik/php-tmp/out/crashes/test00 on line 1 ==19727== Invalid read of size 8 ==19727== at 0x14686D4: zend_mm_realloc_heap (zend_alloc.c:1291) ==19727== by 0x1329804: xbuf_format_converter (spprintf.c:818) ==19727== by 0x132B7FB: vspprintf (spprintf.c:847) ==19727== by 0x132BC39: spprintf (spprintf.c:871) ==19727== by 0x43FED2: php_verror (main.c:855) ==19727== by 0x440B15: php_error_docref0 (main.c:896) ==19727== by 0x1796B78: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) ==19727== by 0x1722557: execute_ex (zend_vm_execute.h:417) ==19727== by 0x18F25EA: zend_execute (zend_vm_execute.h:458) ==19727== by 0x15665E0: zend_execute_scripts (zend.c:1428) ==19727== by 0x13176B7: php_execute_script (main.c:2471) ==19727== by 0x18FA5D4: do_cli (php_cli.c:974) ==19727== Address 0x2061206562206f74 is not stack'd, malloc'd or (recently) free'd ==19727== ==19727== ==19727== Process terminating with default action of signal 11 (SIGSEGV) ==19727== General Protection Fault ==19727== at 0x14686D4: zend_mm_realloc_heap (zend_alloc.c:1291) ==19727== by 0x1329804: xbuf_format_converter (spprintf.c:818) ==19727== by 0x132B7FB: vspprintf (spprintf.c:847) ==19727== by 0x132BC39: spprintf (spprintf.c:871) ==19727== by 0x43FED2: php_verror (main.c:855) ==19727== by 0x440B15: php_error_docref0 (main.c:896) ==19727== by 0x1796B78: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) ==19727== by 0x1722557: execute_ex (zend_vm_execute.h:417) ==19727== by 0x18F25EA: zend_execute (zend_vm_execute.h:458) ==19727== by 0x15665E0: zend_execute_scripts (zend.c:1428) ==19727== by 0x13176B7: php_execute_script (main.c:2471) ==19727== by 0x18FA5D4: do_cli (php_cli.c:974) Segmentation fault