Bug #71834 PharData segfault with possible null ptr deref in spprintf.c
Submitted: 2016-03-15 22:00 UTC
Modified: 2017-09-21 01:28 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 1 (0.0%)
From: brian dot carpenter at gmail dot com
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 7.0Git-2016-03-15 (Git)
OS: Debian 8.2 x64
Private report: No
CVE-ID: None
 [2016-03-15 22:00 UTC] brian dot carpenter at gmail dot com
Description:
------------
This script, created and minimized by American Fuzzy Lop, triggers a segfault in PHP 7.1.0-dev. Looking at the output from gdb, there might also be a null ptr deref happening in xbuf_format_converter (spprintf.c:818), but please correct me if I'm wrong with that diagnosis.

Test script:
---------------
<?php
$e=new PharData('0.0/000000000000000000000000000000000000000000/0000000000000000000000000@000000000',0);

Expected result:
----------------
No crash. PHP 5.6.17-0+deb8u1 responds with the following:

geeknik@debian:~/php-tmp/out/4/crashes$ php test11
zend_mm_heap corrupted

geeknik@debian:~/php-tmp/out/4/crashes$ USE_ZEND_ALLOC=0 php test11
PHP Fatal error:  Uncaught exception 'UnexpectedValueException' with message 'RecursiveDirectoryIterator::__construct(phar://...@00000): failed to open dir: operation failed' in /home/geeknik/php-tmp/out/4/crashes/test11:2
Stack trace:
#0 [internal function]: RecursiveDirectoryIterator->__construct('phar:///home/ge...', 0)
#1 /home/geeknik/php-tmp/out/4/crashes/test11(2): PharData->__construct('0.0/00000000000...', 0)
#2 {main}
  thrown in /home/geeknik/php-tmp/out/4/crashes/test11 on line 2

Actual result:
--------------
valgrind -q ~/php-src/sapi/cli/php test11
==95687== Invalid read of size 8
==95687==    at 0x1364848: zend_mm_alloc_small (zend_alloc.c:1291)
==95687==    by 0x1364848: zend_mm_alloc_heap (zend_alloc.c:1362)
==95687==    by 0x1364848: zend_mm_realloc_heap (zend_alloc.c:1458)
==95687==    by 0x1364848: _erealloc (zend_alloc.c:2475)
==95687==    by 0x12103D8: xbuf_format_converter (spprintf.c:818)
==95687==    by 0x12120DB: vspprintf (spprintf.c:847)
==95687==    by 0x1212519: spprintf (spprintf.c:871)
==95687==    by 0x43D93E: php_verror (main.c:866)
==95687==    by 0x43EAF9: php_error_docref1 (main.c:921)
==95687==    by 0x12795D3: php_stream_display_wrapper_errors (streams.c:207)
==95687==    by 0x1287021: _php_stream_opendir (streams.c:1994)
==95687==    by 0xECED36: spl_filesystem_dir_open (spl_directory.c:236)
==95687==    by 0xEDC279: spl_filesystem_object_construct (spl_directory.c:724)
==95687==    by 0xEDC279: zim_spl_RecursiveDirectoryIterator___construct (spl_directory.c:1563)
==95687==    by 0x13EA210: zend_call_function (zend_execute_API.c:878)
==95687==    by 0x152B677: zend_call_method (zend_interfaces.c:103)
==95687==  Address 0x7461726574497972 is not stack'd, malloc'd or (recently) free'd
==95687== 
==95687== 
==95687== Process terminating with default action of signal 11 (SIGSEGV)
==95687==  General Protection Fault
==95687==    at 0x1364848: zend_mm_alloc_small (zend_alloc.c:1291)
==95687==    by 0x1364848: zend_mm_alloc_heap (zend_alloc.c:1362)
==95687==    by 0x1364848: zend_mm_realloc_heap (zend_alloc.c:1458)
==95687==    by 0x1364848: _erealloc (zend_alloc.c:2475)
==95687==    by 0x12103D8: xbuf_format_converter (spprintf.c:818)
==95687==    by 0x12120DB: vspprintf (spprintf.c:847)
==95687==    by 0x1212519: spprintf (spprintf.c:871)
==95687==    by 0x43D93E: php_verror (main.c:866)
==95687==    by 0x43EAF9: php_error_docref1 (main.c:921)
==95687==    by 0x12795D3: php_stream_display_wrapper_errors (streams.c:207)
==95687==    by 0x1287021: _php_stream_opendir (streams.c:1994)
==95687==    by 0xECED36: spl_filesystem_dir_open (spl_directory.c:236)
==95687==    by 0xEDC279: spl_filesystem_object_construct (spl_directory.c:724)
==95687==    by 0xEDC279: zim_spl_RecursiveDirectoryIterator___construct (spl_directory.c:1563)
==95687==    by 0x13EA210: zend_call_function (zend_execute_API.c:878)
==95687==    by 0x152B677: zend_call_method (zend_interfaces.c:103)
Segmentation fault


(gdb) r test11
Starting program: /home/geeknik/php-src/sapi/cli/php test11
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (size=<optimized out>, bin_num=8, heap=0x7ffff6000040)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1291
1291			heap->free_slot[bin_num] = p->next_free_slot;
(gdb) bt
#0  zend_mm_alloc_small (size=<optimized out>, bin_num=8, heap=0x7ffff6000040)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1291
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x7ffff6000040)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1362
#2  zend_mm_realloc_heap (copy_size=<optimized out>, size=<optimized out>, 
    ptr=0x0, heap=0x7ffff6000040)
    at /home/geeknik/php-src/Zend/zend_alloc.c:1458
#3  _erealloc (ptr=0x0, size=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_alloc.c:2475
#4  0x00000000012103d9 in xbuf_format_converter (xbuf=0x7fffffffa140, 
    is_char=8 '\b', is_char@entry=1 '\001', 
    fmt=0x1 <error: Cannot access memory at address 0x1>, ap=0x4)
    at /home/geeknik/php-src/main/spprintf.c:818
#5  0x00000000012120dc in vspprintf (pbuf=0x7fffffffa2a8, max_len=0, 
    format=<optimized out>, ap=<optimized out>)
    at /home/geeknik/php-src/main/spprintf.c:847
#6  0x000000000121251a in spprintf (pbuf=<optimized out>, 
    max_len=<optimized out>, format=<optimized out>)
    at /home/geeknik/php-src/main/spprintf.c:871
#7  0x000000000043d93f in php_verror (
    docref=0x7ffff606a100 "recursivedirectoryiterator.construct", params=0x0, 
    type=30186880, format=0x1cc9d80 <bin_data_size> "\b", args=0x7ffff6000080, 
    args@entry=0x7fffffffa310) at /home/geeknik/php-src/main/main.c:866
#8  0x000000000043eafa in php_error_docref1 (docref=docref@entry=0x0, 
    param1=param1@entry=0x7ffff6085000 "phar://...@00000", type=type@entry=2, 
    format=format@entry=0x1c77a03 "%s: %s")
    at /home/geeknik/php-src/main/main.c:921
#9  0x00000000012795d4 in php_stream_display_wrapper_errors (
    wrapper=wrapper@entry=0x1fecc00 <php_stream_phar_wrapper>, 
    path=path@entry=0x7ffff6077018 "phar:///home/geeknik/php-tmp/out/4/crashes/0.0/", '0' <repeats 42 times>, "/", '0' <repeats 25 times>, "@00000", 
    caption=caption@entry=0x1cbb5af "failed to open dir")
    at /home/geeknik/php-src/main/streams/streams.c:207
#10 0x0000000001287022 in _php_stream_opendir (
    path=path@entry=0x7ffff6077018 "phar:///home/geeknik/php-tmp/out/4/crashes/0.0/", '0' <repeats 42 times>, "/", '0' <repeats 25 times>, "@00000", 
    options=options@entry=8, context=0x0)
    at /home/geeknik/php-src/main/streams/streams.c:1994
#11 0x0000000000eced37 in spl_filesystem_dir_open (
    intern=intern@entry=0x7ffff6078000, 
    path=0x7ffff6077018 "phar:///home/geeknik/php-tmp/out/4/crashes/0.0/", '0' <repeats 42 times>, "/", '0' <repeats 25 times>, "@00000")
    at /home/geeknik/php-src/ext/spl/spl_directory.c:236
#12 0x0000000000edc27a in spl_filesystem_object_construct (ctor_flags=1, 
    return_value=<optimized out>, execute_data=<optimized out>)
    at /home/geeknik/php-src/ext/spl/spl_directory.c:724
#13 zim_spl_RecursiveDirectoryIterator___construct (
    execute_data=<optimized out>, return_value=<optimized out>)
    at /home/geeknik/php-src/ext/spl/spl_directory.c:1563
#14 0x00000000013ea211 in zend_call_function (fci=fci@entry=0x7fffffffa6c0, 
    fci_cache=fci_cache@entry=0x7fffffffa690)
    at /home/geeknik/php-src/Zend/zend_execute_API.c:878
#15 0x000000000152b678 in zend_call_method (object=0x7ffff60130f0, 
    obj_ce=<optimized out>, fn_proxy=<optimized out>, 
    function_name=0x18b3f1d "__construct", function_name_len=<optimized out>, 
    retval_ptr=0x0, param_count=2, arg1=0x7fffffffa7f0, arg2=0x7fffffffa800)
    at /home/geeknik/php-src/Zend/zend_interfaces.c:103
#16 0x0000000000d6d652 in zim_Phar___construct (execute_data=0x5e4a0, 
    return_value=0x8) at /home/geeknik/php-src/ext/phar/phar_object.c:1219
#17 0x00000000017a1f0f in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:1027
#18 0x0000000001614533 in execute_ex (ex=<optimized out>)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:423
#19 0x000000000187e655 in zend_execute (
    op_array=op_array@entry=0x7ffff60732a0, 
    return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:467
#20 0x00000000014510d8 in zend_execute_scripts (type=type@entry=8, 
    retval=retval@entry=0x0, file_count=-167694288, file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1427
#21 0x00000000011ffe90 in php_execute_script (primary_file=0x7fffffffcf10)
    at /home/geeknik/php-src/main/main.c:2487
#22 0x00000000018878e1 in do_cli (argc=386208, argv=0x8)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:974
#23 0x00000000004507f1 in main (argc=386208, argv=0x8)
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1345
(gdb) list
1286		} while (0);
1287	#endif
1288	
1289		if (EXPECTED(heap->free_slot[bin_num] != NULL)) {
1290			zend_mm_free_slot *p = heap->free_slot[bin_num];
1291			heap->free_slot[bin_num] = p->next_free_slot;
1292			return (void*)p;
1293		} else {
1294			return zend_mm_alloc_small_slow(heap, bin_num ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
1295		}
(gdb) i r
rax            0x0	0
rbx            0x7ffff6000040	140737320583232
rcx            0x4	4
rdx            0x1cc9d80	30186880
rsi            0x8	8
rdi            0x5e4a0	386208
rbp            0x0	0x0
rsp            0x7fffffff97d0	0x7fffffff97d0
r8             0x7ffff6000080	140737320583296
r9             0x0	0
r10            0x0	0
r11            0x7461726574497972	8386109761208809842
r12            0x58228	361000
r13            0x20	32
r14            0x0	0
r15            0x8	8
rip            0x1364848	0x1364848 <_erealloc+8904>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs
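An added triage helper, not part of this report: it pulls the faulting address out of the valgrind output above and checks whether it decodes to printable ASCII, the sign that the allocator's free-list pointer read at zend_alloc.c:1291 was overwritten by string data rather than being a NULL pointer. The log excerpt is copied from this page; the function names are invented for the example.

```python
import re

# Constructed excerpt: lines copied from the valgrind and gdb output quoted above.
CRASH_LOG = """\
==95687== Invalid read of size 8
==95687==    at 0x1364848: zend_mm_alloc_small (zend_alloc.c:1291)
==95687==    by 0xEDC279: zim_spl_RecursiveDirectoryIterator___construct (spl_directory.c:1563)
==95687==  Address 0x7461726574497972 is not stack'd, malloc'd or (recently) free'd
r11            0x7461726574497972 8386109761208809842
"""

ADDR_RE = re.compile(r"Address (0x[0-9a-fA-F]+) is not stack'd")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def decode_pointer(value, byteorder="little"):
    """Return the 8 pointer bytes as text if every byte is printable ASCII, else None.
    x86-64 stores pointers little-endian, so a pointer slot overwritten by a
    string reads back as that string's bytes in memory order."""
    raw = value.to_bytes(8, byteorder)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def classify_fault_address(value):
    """Coarse triage of a faulting address taken from valgrind or gdb output."""
    if value == 0:
        return "null"
    if value < 0x10000:
        return "near-null (field offset from a NULL struct pointer)"
    if decode_pointer(value) is not None:
        return "ascii (pointer slot overwritten by string data: heap corruption)"
    return "other"

def find_source_string(log, text):
    """Identifiers in the log that contain the decoded text: candidates for the
    string whose copy overran into the allocator's free list."""
    return sorted({t for t in IDENT_RE.findall(log) if text in t})

def triage(log):
    """Extract every "Address ... is not stack'd" value and classify it."""
    results = []
    for m in ADDR_RE.finditer(log):
        addr = int(m.group(1), 16)
        text = decode_pointer(addr)
        results.append({"address": addr, "ascii": text,
                        "class": classify_fault_address(addr),
                        "candidates": find_source_string(log, text) if text else []})
    return results
```

On this report's value the decoder yields "ryIterat", a substring of DirectoryIterator, which fits the "zend_mm_heap corrupted" message PHP 5.6 prints for the same script.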

History

 [2017-09-21 01:28 UTC] brian dot carpenter at gmail dot com
-Status: Open +Status: Closed
 [2017-09-21 01:28 UTC] brian dot carpenter at gmail dot com
No longer reproduces.