Bug #71843 null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:3479)
Submitted: 2016-03-17 09:16 UTC Modified: 2016-03-17 10:30 UTC
From: brian dot carpenter at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2016-03-17 (Git) OS: Debian 8.2 x64
Private report: No CVE-ID: None
 [2016-03-17 09:16 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.1.0-dev (cli) (built: Mar 16 2016 17:03:41) with American Fuzzy Lop, I encountered a null pointer dereference and segfault. 

Test script:
---------------
<?0&~e&~r;6&&~_?>

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/out/4/crashes$ valgrind -q ~/php-src/sapi/cli/php test01
==55572== Invalid write of size 8
==55572==    at 0x1877A42: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:3479)
==55572==    by 0x1615532: execute_ex (zend_vm_execute.h:423)
==55572==    by 0x187F654: zend_execute (zend_vm_execute.h:467)
==55572==    by 0x14520D7: zend_execute_scripts (zend.c:1427)
==55572==    by 0x11FFE8F: php_execute_script (main.c:2487)
==55572==    by 0x18888E4: do_cli (php_cli.c:974)
==55572==    by 0x4507F0: main (php_cli.c:1344)
==55572==  Address 0x3 is not stack'd, malloc'd or (recently) free'd
==55572== 
==55572== 
==55572== Process terminating with default action of signal 11 (SIGSEGV)
==55572==  Access not within mapped region at address 0x3
==55572==    at 0x1877A42: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:3479)
==55572==    by 0x1615532: execute_ex (zend_vm_execute.h:423)
==55572==    by 0x187F654: zend_execute (zend_vm_execute.h:467)
==55572==    by 0x14520D7: zend_execute_scripts (zend.c:1427)
==55572==    by 0x11FFE8F: php_execute_script (main.c:2487)
==55572==    by 0x18888E4: do_cli (php_cli.c:974)
==55572==    by 0x4507F0: main (php_cli.c:1344)
==55572==  If you believe this happened as a result of a stack
==55572==  overflow in your program's main thread (unlikely but
==55572==  possible), you can try to increase the size of the
==55572==  main thread stack using the --main-stacksize= flag.
==55572==  The main thread stack size used in this run was 8388608.
Segmentation fault

(gdb) r test01
Starting program: /home/geeknik/php-src/sapi/cli/php test01
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000001877a42 in ZEND_RETURN_SPEC_CONST_HANDLER () at /home/geeknik/php-src/Zend/zend_vm_execute.h:3479
3479				ZVAL_COPY_VALUE(EX(return_value), retval_ptr);
(gdb) bt
#0  0x0000000001877a42 in ZEND_RETURN_SPEC_CONST_HANDLER () at /home/geeknik/php-src/Zend/zend_vm_execute.h:3479
#1  0x0000000001615533 in execute_ex (ex=<optimized out>) at /home/geeknik/php-src/Zend/zend_vm_execute.h:423
#2  0x000000000187f655 in zend_execute (op_array=op_array@entry=0x7ffff6085140, return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:467
#3  0x00000000014520d8 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=-167694288, file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1427
#4  0x00000000011ffe90 in php_execute_script (primary_file=0x7fffffffcf10) at /home/geeknik/php-src/main/main.c:2487
#5  0x00000000018888e5 in do_cli (argc=4, argv=0x1) at /home/geeknik/php-src/sapi/cli/php_cli.c:974
#6  0x00000000004507f1 in main (argc=4, argv=0x1) at /home/geeknik/php-src/sapi/cli/php_cli.c:1344
(gdb) list
3474					zval_dtor_func_for_ptr(Z_COUNTED_P(free_op1));
3475				}
3476			}
3477		} else {
3478			if ((IS_CONST & (IS_CONST|IS_TMP_VAR))) {
3479				ZVAL_COPY_VALUE(EX(return_value), retval_ptr);
3480				if (IS_CONST == IS_CONST) {
3481					if (UNEXPECTED(Z_OPT_COPYABLE_P(EX(return_value)))) {
3482						zval_copy_ctor_func(EX(return_value));
3483					}

History

 [2016-03-17 10:30 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2016-03-17 10:30 UTC] laruence@php.net
Actually, this also has problems in 5.6,

which could be fixed by:

diff --git a/ext/opcache/Optimizer/block_pass.c b/ext/opcache/Optimizer/block_pass.c
index c146d0c..bf3f144 100644
--- a/ext/opcache/Optimizer/block_pass.c
+++ b/ext/opcache/Optimizer/block_pass.c
@@ -716,8 +716,11 @@ static void zend_optimize_block(zend_code_block *block, zend_op_array *op_array,
                        if (src->opcode == ZEND_BOOL) {
                                if (ZEND_OP1_TYPE(src) == IS_CONST) {
                                        literal_dtor(&ZEND_OP1_LITERAL(src));
+                         } else if (ZEND_OP1_TYPE(src) == IS_TMP_VAR) {
+                                 src->opcode = ZEND_FREE;
+                         } else {
+                                 MAKE_NOP(src);
                                }
-                           MAKE_NOP(src);
                                MAKE_NOP(opline);
                        }
                }
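Review bot: in the IS_CONST branch of the new if/else chain, `literal_dtor(&ZEND_OP1_LITERAL(src))` now runs without the `MAKE_NOP(src)` that the removed unconditional line used to provide, so after this pass a ZEND_BOOL whose operand was a constant is left in place with op1 still typed IS_CONST and pointing at a destroyed literal. Either add `MAKE_NOP(src);` right after the `literal_dtor(...)` call in that branch, or keep the unconditional `MAKE_NOP(src)` and let only the IS_TMP_VAR case override it with `src->opcode = ZEND_FREE`. A one-line comment on why the final `else` (which now also catches IS_VAR and IS_CV operands) may be NOPed while IS_TMP_VAR must become a FREE would help the next reader, since the hunk only makes sense if the temporary is the one operand this opline owns.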

thanks
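The patch above turns a dead ZEND_BOOL into ZEND_FREE when its operand is a temporary, instead of deleting it outright. The following is an added illustration, not php-src code and not the exact crash mechanism from the report: a toy linear IR with refcounted temporaries shows the ownership invariant the fix enforces. An instruction that consumes a temporary also releases it, so an optimizer that replaces such an instruction with a NOP drops the release and leaves the temporary alive at RETURN, while replacing it with FREE keeps the release. The opcode and operand names, the `leaked_temps` function and the three-instruction program are all constructed for this example.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Operand kinds, mirroring the three cases the patch distinguishes
   (constant literal, temporary, everything else). */
typedef enum { OPD_CONST, OPD_TMP, OPD_CV } opd_kind;

/* Toy opcodes: LOAD_TMP materialises a temporary, BOOL consumes its operand
   and (conceptually) produces a boolean, FREE only consumes, RETURN ends. */
typedef enum { OP_NOP, OP_LOAD_TMP, OP_BOOL, OP_FREE, OP_RETURN } opcode;

typedef struct {
    opcode   op;
    opd_kind kind;  /* kind of operand 1 */
    int      slot;  /* temporary slot, meaningful only for OPD_TMP */
} op_t;

#define NSLOTS 4

/* Execute a short program and return how many temporaries are still alive
   when RETURN is reached (0 means every temp was released exactly once). */
static int run(const op_t *ops, int n) {
    int refcount[NSLOTS];
    memset(refcount, 0, sizeof refcount);
    for (int i = 0; i < n; i++) {
        switch (ops[i].op) {
        case OP_NOP:
            break;
        case OP_LOAD_TMP:
            refcount[ops[i].slot] = 1;          /* temp is now owned by the VM */
            break;
        case OP_BOOL:                           /* BOOL and FREE both consume a TMP operand */
        case OP_FREE:
            if (ops[i].kind == OPD_TMP) {
                assert(refcount[ops[i].slot] > 0);   /* double release would be a bug too */
                refcount[ops[i].slot]--;
            }
            break;                              /* CONST and CV operands are not owned here */
        case OP_RETURN: {
            int live = 0;
            for (int s = 0; s < NSLOTS; s++) live += refcount[s] > 0;
            return live;
        }
        }
    }
    return -1;  /* no RETURN reached: malformed program */
}

/* Optimizer step: the BOOL at index i has an unused result, so remove it.
   patched == 0 models the old code (always NOP);
   patched != 0 models the patch (NOP for CONST/CV operands, FREE for TMP). */
static void fold_dead_bool(op_t *ops, int i, int patched) {
    if (patched && ops[i].kind == OPD_TMP)
        ops[i].op = OP_FREE;   /* keep the release, drop only the boolean conversion */
    else
        ops[i].op = OP_NOP;
}

/* Constructed program: a temp-producing expression whose boolean value is
   never used, then a return of a constant. */
int leaked_temps(int patched) {
    op_t prog[] = {
        { OP_LOAD_TMP, OPD_TMP,   0 },  /* t0 = <some temporary-producing expression> */
        { OP_BOOL,     OPD_TMP,   0 },  /* (bool) t0, result unused */
        { OP_RETURN,   OPD_CONST, 0 },  /* return <constant> */
    };
    fold_dead_bool(prog, 1, patched);
    return run(prog, 3);
}

int main(void) {
    printf("old fold (NOP):    %d temp(s) still alive at RETURN\n", leaked_temps(0));
    printf("patched fold (FREE): %d temp(s) still alive at RETURN\n", leaked_temps(1));
    return 0;
}
```

The model only tracks ownership; in the real engine a temporary that is never released, or a slot that is later reused while stale, is what turns an optimizer bookkeeping slip into the invalid write seen in ZEND_RETURN_SPEC_CONST_HANDLER above.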
 [2016-03-17 13:26 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8e2f658f49c76c9feed894414fb3a8edb27beef0
Log: Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER)
 [2016-03-17 13:26 UTC] laruence@php.net
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC