Bug #72705 AddressSanitizer: negative-size-param in zend_compile_stmt
Submitted: 2016-07-29 07:18 UTC Modified: 2020-01-03 09:53 UTC
From: pranjal dot jumde at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1Git-2016-07-29 (Git) OS: All
Private report: No CVE-ID: None

 [2016-07-29 07:18 UTC] pranjal dot jumde at gmail dot com
Description:
------------
==38807==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x1107632f2 in printf_common(void*, char const*, __va_list_tag*) (libclang_rt.asan_osx_dynamic.dylib+0x1b2f2)
    #1 0x110763c5b in wrap_vsprintf (libclang_rt.asan_osx_dynamic.dylib+0x1bc5b)
    #2 0x110764956 in wrap_sprintf (libclang_rt.asan_osx_dynamic.dylib+0x1c956)
    #3 0x10f89206f in zend_compile_stmt zend_compile.c:7785
    #4 0x10f8a9a86 in zend_compile_top_stmt zend_compile.c:7691
    #5 0x10f8a9a51 in zend_compile_top_stmt zend_compile.c:7686
    #6 0x10f816a14 in zend_compile zend_language_scanner.l:600
    #7 0x10f818713 in compile_string zend_language_scanner.l:765
    #8 0x10fbb90be in zend_include_or_eval zend_execute.c:2857

Test script:
---------------
<?php
ini_set('memory_limit', '-1');
$newClassName = str_repeat("a", 2147483647);

eval("class $newClassName {
    function hello() {
        return \"Hello\";
    }
};");
?>

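The size in the sanitizer report, -2147483648, is INT_MIN, which is what 2147483647 + 1 becomes when a length is carried in a 32-bit signed int. The following is an added example, not PHP's code and not a claim about which line in zend_compile.c overflowed: it contrasts that int-based size computation (hypothetical `buffer_size_int`) with a size_t-based check (hypothetical `buffer_size_checked` / `format_class_stub`) that refuses to format a name whose result could not fit the int returned by the printf family.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the reproducer's class name: str_repeat("a", 2147483647). */
#define REPRO_NAME_LEN ((size_t)2147483647)

/* Hypothetical "before" pattern (an assumption, not PHP's code): the length is
 * narrowed to a 32-bit int and one byte is added for the terminator.  For a
 * name of INT_MAX bytes the sum wraps to INT_MIN, the size=-2147483648 seen in
 * the report.  The wrap is done in unsigned arithmetic here to avoid
 * signed-overflow undefined behaviour; real code would usually just overflow. */
int buffer_size_int(size_t name_len) {
    uint32_t len = (uint32_t)name_len;     /* narrowing to a 32-bit length */
    return (int32_t)(len + 1u);            /* 2147483647 + 1 -> -2147483648 */
}

/* Hardened form: keep the length in size_t, reject size_t overflow, and also
 * reject totals above INT_MAX, because printf-family functions return an int
 * and the "%.*s" precision is an int. */
bool buffer_size_checked(size_t name_len, size_t *out) {
    const size_t overhead = sizeof("class  {") - 1;  /* "class " plus " {" */
    if (name_len > SIZE_MAX - overhead - 1) return false;
    size_t total = overhead + name_len + 1;          /* +1 for the NUL */
    if (total > (size_t)INT_MAX) return false;
    *out = total;
    return true;
}

/* Format "class <name> {" only when the checked size fits dst.
 * Returns bytes written (excluding NUL), or -1 when the input is refused. */
int format_class_stub(const char *name, size_t name_len, char *dst, size_t cap) {
    size_t need;
    if (!buffer_size_checked(name_len, &need) || need > cap) return -1;
    return snprintf(dst, cap, "class %.*s {", (int)name_len, name);
}

int main(void) {
    char buf[32];
    printf("int-based size for the reproducer: %d\n", buffer_size_int(REPRO_NAME_LEN));
    /* The checked path refuses before it ever reads the name, so "" is safe here. */
    printf("checked path accepts reproducer: %s\n",
           format_class_stub("", REPRO_NAME_LEN, buf, sizeof buf) < 0 ? "no" : "yes");
    printf("small name: \"%s\"\n",
           format_class_stub("Foo", 3, buf, sizeof buf) > 0 ? buf : "(refused)");
    return 0;
}
```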

History

 [2016-07-29 08:23 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-10-19 04:39 UTC] krakjoe@php.net
I'm not able to reproduce (because I don't have a 32bit machine).

I'm not sure that the trace looks like a bug in PHP: compile_stmt doesn't call any printing functions, so it looks like asan is trying to output some debugging string in compile_stmt, and it's asan itself that is overflowing, possibly.
 [2020-01-03 09:53 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-01-03 09:53 UTC] nikic@php.net
I can't repro this either. On a 32-bit build this OOMs when concating the string (thus never reaching the eval), on a 64-bit build it is clean under asan. I'm assuming this was already resolved in the meantime.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Sep 20 08:00:02 2025 UTC