Bug #72869 segfault zend_alloc.c:2104 (_zend_mm_free_int)
Submitted: 2016-08-17 19:45 UTC Modified: 2016-11-21 20:03 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.24 OS: Debian 8
Private report: No CVE-ID: None
 [2016-08-17 19:45 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.24 (x64) with American Fuzzy Lop, ASAN and libdislocator.so.


Test script:
---------------
<?php
$poc='a:4:{i:0;i:0;i:1;a:1:{i:0;O:4:"ryat":2:0s:4:"ryat";R:3;s:4:"chtg";i:0;}}i:1;i:0;i:0;R:5;}';$t=unserialize($poc);gc_collect_cycles();$l=ptr2str(0);$a=ptr2str();$f="";$f="";class ryat{var$t;var$g;function __destruct(){$this->chtg=$this->ryat;}}function ptr2str($ptr){$u='';for(;$i<8;$i++){$t=chr(0);$ptr=0;}return$t;}

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/crashers/070816$ ./php segfault__zend_mm_free_int

Warning: Missing argument 1 for ptr2str(), called in /home/geeknik/php-tmp/crashers/070816/segfault__zend_mm_free_int on line 2 and defined in /home/geeknik/php-tmp/crashers/070816/segfault__zend_mm_free_int on line 2
ASAN:SIGSEGV
=================================================================
==44044==ERROR: AddressSanitizer: SEGV on unknown address 0x7f05ce8ee640 (pc 0x0000014c7bb8 bp 0x7f05ce8ee640 sp 0x7fff6acb3230 T0)
    #0 0x14c7bb7 in _zend_mm_free_int /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2104:6
    #1 0x14ccb17 in _efree /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2440:2
    #2 0x15a6bc1 in _zval_dtor_func /home/geeknik/php-5.6.24/Zend/zend_variables.c:37:4
    #3 0x155991a in _zval_dtor /home/geeknik/php-5.6.24/Zend/zend_variables.h:35:2
    #4 0x155991a in i_zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute.h:79
    #5 0x155991a in _zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:424
    #6 0x15f4075 in zend_hash_destroy /home/geeknik/php-5.6.24/Zend/zend_hash.c:548:4
    #7 0x15a6c71 in _zval_dtor_func /home/geeknik/php-5.6.24/Zend/zend_variables.c:45:6
    #8 0x155991a in _zval_dtor /home/geeknik/php-5.6.24/Zend/zend_variables.h:35:2
    #9 0x155991a in i_zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute.h:79
    #10 0x155991a in _zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:424
    #11 0x15f4075 in zend_hash_destroy /home/geeknik/php-5.6.24/Zend/zend_hash.c:548:4
    #12 0x15a6c71 in _zval_dtor_func /home/geeknik/php-5.6.24/Zend/zend_variables.c:45:6
    #13 0x155991a in _zval_dtor /home/geeknik/php-5.6.24/Zend/zend_variables.h:35:2
    #14 0x155991a in i_zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute.h:79
    #15 0x155991a in _zval_ptr_dtor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:424
    #16 0x15f5185 in i_zend_hash_bucket_delete /home/geeknik/php-5.6.24/Zend/zend_hash.c:182:3
    #17 0x15f5185 in zend_hash_bucket_delete /home/geeknik/php-5.6.24/Zend/zend_hash.c:192
    #18 0x15f5581 in zend_hash_graceful_reverse_destroy /home/geeknik/php-5.6.24/Zend/zend_hash.c:613:3
    #19 0x155a230 in shutdown_executor /home/geeknik/php-5.6.24/Zend/zend_execute_API.c:244:3
    #20 0x15b0f83 in zend_deactivate /home/geeknik/php-5.6.24/Zend/zend.c:960:2
    #21 0x13b807e in php_request_shutdown /home/geeknik/php-5.6.24/main/main.c:1899:2
    #22 0x1908b17 in do_cli /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1177:3
    #23 0x190474d in main /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1378:18
    #24 0x7effccee5b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #25 0x5095ac in _start (/home/geeknik/php-5.6.24/sapi/cli/php+0x5095ac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/php-5.6.24/Zend/zend_alloc.c:2104 _zend_mm_free_int
==44044==ABORTING

History

 [2016-08-17 20:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-21 20:03 UTC] brian dot carpenter at gmail dot com
-Status: Open +Status: Closed
 [2016-11-21 20:03 UTC] brian dot carpenter at gmail dot com
Does not affect PHP 5.6.28, returns this error:

Warning: Missing argument 1 for ptr2str(), called in /root/tmp/1.php on line 2 and defined in /root/tmp/1.php on line 2