Bug #74577 Memory corruption in zend_string_extend
Submitted: 2017-05-12 06:33 UTC Modified: 2017-05-12 06:46 UTC
From: whitehat002 at hotmail dot com Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.1.5 OS:
Private report: No CVE-ID: None
 [2017-05-12 06:33 UTC] whitehat002 at hotmail dot com
Description:
------------
This bug only exists in PHP 7. This can result in denial of service or other problems.

Test script:
---------------
<?php
// Lift the memory limit so the ~2 GiB allocation below is permitted.
ini_set('memory_limit', -1);
// Build a string of 0x7ffffe00 bytes (just under 2 GiB).
$a = str_repeat("a", 0x7ffffe00);
// Append it to itself: the requested length is 2 * 0x7ffffe00 = 0xfffffc00,
// the len= value that appears in the backtrace below.
$a .= $a;

Expected result:
----------------
no crash 

Actual result:
--------------
[----------------------------------registers-----------------------------------]
EAX: 0xfffffc00 
EBX: 0xb7013050 --> 0x36c00000 
ECX: 0x80000000 
EDX: 0x36c00010 
ESI: 0xb7013050 --> 0x36c00000 
EDI: 0x36c00000 
EBP: 0x7ffffe00 
ESP: 0xbfffc080 --> 0x0 
EIP: 0x83b7b09 (<concat_function+393>:	mov    DWORD PTR [edi+0x8],0x0)
EFLAGS: 0x210286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x83b7b00 <concat_function+384>:	mov    edi,eax
   0x83b7b02 <concat_function+386>:	mov    eax,DWORD PTR [esp+0x18]
   0x83b7b06 <concat_function+390>:	lea    edx,[edi+0x10]
=> 0x83b7b09 <concat_function+393>:	mov    DWORD PTR [edi+0x8],0x0
   0x83b7b10 <concat_function+400>:	mov    DWORD PTR [esp+0x2c],edx
   0x83b7b14 <concat_function+404>:	mov    DWORD PTR [edi+0xc],eax
   0x83b7b17 <concat_function+407>:	jmp    0x83b7a56 <concat_function+214>
   0x83b7b1c <concat_function+412>:	mov    ecx,DWORD PTR [esp+0x20]
[------------------------------------stack-------------------------------------]
0000| 0xbfffc080 --> 0x0 
0004| 0xbfffc084 --> 0x5 
0008| 0xbfffc088 --> 0xbfffc1a8 --> 0x1 
0012| 0xbfffc08c --> 0xbfffc110 --> 0xb70543f0 --> 0xb70543d8 --> 0xb70543a8 --> 0xb7054420 (--> ...)
0016| 0xbfffc090 --> 0xb705e320 --> 0x0 
0020| 0xbfffc094 --> 0x7ffffe00 
0024| 0xbfffc098 --> 0xfffffc00 
0028| 0xbfffc09c --> 0xb7013050 --> 0x36c00000 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
zend_string_extend (persistent=0x0, len=0xfffffc00, s=0x36c00000)
    at /root/php-7.1.5/Zend/zend_string.h:210
210				zend_string_forget_hash_val(ret);
gdb-peda$ bt
#0  zend_string_extend (persistent=0x0, len=0xfffffc00, s=0x36c00000)
    at /root/php-7.1.5/Zend/zend_string.h:210
#1  concat_function (result=0xb7013050, op1=0xb7013050, op2=0xb7013050)
    at /root/php-7.1.5/Zend/zend_operators.c:1759
#2  0x08439dba in zend_binary_assign_op_helper_SPEC_CV_CV (
    binary_op=0x83b7980 <concat_function>, execute_data=0xb7013020)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:44196
#3  0x0840969e in execute_ex (ex=0xb7013020)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:432
#4  0x08457abf in zend_execute (op_array=0xb7069180, return_value=0x0)
    at /root/php-7.1.5/Zend/zend_vm_execute.h:474
#5  0x083c1890 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3)
    at /root/php-7.1.5/Zend/zend.c:1476
#6  0x08362cad in php_execute_script (primary_file=0xbfffe464)
    at /root/php-7.1.5/main/main.c:2537
#7  0x08459bd4 in do_cli (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:993
#8  0x080785ad in main (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:1381
#9  0xb791daf3 in __libc_start_m
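The registers and backtrace above come from a 32-bit build: the concatenated length 0xfffffc00 (2 * 0x7ffffe00) still fits in a 32-bit size_t, so the wrap has to happen in the allocation-size arithmetic that follows, not in the length addition itself. The following C program is an added example, not code from the report or from PHP's own source. It models that arithmetic with explicit 32-bit types so it behaves the same on a 64-bit host: a 16-byte string header (the disassembly's `lea edx,[edi+0x10]` places the character data at offset 0x10, and `mov DWORD PTR [edi+0x8],0x0` is the hash reset at offset 8), an assumed 8-byte allocator granularity and an assumed 4096-byte page rounding for huge blocks. Which of these rounding steps PHP's allocator actually performs is an assumption here; the point is that for this length the request wraps to zero, and that every step of the same computation can be guarded so the concatenation is refused instead of producing an undersized block.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for size_t on the 32-bit build seen in the bug report. */
typedef uint32_t size32_t;

#define HDR_SIZE    16u    /* string header: data pointer is at [edi+0x10] in the disassembly */
#define ALLOC_ALIGN 8u     /* assumed small-block alignment of the allocator */
#define PAGE_SIZE   4096u  /* assumed page granularity for huge blocks */

/* Round n up to a multiple of a (a power of two). Wraps to 0 when n is within a of UINT32_MAX. */
static size32_t align_up(size32_t n, size32_t a) {
    return (n + a - 1u) & ~(a - 1u);
}

/* Unchecked request size for a string of len bytes: header + len + NUL,
 * rounded to the allocator granularity and then to a page. Wraps silently. */
static size32_t string_alloc_request_unchecked(size32_t len) {
    size32_t s = align_up(HDR_SIZE + len + 1u, ALLOC_ALIGN);
    return align_up(s, PAGE_SIZE);
}

/* Checked version: every addition that can wrap is tested first.
 * Returns false instead of producing a wrapped (undersized) request. */
static bool string_alloc_request_checked(size32_t len, size32_t *out) {
    if (len > UINT32_MAX - HDR_SIZE - 1u) {
        return false;                            /* header + len + 1 would wrap */
    }
    size32_t s = HDR_SIZE + len + 1u;
    if (s > UINT32_MAX - (PAGE_SIZE - 1u)) {
        return false;                            /* page rounding would wrap */
    }
    *out = align_up(align_up(s, ALLOC_ALIGN), PAGE_SIZE);
    return true;
}

/* Checked concatenation length: refuse if op1_len + op2_len wraps or if the
 * resulting string could not be allocated without wrapping. */
static bool concat_len_checked(size32_t op1_len, size32_t op2_len, size32_t *out_len) {
    if (op1_len > UINT32_MAX - op2_len) {
        return false;                            /* length addition would wrap */
    }
    size32_t total = op1_len + op2_len;
    size32_t request;
    if (!string_alloc_request_checked(total, &request)) {
        return false;
    }
    *out_len = total;
    return true;
}

int main(void) {
    const size32_t op_len = 0x7ffffe00u;   /* str_repeat("a", 0x7ffffe00) from the report */
    size32_t total = op_len + op_len;      /* 0xfffffc00, the len= in the backtrace */
    size32_t accepted;

    printf("concat length        : 0x%08x\n", total);
    printf("unchecked request    : 0x%08x\n", string_alloc_request_unchecked(total));
    printf("checked  (2 GiB x 2) : %s\n",
           concat_len_checked(op_len, op_len, &accepted) ? "accepted" : "refused (overflow)");
    printf("checked  (100 + 200) : %s\n",
           concat_len_checked(100u, 200u, &accepted) ? "accepted" : "refused");
    return 0;
}
```

Running it prints an unchecked request of 0x00000000 for the report's lengths: 16 + 0xfffffc00 + 1 = 0xfffffc11 rounds to 0xfffffc18, and rounding that to a page boundary adds 0xfff and wraps past 32 bits. The checked path refuses the same input at the page-rounding test while still accepting ordinary sizes, which is the behaviour a concatenation routine needs so that a wrapped size never reaches the allocator.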

 [2017-05-12 06:46 UTC] requinix@php.net
-Status: Open +Status: Duplicate
 [2017-05-12 06:46 UTC] requinix@php.net
Duplicate of bug #73122
 [2018-02-28 18:34 UTC] contacto at agora-security dot com
Hello,

Has this issue been fixed?
I don't see any reference about it in the Changelog:
http://www.php.net/ChangeLog-7.php#7.1.5
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Tue Mar 11 19:01:31 2025 UTC