Bug #74593 crash in i_zval_ptr_dtor()
Submitted: 2017-05-15 08:20 UTC Modified: 2017-09-10 21:34 UTC
Votes:4
Avg. Score:3.5 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: whitehat002 at hotmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 7.1.5 OS:
Private report: No CVE-ID: None
 [2017-05-15 08:20 UTC] whitehat002 at hotmail dot com
Description:
------------
The bug is related to bug #74310. But I find the bug still exists in PHP 7.1.5, which is the latest version.

Test script:
---------------
<?php
$array=array();
$$array[99999999]=$Array="AAA";
$$array[1]=$$Array="BBB";


Expected result:
----------------
no crash 

Actual result:
--------------
root@hackyzh-virtual-machine:~# gdb -q --args ./php-7.1.5/sapi/cli/php -n  poc2.php 
Reading symbols from /root/php-7.1.5/sapi/cli/php...done.
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 100000020 bytes) in /root/poc2.php on line 4

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0xb7013060 --> 0xb0e00000 
EBX: 0x8a8ae48 --> 0x1 
ECX: 0xb0e00000 
EDX: 0x0 
ESI: 0xc0 
EDI: 0xb70561c8 --> 0x0 
EBP: 0xb70561c0 --> 0xb7013060 --> 0xb0e00000 
ESP: 0xbfffe06c --> 0x83d205c (<zend_hash_graceful_reverse_destroy+300>:	mov    eax,DWORD PTR [esp+0x14])
EIP: 0x83b1d12 (<zend_unclean_zval_ptr_dtor+18>:	mov    edx,DWORD PTR [ecx])
EFLAGS: 0x210202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x83b1d0a <zend_unclean_zval_ptr_dtor+10>:	test   BYTE PTR [eax+0x9],0x4
   0x83b1d0e <zend_unclean_zval_ptr_dtor+14>:	
    je     0x83b1d32 <zend_unclean_zval_ptr_dtor+50>
   0x83b1d10 <zend_unclean_zval_ptr_dtor+16>:	mov    ecx,DWORD PTR [eax]
=> 0x83b1d12 <zend_unclean_zval_ptr_dtor+18>:	mov    edx,DWORD PTR [ecx]
   0x83b1d14 <zend_unclean_zval_ptr_dtor+20>:	sub    edx,0x1
   0x83b1d17 <zend_unclean_zval_ptr_dtor+23>:	test   edx,edx
   0x83b1d19 <zend_unclean_zval_ptr_dtor+25>:	mov    DWORD PTR [ecx],edx
   0x83b1d1b <zend_unclean_zval_ptr_dtor+27>:	
    je     0x83b1d40 <zend_unclean_zval_ptr_dtor+64>
[------------------------------------stack-------------------------------------]
0000| 0xbfffe06c --> 0x83d205c (<zend_hash_graceful_reverse_destroy+300>:	mov    eax,DWORD PTR [esp+0x14])
0004| 0xbfffe070 --> 0xbfffe0a0 --> 0xb7013060 --> 0xb0e00000 
0008| 0xbfffe074 --> 0x0 
0012| 0xbfffe078 --> 0x1 
0016| 0xbfffe07c --> 0xb7fff938 --> 0x0 
0020| 0xbfffe080 --> 0x1 
0024| 0xbfffe084 --> 0x8 
0028| 0xbfffe088 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
i_zval_ptr_dtor (zval_ptr=0xb7013060) at /root/php-7.1.5/Zend/zend_variables.h:47
47			if (!Z_DELREF_P(zval_ptr)) {
gdb-peda$ bt
#0  i_zval_ptr_dtor (zval_ptr=0xb7013060) at /root/php-7.1.5/Zend/zend_variables.h:47
#1  zend_unclean_zval_ptr_dtor (zv=0xb7013060)
    at /root/php-7.1.5/Zend/zend_execute_API.c:210
#2  0x083d205c in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, 
    idx=<optimized out>, ht=<optimized out>) at /root/php-7.1.5/Zend/zend_hash.c:998
#3  _zend_hash_del_el (p=<optimized out>, idx=0xc0, ht=0x8a8ae48)
    at /root/php-7.1.5/Zend/zend_hash.c:1021
#4  zend_hash_graceful_reverse_destroy (ht=0x8a8ae48)
    at /root/php-7.1.5/Zend/zend_hash.c:1477
#5  0x083b2341 in shutdown_executor () at /root/php-7.1.5/Zend/zend_execute_API.c:279
#6  0x083c161c in zend_deactivate () at /root/php-7.1.5/Zend/zend.c:999
#7  0x08361a97 in php_request_shutdown (dummy=0x0) at /root/php-7.1.5/main/main.c:1877
#8  0x08458fc0 in do_cli (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:1160
#9  0x080785ad in main (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:1381
#10 0xb791daf3 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#11 0x08078641 in _start ()
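Added triage helper, not part of the bug report or of the PHP source: it reads gdb crash output in the shape shown above, pulls out the signal, the fatal error that preceded it, and the backtrace, and flags whether the crash sits on PHP's request-shutdown path (shutdown_executor / zend_deactivate / php_request_shutdown), which is what distinguishes this trace from a crash inside script execution. It assumes the gdb/gdb-peda text layout used in this report (frame lines start with "#N", continuation lines are indented); the embedded sample is the report's own output, trimmed to the lines the parser uses.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Crash output copied from the report above, trimmed to the lines the parser uses.
SAMPLE = """\
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 100000020 bytes) in /root/poc2.php on line 4

Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
#0  i_zval_ptr_dtor (zval_ptr=0xb7013060) at /root/php-7.1.5/Zend/zend_variables.h:47
#1  zend_unclean_zval_ptr_dtor (zv=0xb7013060)
    at /root/php-7.1.5/Zend/zend_execute_API.c:210
#2  0x083d205c in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>,
    idx=<optimized out>, ht=<optimized out>) at /root/php-7.1.5/Zend/zend_hash.c:998
#3  _zend_hash_del_el (p=<optimized out>, idx=0xc0, ht=0x8a8ae48)
    at /root/php-7.1.5/Zend/zend_hash.c:1021
#4  zend_hash_graceful_reverse_destroy (ht=0x8a8ae48)
    at /root/php-7.1.5/Zend/zend_hash.c:1477
#5  0x083b2341 in shutdown_executor () at /root/php-7.1.5/Zend/zend_execute_API.c:279
#6  0x083c161c in zend_deactivate () at /root/php-7.1.5/Zend/zend.c:999
#7  0x08361a97 in php_request_shutdown (dummy=0x0) at /root/php-7.1.5/main/main.c:1877
#8  0x08458fc0 in do_cli (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:1160
#9  0x080785ad in main (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:1381
#10 0xb791daf3 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#11 0x08078641 in _start ()
"""

# PHP engine functions that only run while a request is being torn down.
SHUTDOWN_FUNCS = {"php_request_shutdown", "zend_deactivate", "shutdown_executor"}

# One gdb frame after continuation lines have been joined:
#   #N [0xADDR in] func (args) [at file:line | from lib]
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[^\s(]+)\s*\((?P<args>.*?)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+)|\s+from\s+(?P<lib>\S+))?\s*$"
)


@dataclass
class Frame:
    index: int
    func: str
    file: Optional[str]   # source file, or shared library for "from" frames
    line: Optional[int]


@dataclass
class CrashReport:
    signal: Optional[str]
    fatal_error: Optional[str]
    memory_limit: Optional[int]
    memory_requested: Optional[int]
    frames: List[Frame] = field(default_factory=list)

    @property
    def in_shutdown_path(self) -> bool:
        return any(f.func in SHUTDOWN_FUNCS for f in self.frames)

    @property
    def innermost(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None


def _join_frame_lines(text: str) -> List[str]:
    """Collect '#N ...' lines, folding indented continuation lines into them."""
    out: List[str] = []
    for raw in text.splitlines():
        if re.match(r"#\d+\s", raw):
            out.append(raw.rstrip())
        elif out and raw[:1].isspace() and raw.strip():
            out[-1] += " " + raw.strip()
    return out


def parse_crash(text: str) -> CrashReport:
    sig = (re.search(r"Program received signal (\w+)", text)
           or re.search(r"Stopped reason: (\w+)", text))
    fatal = re.search(r"^Fatal error: (.+?) in \S+ on line \d+", text, re.M)
    mem = re.search(r"Allowed memory size of (\d+) bytes exhausted "
                    r"\(tried to allocate (\d+) bytes\)", text)
    report = CrashReport(
        signal=sig.group(1) if sig else None,
        fatal_error=fatal.group(1) if fatal else None,
        memory_limit=int(mem.group(1)) if mem else None,
        memory_requested=int(mem.group(2)) if mem else None,
    )
    for line in _join_frame_lines(text):
        m = FRAME_RE.match(line)
        if not m:
            continue  # tolerate frames gdb printed in a shape we do not model
        report.frames.append(Frame(
            index=int(m.group("idx")),
            func=m.group("func"),
            file=m.group("file") or m.group("lib"),
            line=int(m.group("line")) if m.group("line") else None,
        ))
    return report


def triage(text: str) -> dict:
    """Summarise one crash: where it faulted and whether it was a post-fatal-error teardown."""
    r = parse_crash(text)
    top = r.innermost
    if top and top.line is not None:
        site = f"{top.func} ({top.file}:{top.line})"
    else:
        site = top.func if top else "unknown"
    return {
        "signal": r.signal,
        "crash_site": site,
        "after_fatal_error": r.fatal_error is not None,
        "in_shutdown_path": r.in_shutdown_path,
        "shutdown_frames": [f.func for f in r.frames if f.func in SHUTDOWN_FUNCS],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

On this report the helper reports a SIGSEGV in i_zval_ptr_dtor reached from php_request_shutdown after the memory-limit fatal error, i.e. the destructor pass over the symbol table is running on state left behind by the bail-out rather than on a live script; that is the detail worth recording when deduplicating against bug #74310, as the maintainer did below.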


History
 [2017-09-10 21:34 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2017-09-10 21:34 UTC] cmb@php.net
> The bug is related to bug#74310.But I find the bug still exists
> in php7.1.5 which is the latest version.

Of course, since bug #74310 has not yet been fixed. Closing as
duplicate.
 