|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-07-27 03:25 UTC] laruence@php.net
[2017-07-27 03:25 UTC] laruence@php.net
-Status: Open
+Status: Closed
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 15:01:30 2024 UTC |
Description: ------------ null deref triggered with afl. compiled with afl-clang-fast on fedora 26 x64. Test script: --------------- ./php -r '$f=function(stdClass$x):s{};$r=new ReflectionMethod($f,'__invoke');var_dump();$f=function():s{};var_dump($r->getParameters()[0]->getClass());echo$r?>[' Actual result: -------------- Warning: var_dump() expects at least 1 parameter, 0 given in Command line code on line 1 /root/php-7.1.7/Zend/zend_hash.c:1291:41: runtime error: left shift of 32768 by 16 places cannot be represented in type 'int' SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_hash.c:1291:41 in object(ReflectionClass)#4 (1) { ["name"]=> string(8) "stdClass" } /root/php-7.1.7/ext/reflection/php_reflection.c:865:40: runtime error: member access within misaligned address 0xffffffffffffffff for type 'zend_class_entry' (aka 'struct _zend_class_entry'), which requires 8 byte alignment 0xffffffffffffffff: note: pointer points here <memory cannot be printed> SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in /root/php-7.1.7/ext/reflection/php_reflection.c:865:40: runtime error: load of misaligned address 0x000000000007 for type 'zend_string *' (aka 'struct _zend_string *'), which requires 8 byte alignment 0x000000000007: note: pointer points here <memory cannot be printed> SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in ASAN:DEADLYSIGNAL ================================================================= ==12003==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000007 (pc 0x000001357adc bp 0x7ffd3b75d5f0 sp 0x7ffd3b75d4c0 T0) ==12003==The signal is caused by a READ memory access. ==12003==Hint: address points to the zero page. #0 0x1357adb in _function_string /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 #1 0x1399d66 in zim_reflection_method___toString /root/php-7.1.7/ext/reflection/php_reflection.c:3186:2 #2 0x1d61f71 in zend_call_function /root/php-7.1.7/Zend/zend_execute_API.c #3 0x1ff4d17 in zend_call_method /root/php-7.1.7/Zend/zend_interfaces.c:99:12 #4 0x212f47c in zend_std_cast_object_tostring /root/php-7.1.7/Zend/zend_object_handlers.c:1631:6 #5 0x1db49f3 in _zval_get_string_func /root/php-7.1.7/Zend/zend_operators.c:887:9 #6 0x231823d in ZEND_ECHO_SPEC_CV_HANDLER /root/php-7.1.7/Zend/zend_vm_execute.h:34709:22 #7 0x21a9e8a in execute_ex /root/php-7.1.7/Zend/zend_vm_execute.h:432:7 #8 0x21ab3f7 in zend_execute /root/php-7.1.7/Zend/zend_vm_execute.h:474:2 #9 0x1d6dc24 in zend_eval_stringl /root/php-7.1.7/Zend/zend_execute_API.c:1120:4 #10 0x1d6ea20 in zend_eval_stringl_ex /root/php-7.1.7/Zend/zend_execute_API.c:1161:11 #11 0x1d6ea20 in zend_eval_string_ex /root/php-7.1.7/Zend/zend_execute_API.c:1172 #12 0x2982f44 in do_cli /root/php-7.1.7/sapi/cli/php_cli.c:1024:8 #13 0x2980752 in main /root/php-7.1.7/sapi/cli/php_cli.c:1381:18 #14 0x7f986c29b4d9 in __libc_start_main /usr/src/debug/glibc-2.25-24-g49f97e6/csu/../csu/libc-start.c:295 #15 0x43aad9 in _start (/root/php-7.1.7/sapi/cli/php+0x43aad9) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in _function_string ==12003==ABORTING