Bug #75033 memory corruption
Submitted: 2017-08-04 04:30 UTC Modified: 2017-08-11 20:58 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.1.8 OS:
Private report: No CVE-ID: None
 [2017-08-04 04:30 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
It causes denial of service.

Test script:
---------------
<?php
class A {
    public $a;

    // Each destroyed A creates another A, whose own destructor runs when
    // it is freed in turn, so destruction recurses without bound.
    public function __destruct() {
        $this->a = new A;
    }
}

// Serialized data instantiates A through the stdClass property "a".
$class = unserialize('O:8:"stdClass":1:{s:1:"a";O:1:"A":0:{}}');


Expected result:
----------------
NO CRASH 

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0xbf800000 
EBX: 0xbf8002d0 
ECX: 0xbf800270 
EDX: 0xb454db8c --> 0xb440300c --> 0x6d697402 
ESI: 0xb440300c --> 0x6d697402 
EDI: 0x0 
EBP: 0xbf800158 
ESP: 0xbf7fffb0 
EIP: 0x9ba47c8 (<zend_call_function+72>:	mov    DWORD PTR [ebp-0x18c],eax)
EFLAGS: 0x210282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x9ba47b6 <zend_call_function+54>:	lea    eax,[ebp-0x158]
   0x9ba47bc <zend_call_function+60>:	sub    esp,0x19c
   0x9ba47c2 <zend_call_function+66>:	mov    edi,DWORD PTR ds:0xac55ca0
=> 0x9ba47c8 <zend_call_function+72>:	mov    DWORD PTR [ebp-0x18c],eax
   0x9ba47ce <zend_call_function+78>:	test   edi,edi
   0x9ba47d0 <zend_call_function+80>:	jne    0x9bae338 <zend_call_function+39864>
   0x9ba47d6 <zend_call_function+86>:	xchg   ax,ax
   0x9ba47d8 <zend_call_function+88>:	lea    esp,[esp-0x10]
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0xbf7fffb0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x09ba47c8 in zend_call_function (fci=0xbf800270, fci_cache=0xbf8001f0)
    at /home/hjy/Desktop/php-7.1.8/Zend/zend_execute_API.c:677
677	{


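The report's payload reaches A::__destruct only because unserialize() is allowed to instantiate any class. As an added example (not from the report or from PHP's own code), the same payload is deserialized with and without the allowed_classes option (PHP >= 7.0), which turns disallowed objects into __PHP_Incomplete_Class so no user-defined destructor runs on untrusted input; the class A and the wrapper function are assumptions for the example.

```php
<?php
// Added example: the bug report's payload with and without a class allow-list.

class A {
    public $a;
    public function __destruct() {
        // Only record the call here instead of recursing as the report does.
        echo "A::__destruct ran\n";
    }
}

// Payload taken from the report: a stdClass whose property "a" is an A.
const PAYLOAD = 'O:8:"stdClass":1:{s:1:"a";O:1:"A":0:{}}';

/**
 * Hypothetical wrapper for untrusted input. With an empty allow-list no
 * class at all is instantiated; otherwise only the listed classes are.
 */
function untrusted_unserialize(string $data, array $allowed = [])
{
    $opts = ['allowed_classes' => $allowed === [] ? false : $allowed];
    return unserialize($data, $opts);
}

// Unrestricted: A is instantiated and its destructor runs when $raw is freed.
$raw = unserialize(PAYLOAD);
echo get_class($raw->a), "\n";              // A
unset($raw);                                // prints "A::__destruct ran"

// Fully restricted: the outer object itself is an incomplete-class stub.
$safe = untrusted_unserialize(PAYLOAD);
echo get_class($safe), "\n";                // __PHP_Incomplete_Class

// Allow-listed: stdClass is rebuilt, but the nested A is not, so
// A::__destruct is never reached for this input.
$partial = untrusted_unserialize(PAYLOAD, ['stdClass']);
echo get_class($partial), "\n";             // stdClass
echo get_class($partial->a), "\n";          // __PHP_Incomplete_Class
```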
Patches

Pull Requests

History

 [2017-08-11 20:58 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2017-08-11 20:58 UTC] nikic@php.net
Duplicate of bug #64280.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri May 09 09:01:26 2025 UTC