Bug #75189 Invalid read in zend_string_release()
Submitted: 2017-09-11 15:07 UTC Modified: 2021-07-02 10:20 UTC
From: fumfi dot 255 at gmail dot com Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 7.1.9 OS: Xubuntu 16.04 x64
Private report: No CVE-ID: None

 [2017-09-11 15:07 UTC] fumfi dot 255 at gmail dot com
Description:
------------
After some fuzz testing I found a crashing test case.

Version: 7.18

Command: php php_ir_zend_string_release.php

Faulting PHP script: https://frankowicz.me/storage/crashes/php_ir_zend_string_release.txt

ASAN:

==3643==ERROR: AddressSanitizer: SEGV on unknown address 0x7f22bb400005 (pc 0x00000184bce4 bp 0x000002767b60 sp 0x7ffed871ccf0 T0)
==3643==The signal is caused by a READ memory access.
    #0 0x184bce3 in zend_string_release XYZ/php-7.1.8/Zend/zend_string.h:270:7
    #1 0x184bce3 in zend_array_destroy XYZ/php-7.1.8/Zend/zend_hash.c:1311
    #2 0x192c600 in zend_object_std_dtor XYZ/php-7.1.8/Zend/zend_objects.c:60:5
    #3 0x1949bb5 in zend_objects_store_del XYZ/php-7.1.8/Zend/zend_objects_API.c:178:8
    #4 0x17c742f in _zval_dtor_func XYZ/php-7.1.8/Zend/zend_variables.c:56:5
    #5 0x184b84c in i_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_variables.h:48:4
    #6 0x184b84c in zend_array_destroy XYZ/php-7.1.8/Zend/zend_hash.c:1305
    #7 0x17c7463 in _zval_dtor_func XYZ/php-7.1.8/Zend/zend_variables.c:43:5
    #8 0x1767a30 in i_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_variables.h:48:4
    #9 0x1767a30 in zend_unclean_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_execute_API.c:210
    #10 0x1851027 in _zend_hash_del_el_ex XYZ/php-7.1.8/Zend/zend_hash.c:997:3
    #11 0x1851027 in _zend_hash_del_el XYZ/php-7.1.8/Zend/zend_hash.c:1020
    #12 0x1851027 in zend_hash_graceful_reverse_destroy XYZ/php-7.1.8/Zend/zend_hash.c:1476
    #13 0x1767f89 in shutdown_executor XYZ/php-7.1.8/Zend/zend_execute_API.c:279:3
    #14 0x17ce8ca in zend_deactivate XYZ/php-7.1.8/Zend/zend.c:999:2
    #15 0x1564144 in php_request_shutdown XYZ/php-7.1.8/main/main.c:1877:2
    #16 0x1c4215c in do_cli XYZ/php-7.1.8/sapi/cli/php_cli.c:1160:3
    #17 0x1c418e5 in main XYZ/php-7.1.8/sapi/cli/php_cli.c:1381:18
    #18 0x7f22c87c782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #19 0x43ac28 in _start (/usr/local/bin/php+0x43ac28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.8/Zend/zend_string.h:270:7 in zend_string_release
==3643==ABORTING


 [2017-09-12 13:39 UTC] laruence@php.net
-Status: Open +Status: Analyzed
 [2017-09-12 13:39 UTC] laruence@php.net
This is similar to https://bugs.php.net/bug.php?id=75128
 [2017-09-13 23:02 UTC] cmb@php.net
-Summary: Inwalid read in zend_string_release() +Summary: Invalid read in zend_string_release()
 [2021-07-02 10:20 UTC] nikic@php.net
-Status: Analyzed +Status: Wont fix
 [2021-07-02 10:20 UTC] nikic@php.net
The reproducer no longer works, and as it is a non-reduced one, it's hard to guess at what the issue here was originally.
 