PHP :: Bug #76410 :: SIGV in zend_mm_alloc

Bug #76410	SIGV in zend_mm_alloc_small
Submitted:	2018-06-03 11:24 UTC	Modified:	2018-06-03 22:47 UTC
From:	daniel dot teuchert at rub dot de	Assigned:	dmitry (profile)
Status:	Closed	Package:	Arrays related
PHP Version:	7.2.6	OS:	Linux/Ubuntu
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	daniel dot teuchert at rub dot de
New email:
PHP Version:		OS:

New Comment:

[2018-06-03 11:24 UTC] daniel dot teuchert at rub dot de

Description:
------------
When executing the test script PHP crashes.

Test script:
---------------
<?php
$b = timezone_abbreviations_list();
extract($b);
timezone_abbreviations_list();
?>


Actual result:
--------------
Backtrace:
#0  0x0000000001918d3e in zend_mm_alloc_small (size=0, heap=<optimized out>, 
    bin_num=<optimized out>) at Zend/zend_alloc.c:1273
#1  _emalloc_56 () at Zend/zend_alloc.c:2352
#2  0x0000000001a78a0f in _array_init (arg=0x7fffffff99a0, size=0) at Zend/zend_API.c:1090
#3  0x000000000051c220 in zif_timezone_abbreviations_list (execute_data=<optimized out>, 
    return_value=<optimized out>) at ext/date/php_date.c:4830
#4  0x0000000001ea9d23 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=<optimized out>)
    at Zend/zend_vm_execute.h:573
#5  0x0000000001c126d6 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:59723
#6  0x0000000001c1312f in zend_execute (op_array=<optimized out>, return_value=<optimized out>)
    at Zend/zend_vm_execute.h:63760
#7  0x0000000001a6678e in zend_execute_scripts (type=-3184, retval=0x0, file_count=<optimized out>)
    at Zend/zend.c:1496
#8  0x00000000017e108a in php_execute_script (primary_file=0x7fffffffc560) at main/main.c:2590
#9  0x000000000200dba7 in do_cli (argc=<optimized out>, argv=<optimized out>)
    at sapi/cli/php_cli.c:1011
#10 0x000000000200aa8d in main (argc=<optimized out>, argv=<optimized out>)
    at sapi/cli/php_cli.c:1404

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-06-03 13:01 UTC] cmb@php.net

-Status: Open +Status: Verified

[2018-06-03 16:10 UTC] cmb@php.net

-Package: Date/time related +Package: Arrays related -Assigned To: +Assigned To: dmitry

[2018-06-03 16:10 UTC] cmb@php.net

This does not appear to be particularly related to
timezone_abbreviations_list(), since the following test script
shows the same UAF issues under valgrind:

  <?php
  $b = array_flip(range('a', 'c'));
  debug_zval_dump($b); // just to check the refcount
  extract($b);

Actually it does not matter how the array is created; it just
needs to have the key 'b', and the debug_zval_dump() should show a
refcount of 2.

Apparently, the bad behavior has been intruced with commit
1f7bf2b[1]. Dmitry, could you please take at look at this issue?

[1] <http://git.php.net/?p=php-src.git;a=commit;h=1f7bf2bfd63d94ddf4e28f903c692850232ef798>

[2018-06-03 22:47 UTC] stas@php.net

-Type: Security +Type: Bug

[2018-06-05 09:17 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=951e29f66ec61c21588e10ab202f867f302d572e
Log: Fixed bug #76410 (SIGV in zend_mm_alloc_small)

[2018-06-05 09:17 UTC] laruence@php.net

-Status: Verified +Status: Closed

[2018-06-05 09:20 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=951e29f66ec61c21588e10ab202f867f302d572e
Log: Fixed bug #76410 (SIGV in zend_mm_alloc_small)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Oct 28 14:00:01 2025 UTC