Bug #76997 divide zero in array.c:2224
Submitted: 2018-10-11 07:30 UTC Modified: 2018-10-11 16:47 UTC
From: zzw20124321 at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Arrays related
PHP Version: 7.0.32 OS: Ubuntu 16.04.5 LTS
Private report: No CVE-ID: None
 [2018-10-11 07:30 UTC] zzw20124321 at gmail dot com
Description:
------------
php -v
PHP 7.0.32 (cli) (built: Oct  9 2018 15:37:43) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies


~/Downloads/php-7.0.32/sapi/cli/php crash.php 
Floating point exception (core dumped)

gdb info:

```
[----------------------------------registers-----------------------------------]
RAX: 0x12 
RBX: 0xffffffff390 --> 0x0 
RCX: 0x12 
RDX: 0x0 
RSI: 0x0 
RDI: 0x7fffea413110 --> 0x12 
RBP: 0x7fffffff9da0 --> 0x1e4d750 --> 0x0 
RSP: 0x7fffffff9c40 --> 0x7fffffffc8d0 --> 0x7fffea4730b0 --> 0x0 
RIP: 0xc56627 (<zif_range+4775>:	div    r8)
R8 : 0x0 
R9 : 0x52df907 
R10: 0x60800007c8b8 --> 0x463a96833b2bd391 
R11: 0x60800007c8a0 --> 0x60800007c920 --> 0x60800007c9a0 --> 0x60800007caa0 --> 0x0 
R12: 0x7fffffff9c80 --> 0x41b58ab3 
R13: 0x0 
R14: 0x7fffea413090 --> 0x0 
R15: 0x7fffffff9c80 --> 0x41b58ab3
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xc5661c <zif_range+4764>:	cmp    r8,rax
   0xc5661f <zif_range+4767>:	ja     0xc55aa8 <zif_range+1832>
   0xc56625 <zif_range+4773>:	xor    edx,edx
=> 0xc56627 <zif_range+4775>:	div    r8
   0xc5662a <zif_range+4778>:	cmp    rax,0x7ffffffe
   0xc56630 <zif_range+4784>:	ja     0xc570ae <zif_range+7470>
   0xc56636 <zif_range+4790>:	lea    r9d,[rax+0x1]
   0xc5663a <zif_range+4794>:	mov    rdi,r14
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9c40 --> 0x7fffffffc8d0 --> 0x7fffea4730b0 --> 0x0 
0008| 0x7fffffff9c48 --> 0x687945145230b425 
0016| 0x7fffffff9c50 --> 0x1e4d750 --> 0x0 
0024| 0x7fffffff9c58 --> 0x7fffffffc8d0 --> 0x7fffea4730b0 --> 0x0 
0032| 0x7fffffff9c60 --> 0x7fffea4730b0 --> 0x0 
0040| 0x7fffffff9c68 --> 0x7ffff7de6ac6 (<_dl_fixup+214>:	mov    r8,rax)
0048| 0x7fffffff9c70 --> 0x1 
0056| 0x7fffffff9c78 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGFPE
0x0000000000c56627 in zif_range (execute_data=<optimized out>, return_value=0x7fffea413090) at /home/fan/Downloads/php-7.0.32/ext/standard/array.c:2224
2224				RANGE_CHECK_LONG_INIT_ARRAY(high, low);
gdb-peda$ bt
#0  0x0000000000c56627 in zif_range (execute_data=<optimized out>, return_value=0x7fffea413090) at /home/fan/Downloads/php-7.0.32/ext/standard/array.c:2224
#1  0x0000000001035800 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/fan/Downloads/php-7.0.32/Zend/zend_vm_execute.h:586
#2  0x0000000000ff650e in execute_ex (ex=<optimized out>) at /home/fan/Downloads/php-7.0.32/Zend/zend_vm_execute.h:414
#3  0x000000000113c09e in zend_execute (op_array=op_array@entry=0x7fffea482000, return_value=return_value@entry=0x0) at /home/fan/Downloads/php-7.0.32/Zend/zend_vm_execute.h:458
#4  0x0000000000f3aac3 in zend_execute_scripts (type=0xea413030, type@entry=0x8, retval=retval@entry=0x0, file_count=file_count@entry=0x3) at /home/fan/Downloads/php-7.0.32/Zend/zend.c:1445
#5  0x0000000000e42ba0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffc8d0) at /home/fan/Downloads/php-7.0.32/main/main.c:2516
#6  0x000000000113fc31 in do_cli (argc=<optimized out>, argv=<optimized out>) at /home/fan/Downloads/php-7.0.32/sapi/cli/php_cli.c:977
#7  0x000000000045d059 in main (argc=argc@entry=0x2, argv=0x60300000da80, argv@entry=0x7fffffffde28) at /home/fan/Downloads/php-7.0.32/sapi/cli/php_cli.c:1347
#8  0x00007ffff351b830 in __libc_start_main (main=0x45c910 <main>, argc=0x2, argv=0x7fffffffde28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde18)
    at ../csu/libc-start.c:291
#9  0x000000000045d329 in _start ()
gdb-peda$ q

```

Test script:
---------------
cat crash.php 
```php
<?php
    // Triggers SIGFPE in zif_range() at array.c:2224 on PHP 7.0.32 (see the
    // gdb output above): the step string is only leading-numeric.
    range(null, 18, "1.844674407371e195b");
?>
```



 [2018-10-11 14:16 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2018-10-11 14:16 UTC] cmb@php.net
Duplicate of bug #76390.  This is not a security issue, and
therefore non-actively supported versions[1] will not be patched.

[1] <http://php.net/supported-versions.php>
 [2018-10-11 15:05 UTC] spam2 at rhsoft dot net
Outside of the PHP world, issues which can lead to reproducible segfaults, and so denial of service, are always considered security bugs!
 [2018-10-11 16:28 UTC] cmb@php.net
We cannot consider *everything* that might be misused to be a
security issue (consider, for instance, `include
$_GET[$filename]`).  Users should validate/sanitize all user
supplied input; in this case they should make sure that the passed
$step value is actually numeric (and is not so small, that the
result of the range() call would create a huge array).  If,
however, the $step value has not been user supplied input, the
programmer should quickly note the mistake, since the segfault is
reproducible.
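The validation cmb describes, as an added example that is not part of the bug report or of PHP itself: `safe_range()` (a hypothetical wrapper name, as is the `$maxElements` cap) rejects anything that is not a genuine number before the values reach range(). `is_numeric()` refuses the report's step string "1.844674407371e195b" because of its trailing "b", whereas PHP's own argument coercion only uses the leading numeric prefix; a zero or absurdly large step, and a result that would be too big to build, are rejected as well. The crashing call from the report is the first of the constructed test inputs at the bottom.

```php
<?php
// Added example, not code from the bug report or from PHP: guard range()
// arguments that come from untrusted input. safe_range() and $maxElements
// are the author's own names/choices.

function safe_range($low, $high, $step = 1, int $maxElements = 100000): array
{
    // Accept only genuine numbers. is_numeric("1.844674407371e195b") is false
    // because of the trailing "b"; is_numeric(null) is false as well, so the
    // report's first argument is refused instead of being coerced to 0.
    foreach (['low' => $low, 'high' => $high, 'step' => $step] as $name => $v) {
        if (!is_int($v) && !is_float($v) && !is_numeric($v)) {
            throw new InvalidArgumentException("range(): \$$name must be numeric");
        }
    }

    // Numeric strings become int or float; range() ignores the sign of $step.
    $low  = $low + 0;
    $high = $high + 0;
    $step = abs($step + 0);

    if (!is_finite($low) || !is_finite($high) || !is_finite($step)) {
        throw new InvalidArgumentException("range(): arguments must be finite");
    }

    // A zero step means an infinite sequence; a step above PHP_INT_MAX cannot
    // be represented once range() works with integers.
    if ($step == 0 || $step > PHP_INT_MAX) {
        throw new InvalidArgumentException("range(): step out of range");
    }

    // Bound the size of the result before range() is asked to allocate it,
    // so a tiny step cannot be used to exhaust memory.
    $count = floor(abs($high - $low) / $step) + 1;
    if ($count > $maxElements) {
        throw new InvalidArgumentException(
            "range(): result would have $count elements (limit $maxElements)"
        );
    }

    return range($low, $high, $step);
}

// Constructed inputs: the report's crashing call, the same bad step with a
// numeric $low, a step small enough to blow up the result size, and a sane call.
$cases = [
    [null, 18, "1.844674407371e195b"],
    [0, 18, "1.844674407371e195b"],
    ["0", "18", "1e-9"],
    [1, 10, 3],
];

foreach ($cases as $args) {
    try {
        echo implode(',', safe_range(...$args)), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

The register dump above shows the crash is a `div r8` with R8 = 0 inside RANGE_CHECK_LONG_INIT_ARRAY, so refusing a non-numeric or out-of-range step before the call keeps that division from ever being reached; the three bad cases are rejected and only `[1, 10, 3]` produces `1,4,7,10`.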
 [2018-10-11 16:29 UTC] spam2 at rhsoft dot net
Irrelevant: unsanitized input may lead to damage / deleted data and so on, BUT it must not CRASH the PHP binary itself.
 [2018-10-11 16:47 UTC] cmb@php.net
This is wishful thinking.  For instance, it is documented that
PHP does *not* protect from too deeply nested function call
recursion[1], so a recursive implementation of fac() requires
validating user supplied $n.

[1] <http://php.net/manual/en/functions.user-defined.php>