Bug #77666 Segmentation fault on include file with very long string variable
Submitted: 2019-02-25 19:51 UTC
Modified: 2021-04-21 10:16 UTC
Votes: 4
Avg. Score: 4.0 ± 0.7
Reproduced: 4 of 4 (100.0%)
Same Version: 0 (0.0%)
Same OS: 2 (50.0%)
From: alexxwiz at yandex dot ru
Assigned:
Status: Open
Package: Reproducible crash
PHP Version: 7.2.15
OS: Ubuntu 16.04
Private report: No
CVE-ID: None

 [2019-02-25 19:51 UTC] alexxwiz at yandex dot ru
Description:
------------
Reproducible on two versions at least:

PHP 7.1.26-1+ubuntu14.04.1+deb.sury.org+1 (cli) (built: Jan 11 2019 14:35:37) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.1.26-1+ubuntu14.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

and

PHP 7.2.15-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Feb  8 2019 15:37:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.15-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies
    with Xdebug v2.6.1, Copyright (c) 2002-2018, by Derick Rethans


When I try to include a file with a very long (6.5 Mb in size) string variable, I get a segfault.

The variable is like the one in the example (generated by some cache engine).



Test script:
---------------
<?php
include "test_long_string.php";
echo $datecreate;

//file test_long_string.php is like 6.5 Mb in size: 

<?php
$ser_content = 'a:2:{s:7:"CONTENT";s:0:"";s:4:"VARS";a:159:{i:2;a:24:{s:2:"ID";s:1:"2";s:6:"ACTIVE";s:1:"N";s:4:"NAME";s:35:"Фабрика - Вебмастер";s:4:"CODE";N;s:11:"DESCRIPTION";s:46:"Фабрика Фабрика Фабрика Фабрика ";s:4:"SORT";s:3:"100";s:7:"SITE_ID";s:2:"s1";s:6:"DOMAIN";s:11:"auto-mex.ru";s:8:"IS_HTTPS";s:1:"Y";s:6:"PLUGIN";s:16:"YANDEX_WEBMASTER";s:6:"FORMAT";s:23:"YANDEX_WEBMASTER_SIMPLE";s:14:"LAST_IBLOCK_ID";s:1:"1";s:17:"LAST_SETTINGS_TAB";s:17:"subtab_categories";s:6:"PARAMS";a:13:{s:11:"AUTO_DELETE";s:1:"Y";s:9:"SHOP_NAME";s:29:"Фабрика Фабрика ";s:12:"SHOP_COMPANY";s:29:"Фабрика Фабрика";s:8:"DELIVERY";a:3:{s:4:"COST";s:3:"275";s:4:"DAYS";s:1:"1";s:12:"ORDER_BEFORE";s:0:"";}s:21:"ENABLE_AUTO_DISCOUNTS";s:1:"N";s:16:"EXPORT_FILE_NAME";s:24:"/upload/webmaster-ya.xml";s:8:"ENCODING";s:5:"UTF-8";s:15:"COMPRESS_TO_ZIP";s:1:"N";s:17:"DELETE_XML_IF_ZIP";s:1:"N";s:18:"SHOW_JUST_CATALOGS";s:1:"Y";s:28:"CATEGORIES_REDEFINITION_MODE";s:1:"1";s:25:"CATEGORIES_EXPORT_PARENTS";s:1:"N";s:8:"CURRENCY";a:2:{s:15:"TARGET_CURRENCY";s:3:"RUB";s:12:"RATES_SOURCE";s:4:"CBRF";}}s:13:"AUTO_GENERATE";s:1:"Y";s:6:"LOCKED";s:1:"N";s:12:"DATE_CREATED";O:25:"Bitrix\\Main\\Type\\DateTime":1:{s:8:"'.chr(0).'*'.chr(0).'value";O:8:"DateTime":3:{s:4:"date";s:26:"2018-10-11 16:12:37.000000";s:13:"timezone_type";i:3;s:8:"timezone";s:13:"Europe/Moscow";}}s:13:"DATE_MODIFIED";O:25:"Bitrix\\Main\\Type\\DateTime":1:{s:8:"'.chr(0).'*'.chr(0);

Expected result:
----------------
If this string is too long, I'd expect "out of memory" or "memory limit exceeded", but not a segfault.

Actual result:
--------------
Segmentation fault (core dumped)

 [2019-02-25 19:55 UTC] spam2 at rhsoft dot net
http://php.net/supported-versions.php

can you reproduce that with a supported version?
 [2019-02-25 20:05 UTC] alexxwiz at yandex dot ru
-Operating System: Ubuntu 14.04
+Operating System: Ubuntu 16.04
-PHP Version: 7.1.26
+PHP Version: 7.2.15
 [2019-02-25 20:05 UTC] alexxwiz at yandex dot ru
Stacktrace:
Core was generated by `php -d short_open_tag=On test_segfault.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00005607e6adcdcc in zend_compile_binary_op (
    result=result@entry=0x7fffc440d0e0, ast=ast@entry=0x7fa4858cbf00)
    at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7021
 [2019-02-25 20:08 UTC] alexxwiz at yandex dot ru
More stacktrace:

#0  0x00005607e6adcdcc in zend_compile_binary_op (result=result@entry=0x7fffc440d0e0, ast=ast@entry=0x7fa4858cbf00) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7021
#1  0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440d0e0, ast=0x7fa4858cbf00) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#2  0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440d210, ast=ast@entry=0x7fa4858cbf30) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#3  0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440d210, ast=0x7fa4858cbf30) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#4  0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440d340, ast=ast@entry=0x7fa4858cbfc0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#5  0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440d340, ast=0x7fa4858cbfc0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#6  0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440d470, ast=ast@entry=0x7fa4858cbff0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#7  0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440d470, ast=0x7fa4858cbff0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#8  0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440d5a0, ast=ast@entry=0x7fa4858cc080) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#9  0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440d5a0, ast=0x7fa4858cc080) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#10 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440d6d0, ast=ast@entry=0x7fa4858cc0b0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#11 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440d6d0, ast=0x7fa4858cc0b0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#12 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440d800, ast=ast@entry=0x7fa4858cc140) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#13 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440d800, ast=0x7fa4858cc140) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#14 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440d930, ast=ast@entry=0x7fa4858cc170) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#15 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440d930, ast=0x7fa4858cc170) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#16 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440da60, ast=ast@entry=0x7fa4858cc200) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#17 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440da60, ast=0x7fa4858cc200) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#18 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440db90, ast=ast@entry=0x7fa4858cc230) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#19 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440db90, ast=0x7fa4858cc230) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#20 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440dcc0, ast=ast@entry=0x7fa4858cc2c0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#21 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440dcc0, ast=0x7fa4858cc2c0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#22 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440ddf0, ast=ast@entry=0x7fa4858cc2f0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#23 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440ddf0, ast=0x7fa4858cc2f0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#24 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440df20, ast=ast@entry=0x7fa4858cc380) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#25 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440df20, ast=0x7fa4858cc380) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#26 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440e050, ast=ast@entry=0x7fa4858cc3b0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#27 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440e050, ast=0x7fa4858cc3b0) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#28 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440e180, ast=ast@entry=0x7fa4858cc440) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#29 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440e180, ast=0x7fa4858cc440) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#30 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440e2b0, ast=ast@entry=0x7fa4858cc470) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#31 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440e2b0, ast=0x7fa4858cc470) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#32 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440e3e0, ast=ast@entry=0x7fa4858cc500) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#33 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440e3e0, ast=0x7fa4858cc500) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
#34 0x00005607e6adce00 in zend_compile_binary_op (result=result@entry=0x7fffc440e510, ast=ast@entry=0x7fa4858cc530) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:7027
#35 0x00005607e6adaa6f in zend_compile_expr (result=result@entry=0x7fffc440e510, ast=0x7fa4858cc530) at /build/php7.2-AL4wdD/php7.2-7.2.15/Zend/zend_compile.c:8265
 [2021-04-21 10:16 UTC] cmb@php.net
That is a compile time issue caused by too many . (concat)
operators, leading to too deep recursion.
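
The diagnosis above, modelled in C as an added example (not part of the bug report and not Zend Engine code): a long `.` chain parses into a left-deep tree, so a recursive compiler uses one stack frame per operator, while a depth check or a loop over the left spine avoids the crash. The `node` type, all function names and the `max_depth` limit are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy AST (assumption, not Zend's zend_ast): a leaf has lhs == NULL. */
typedef struct node { struct node *lhs, *rhs; } node;
static node *new_node(node *lhs, node *rhs) {
    node *n = malloc(sizeof *n);
    if (!n) abort();
    n->lhs = lhs; n->rhs = rhs; return n;
}

/* '.' is left-associative: `ops` operators give a left-deep tree of depth `ops`. */
static node *build_chain(size_t ops) {
    node *root = new_node(NULL, NULL);
    for (size_t i = 0; i < ops; i++) root = new_node(root, new_node(NULL, NULL));
    return root;
}
static void free_chain(node *n) {   /* iterative; right operands are leaves */
    while (n) { node *next = n->lhs; free(n->rhs); free(n); n = next; }
}

/* Recursive walk, one C stack frame per nesting level. The depth check
   turns "too deep" into an error return (-1) instead of a stack overflow. */
static long walk_guarded(const node *n, size_t depth, size_t max_depth) {
    if (depth > max_depth) return -1;
    if (!n->lhs) return 1;                       /* leaf */
    long l = walk_guarded(n->lhs, depth + 1, max_depth);
    long r = l < 0 ? -1 : walk_guarded(n->rhs, depth + 1, max_depth);
    return r < 0 ? -1 : l + r;
}

/* Loop down the left spine; recurse (guarded) only into right operands. */
static long walk_flat(const node *n, size_t max_depth) {
    long leaves = 1;                             /* the leftmost leaf */
    for (; n->lhs; n = n->lhs) {
        long r = walk_guarded(n->rhs, 1, max_depth);
        if (r < 0) return -1;
        leaves += r;
    }
    return leaves;
}
/* Leaves visited for a chain of `ops` concat operators, or -1 if too deep. */
long demo(size_t ops, size_t max_depth, int flat) {
    node *c = build_chain(ops);
    long r = flat ? walk_flat(c, max_depth) : walk_guarded(c, 0, max_depth);
    free_chain(c);
    return r;
}
int main(void) { printf("%ld %ld\n", demo(100000, 1000, 0), demo(100000, 1000, 1)); return 0; }
```

With 100000 operators and a limit of 1000, the guarded recursive walk reports an error, and the spine loop visits every operand without deep recursion.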
 
Last updated: Thu Nov 21 15:01:30 2024 UTC