Bug #78507 Segmentation Fault at zend_strtod
Submitted: 2019-09-06 21:41 UTC Modified: 2019-09-06 21:49 UTC
From: ryan at amezmo dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 7.2.22 OS: Ubuntu 16.04.6
Private report: No CVE-ID: None

 [2019-09-06 21:41 UTC] ryan at amezmo dot com
Description:
------------
Reproducible Segmentation Fault on PHP 7.22.2. 

Test script:
---------------
https://gist.github.com/rmccullagh/da48753127b8628318e291628fe14be8

$crasher = new PhpVersionCollection();

var_dump($crasher->exists('7.2'));


Expected result:
----------------
bool(true)

Actual result:
--------------
Segmentation fault: 11


-- BEGIN GDB OUTPUT--

Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                                            `
Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x000055b766a11bc0 in _is_numeric_string_ex (str=<optimized out>, length=<optimized out>, lval=0x7ffdf198b068, dval=0x7ffdf198b078, allow_errors=0, oflow_info=0x7ffdf198b060)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_operators.c:2952
#1  0x000055b766a12703 in is_numeric_string_ex (oflow_info=0x7ffdf198b060, allow_errors=0, dval=0x7ffdf198b078, lval=0x7ffdf198b068, length=<optimized out>, str=0x7f834505e618 "7.2")
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_operators.h:142
#2  zendi_smart_strcmp (s1=0x7f834505e600, s2=0x7f832300dce0) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_operators.c:2769
#3  0x000055b766938a9d in fast_equal_check_string (op2=0x7f8323f8f4f8, op1=0x7f8331cf8be0) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_operators.h:798
#4  php_search_array (behavior=0, return_value=0x7f8331cf8b80, execute_data=0x7f8331cf8b90) at /build/php7.2-PSQlLg/php7.2-7.2.22/ext/standard/array.c:1614
#5  zif_in_array (execute_data=0x7f8331cf8b90, return_value=0x7f8331cf8b80) at /build/php7.2-PSQlLg/php7.2-7.2.22/ext/standard/array.c:1653
#6  0x000055b766acaca6 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:816
#7  execute_ex (ex=0x7f834505e618) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:59762
#8  0x000055b766a0a8f2 in zend_call_function (fci=0x7f8331cf8b20, fci@entry=0x7ffdf198b310, fci_cache=fci_cache@entry=0x7ffdf198b2e0) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute_API.c:820
#9  0x000055b766a39cf4 in zend_call_method (object=object@entry=0x7ffdf198b3f0, obj_ce=<optimized out>, obj_ce@entry=0x7f8332dc5400, fn_proxy=fn_proxy@entry=0x0,
    function_name=function_name@entry=0x55b766b00bec "offsetexists", function_name_len=function_name_len@entry=12, retval_ptr=retval_ptr@entry=0x7f8331cf8b10, param_count=1, arg1=0x7ffdf198b3e0,
    arg2=0x0) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_interfaces.c:100
#10 0x000055b766a55e74 in zend_std_read_dimension (object=<optimized out>, offset=<optimized out>, type=3, rv=0x7f8331cf8b10) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_object_handlers.c:795
#11 0x000055b766a6645f in zend_fetch_dimension_address_read (slow=0, support_strings=1, type=3, dim_type=16, dim=0x7f8331cf8af0, container=0x7f8331cf8b00, result=0x7f8331cf8b10)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute.c:1826
#12 zend_fetch_dimension_address_read_IS (result=0x7f8331cf8b10, container=container@entry=0x7f8331cf8b00, dim=<optimized out>, dim_type=dim_type@entry=16)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute.c:1860
#13 0x000055b766a66a06 in ZEND_FETCH_DIM_IS_SPEC_TMPVAR_CV_HANDLER () at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:52145
#14 0x000055b766ac7e8b in execute_ex (ex=0x7f834505e618) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:63467
#15 0x000055b766a0a8f2 in zend_call_function (fci=0x7f8331cf8aa0, fci@entry=0x7ffdf198b660, fci_cache=fci_cache@entry=0x7ffdf198b630) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute_API.c:820
#16 0x000055b766a39cf4 in zend_call_method (object=object@entry=0x7ffdf198b740, obj_ce=<optimized out>, obj_ce@entry=0x7f8332dc5400, fn_proxy=fn_proxy@entry=0x0,
    function_name=function_name@entry=0x55b766b00bd8 "offsetget", function_name_len=function_name_len@entry=9, retval_ptr=retval_ptr@entry=0x7f8331cf8a90, param_count=1, arg1=0x7ffdf198b730, arg2=0x0)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_interfaces.c:100
#17 0x000055b766a55df3 in zend_std_read_dimension (object=<optimized out>, offset=<optimized out>, type=3, rv=0x7f8331cf8a90) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_object_handlers.c:810
#18 0x000055b766a6645f in zend_fetch_dimension_address_read (slow=0, support_strings=1, type=3, dim_type=16, dim=0x7f8331cf8a70, container=0x7f8331cf8a80, result=0x7f8331cf8a90)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute.c:1826
#19 zend_fetch_dimension_address_read_IS (result=0x7f8331cf8a90, container=container@entry=0x7f8331cf8a80, dim=<optimized out>, dim_type=dim_type@entry=16)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute.c:1860
#20 0x000055b766a66a06 in ZEND_FETCH_DIM_IS_SPEC_TMPVAR_CV_HANDLER () at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:52145
#21 0x000055b766ac7e8b in execute_ex (ex=0x7f834505e618) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:63467
#22 0x000055b766a0a8f2 in zend_call_function (fci=0x7f8331cf8a20, fci@entry=0x7ffdf198b9b0, fci_cache=fci_cache@entry=0x7ffdf198b980) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute_API.c:820
#23 0x000055b766a39cf4 in zend_call_method (object=object@entry=0x7ffdf198ba90, obj_ce=<optimized out>, obj_ce@entry=0x7f8332dc5400, fn_proxy=fn_proxy@entry=0x0,
    function_name=function_name@entry=0x55b766b00bd8 "offsetget", function_name_len=function_name_len@entry=9, retval_ptr=retval_ptr@entry=0x7f8331cf8a10, param_count=1, arg1=0x7ffdf198ba80, arg2=0x0)

History

 [2019-09-06 21:49 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2019-09-06 21:49 UTC] nikic@php.net
This is an infinite recursion stack overflow. Your offsetGet() implementation uses $this[$key] ?? null, which will in turn call offsetGet().
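The pattern nikic describes, shown side by side with a corrected class, as an added example that is neither the reporter's gist nor php-src code. The class names, the backing array, the version strings and the exists() method are constructed for illustration; only the `$this[$key] ?? null` expression comes from the report. The faulty class carries a depth counter that throws after a few dozen re-entries so the recursion can be demonstrated without exhausting the C stack (PHP of that era imposes no recursion limit of its own, which is why the original run ended in SIGSEGV rather than a PHP error). The backtrace above matches this flow: the `??` on an ArrayAccess object performs an IS-mode dimension fetch, which calls offsetExists() and then offsetGet(), and offsetGet() starts the same fetch again.

```php
<?php
// Added example, not code from the bug report or from php-src.
// Names, data and exists() are constructed; the "$this[$key] ?? null"
// expression is the one nikic identifies as the cause.

// Faulty pattern from the report: offsetGet() indexes $this, which re-enters
// ArrayAccess (offsetExists(), then offsetGet()) without end.
final class RecursiveVersionCollection implements ArrayAccess
{
    private $versions = ['7.2' => '7.2.22', '7.3' => '7.3.9']; // constructed sample data
    public static $depth = 0; // added guard so the example terminates

    public function offsetExists($key): bool
    {
        return isset($this->versions[$key]);
    }

    #[\ReturnTypeWillChange] // parsed as a comment on PHP 7.x, silences the 8.1+ deprecation
    public function offsetGet($key)
    {
        if (++self::$depth > 50) {
            throw new RuntimeException('offsetGet() re-entered itself ' . self::$depth . ' times');
        }
        return $this[$key] ?? null; // BUG: "$this[...]" calls offsetExists()/offsetGet() again
    }

    public function offsetSet($key, $value): void { $this->versions[$key] = $value; }
    public function offsetUnset($key): void { unset($this->versions[$key]); }
}

// Corrected version: every ArrayAccess method reads or writes the backing
// array directly and never indexes $this.
final class VersionCollection implements ArrayAccess
{
    private $versions = ['7.2' => '7.2.22', '7.3' => '7.3.9']; // constructed sample data

    public function offsetExists($key): bool { return isset($this->versions[$key]); }

    #[\ReturnTypeWillChange]
    public function offsetGet($key) { return $this->versions[$key] ?? null; }

    public function offsetSet($key, $value): void { $this->versions[$key] = $value; }
    public function offsetUnset($key): void { unset($this->versions[$key]); }

    // Assumed shape of the reporter's exists(): a key-membership test.
    // isset($this[...]) only calls offsetExists(), so it cannot recurse.
    public function exists(string $version): bool
    {
        return isset($this[$version]);
    }
}

// The guarded faulty class: the counter trips instead of a segfault.
try {
    $bad = new RecursiveVersionCollection();
    var_dump($bad['7.2']);
} catch (RuntimeException $e) {
    echo 'recursion detected: ', $e->getMessage(), "\n";
}

// The corrected class behaves as the report expected.
$good = new VersionCollection();
var_dump($good->exists('7.2')); // bool(true)
var_dump($good['7.2']);         // string(6) "7.2.22"
var_dump($good->exists('5.6')); // bool(false)
```

Run it with any PHP from 7.1 onward; the first var_dump never prints because the guard throws on the 51st nested offsetGet() call, while the corrected collection returns bool(true) for the same lookup that crashed the reporter's build.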
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jul 03 12:01:33 2025 UTC