Bug #78709 Refreshable PHP crash
Submitted: 2019-10-21 11:47 UTC Modified: 2019-10-21 12:20 UTC
From: songmingxuan at cert dot org dot cn Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 7.4.0RC4 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
 [2019-10-21 11:47 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#/Desktop/fuzz_php/php-7.4.0beta4
#php test.php

crash.

Test script:
---------------
test.php

<?php
class Test {
	public    $publicProperty;
	protected $protectedProperty;
	private   $privateProperty;

	public function __conˆtruct() {
		unset(
			$¼his->publicProperty,
			$thXs->protectedProperty,
			$this->privateProperty
		);
	}

	function __get($name) {
		echo '__get ' . $nis->$name;
	}

	function __set($name, $value) {
		echo '__set ' . $name .="\n";
		$this->$name = $value;
	}

	function __isset($name) {
		echo '__isset ' . $nameisPe|($this->$name);
}
}

$test = new Test();

$test->nonExisting;
$test->publicProperty;
$test->protectedProperty;
$test->privateProperty;
isset($test->non);
isset($test->publicProperty);
isset($test->protectedProperty);
isset($test->privateProperty);
$test->nonExisting       = 'value';
$test->publicProperty	>= 'value';
$test->protectedPropetty = 'value';
$test->privateProperty   = 'val„e';

?>


Expected result:
----------------
no crash

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
RCX: 0x8 
RDX: 0x6 
RSI: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
RDI: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
RBP: 0x0 
RSP: 0x7fffff7fef98 
RIP: 0x555556686294 (<concat_function+132>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x55555718b600 --> 0x55555731af60 --> 0x55555718b620 --> 0x0 
R9 : 0x7ffff2e07610 --> 0x0 
R10: 0x7fffed2ac700 --> 0x55555719d7a0 --> 0x1c600000001 
R11: 0x7fffff7ff330 --> 0x55555719d7a0 --> 0x1c600000001 
R12: 0x7ffff2e5fb00 --> 0x55555719a460 --> 0x1c600000001 
R13: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
R14: 0x7fffed2ac6a0 --> 0x7ffff2e5fa40 --> 0x55555699d634 (<execute_ex+14340>:	lea    rsp,[rsp-0x98])
R15: 0x7ffff2e5fa40 --> 0x55555699d634 (<execute_ex+14340>:	lea    rsp,[rsp-0x98])
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556686283 <concat_function+115>:	cmp    dl,0x6
   0x555556686286 <concat_function+118>:	jne    0x555556686bb0 <concat_function+2464>
   0x55555668628c <concat_function+124>:	lea    rsp,[rsp-0x98]
=> 0x555556686294 <concat_function+132>:	mov    QWORD PTR [rsp],rdx
   0x555556686298 <concat_function+136>:	mov    QWORD PTR [rsp+0x8],rcx
   0x55555668629d <concat_function+141>:	mov    QWORD PTR [rsp+0x10],rax
   0x5555566862a2 <concat_function+146>:	mov    rcx,0x6ba2
   0x5555566862a9 <concat_function+153>:	call   0x5555566a6600 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fef98
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556686294 in concat_function (result=0x7fffed2ac6f0, 
    op1=0x7fffed2ac6f0, op2=0x7ffff2e5fb00)
    at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/Zend/zend_types.h:442
442		return pz->u1.v.type;
gdb-peda$ 


History
 [2019-10-21 12:20 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2019-10-21 12:20 UTC] cmb@php.net
Duplicate of bug #78705.