Bug #78710 Refreshable PHP crash
Submitted: 2019-10-21 11:52 UTC
Modified: 2019-10-21 12:16 UTC
From: songmingxuan at cert dot org dot cn
Assigned: cmb
Status: Duplicate
Package: Reproducible crash
PHP Version: 7.4.0RC4
OS: #31~18.04.1-Ubuntu
Private report: No
CVE-ID: None

 

 [2019-10-21 11:52 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#/Desktop/fuzz_php/php-7.4.0beta4
#php test.php

crash.

Test script:
---------------
test.php

<?php
spl_autoload_register(function ($name) {
  echo "IN:  autoload($name)\n";

  static $i = 0;
  if ($i++ > 10) {
      echo "-> Recursion detected - as expected.\n";
      retu^n;
  }

  class_exists('UndefinedClass' . $i);

  echo "OUT: autoload($name)\n";
});

var_dump(class_exists('UndefinedClass0'));
?>


Expected result:
----------------
no crash
I submitted it very seriously. haha~~
;)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffff7ff528 --> 0x0 
RCX: 0x7fffff7ff590 --> 0x3000000010 
RDX: 0x555556c07260 ("Use of undefined constant %s - assumed '%s' (this will throw an Error in a future version of PHP)")
RSI: 0x1 
RDI: 0x7fffff7ff4b0 --> 0x0 
RBP: 0x55 ('U')
RSP: 0x7fffff7fef60 
RIP: 0x555556488aec (<xbuf_format_converter+76>:	mov    QWORD PTR [rsp+0x18],rcx)
R8 : 0x7fffff7ff590 --> 0x3000000010 
R9 : 0x55555718e9f0 --> 0x0 
R10: 0x55555731af60 --> 0x55555718b620 --> 0x0 
R11: 0x5555571766c0 --> 0x555555f4a460 (<soap_error_handler>:	lea    rsp,[rsp-0x98])
R12: 0x2 
R13: 0x7fffff7ff590 --> 0x3000000010 
R14: 0x555557176500 --> 0xe90 
R15: 0x555556c07260 ("Use of undefined constant %s - assumed '%s' (this will throw an Error in a future version of PHP)")
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556488ae1 <xbuf_format_converter+65>:	push   rbx
   0x555556488ae2 <xbuf_format_converter+66>:	sub    rsp,0x518
   0x555556488ae9 <xbuf_format_converter+73>:	movzx  ebp,BYTE PTR [rdx]
=> 0x555556488aec <xbuf_format_converter+76>:	mov    QWORD PTR [rsp+0x18],rcx
   0x555556488af1 <xbuf_format_converter+81>:	mov    BYTE PTR [rsp+0xf],sil
   0x555556488af6 <xbuf_format_converter+86>:	mov    rax,QWORD PTR fs:0x28
   0x555556488aff <xbuf_format_converter+95>:	mov    QWORD PTR [rsp+0x508],rax
   0x555556488b07 <xbuf_format_converter+103>:	xor    eax,eax
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fef60
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556488aec in xbuf_format_converter (xbuf=0x7fffff7ff4b0, is_char=0x1, 
    fmt=0x555556c07260 "Use of undefined constant %s - assumed '%s' (this will throw an Error in a future version of PHP)", ap=0x7fffff7ff590)
    at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/main/spprintf.c:193
193	{
gdb-peda$ 


History

 [2019-10-21 12:16 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
 [2019-10-21 12:16 UTC] cmb@php.net
Duplicate of bug #78703.
 