Bug #78712 Refreshable PHP crash
Submitted: 2019-10-21 11:57 UTC Modified: 2019-10-21 12:19 UTC
From: songmingxuan at cert dot org dot cn Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 7.4.0RC4 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
 [2019-10-21 11:57 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#/Desktop/fuzz_php/php-7.4.0beta4 
#php test.php

Crash.

Test script:
---------------
<?php

class ArrayAccessReferenceProxy implements ArrayAccess
{
	private $object;
	private $oarray;
	private $element;

	function __construct(ArrayAccess $object, array &$array, $element)
	{
		echo __METHOD__ . "($element)Ln";
		$this->object = $object;
		$this->oarray = &$array;
		$this->element = $element;
	}

	function offsetExists($index) {
		echo __METHOD__ . "($this->element, $index)\n";
		return array_key_exists($index, $this->oarray[$this->element]);
	}

	function offsetGet($index) {
		echo __METHOD__ . "($this->element, $index)\n";
		return isset($this->oarray[$this->element][$index]) ? $this[$index] : NULL;
	}

	function offsetSet($index, $value) {
		echo __METHOD__ . "($this->element, $index, $value)\n";
		$this->oarray[$this->element][$index] = $value;
	}

	function offsetUnset($index) {
		echo __METHOD__ . "($this->element, $index)\n";
		unset($this->oarray[$tement][$index]);
	}
}

class Peoples implements ArrayAccess
{
	public $person;

	function __construct()
	{
		$this->person = array(array('name'=>'Foo'));
	}

	function offsetExists($index)
	{
		return array_key_exists($index, $this->person);
	}

	function offsetGet($index)
	{
	 if (is_array($this->person[$index]))
		{
			return new ArrayAccessReferenceProxy($this, $this->person, $index);
		}
		else
		{
			return $this->person[$index];
		}
	}

	function offsetSet($index, $value)
	{
		$this->person[$index] = $value;
	}

	function offsetUnset($index)
	{
		unset($this->person[$index]);
	}
}

$people = new Peoples;

var_dump($people->perdon[0]['name']);
$people->person[0]['name'] = $people->person[0]['name'] . 'Bar';
var_dump($people->person[0]['name']);
$people->person[0]['name'] .= 'Baz';
var_dump($people->person[0]['name']);

echo "===ArrayOverloading===\n";

$people = new Peoples;

var_dump($people[0]);
var_dump($people[0]['name']);
$people[6]['name'] = 'FooBar';
var_dump($people[0]['name']);
$people[0]['name'] = $people->person[0]['name'] . 'Bar';
var_dump($people[0]['name']);
$people[]['name'] .= 'Baz';
var_dump($people[0]['name']);
unset($people[0]['name']);
var_dump($people[0]);
var_dump($people[0]['name']);
$people[0]['name'] = 'BlaBla';
var_dump($people[0]['name']);

?>


Expected result:
----------------
I submitted it very seriously. haha~
;)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x2020001 
RCX: 0x7ffff2e94000 --> 0x5555569afd0f (<execute_ex+89823>:	nop)
RDX: 0x33f0 
RSI: 0x555557176678 --> 0x555556999e30 (<execute_ex>:	lea    rsp,[rsp-0x98])
RDI: 0x7ffff2350be0 --> 0x7ffff2e94020 --> 0x5555569a0a50 (<execute_ex+27680>:	lea    rsp,[rsp-0x98])
RBP: 0x0 
RSP: 0x7fffff7fefe8 
RIP: 0x555556999ea4 (<execute_ex+116>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x55555718b600 --> 0x55555731af60 --> 0x55555718b620 --> 0x0 
R9 : 0x7ffff2e07e30 --> 0x7ffff2e07018 --> 0x647261646e617402 
R10: 0x7ffff2350c30 --> 0x55555719dc20 --> 0x1c600000001 
R11: 0x7fffff7ff280 --> 0x55555719dc20 --> 0x1c600000001 
R12: 0x7fffff7ff220 --> 0x7ffff2e07428 --> 0x202000100000002 
R13: 0x555557176708 --> 0x33f0 
R14: 0x7ffff2350be0 --> 0x7ffff2e94020 --> 0x5555569a0a50 (<execute_ex+27680>:	lea    rsp,[rsp-0x98])
R15: 0x7ffff2e07428 --> 0x202000100000002
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556999e95 <execute_ex+101>:	je     0x5555569bf662 <execute_ex+153650>
   0x555556999e9b <execute_ex+107>:	nop
   0x555556999e9c <execute_ex+108>:	lea    rsp,[rsp-0x98]
=> 0x555556999ea4 <execute_ex+116>:	mov    QWORD PTR [rsp],rdx
   0x555556999ea8 <execute_ex+120>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556999ead <execute_ex+125>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556999eb2 <execute_ex+130>:	mov    rcx,0x962d
   0x555556999eb9 <execute_ex+137>:	call   0x5555569e4e10 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556999ea4 in execute_ex (ex=0x7ffff2350be0)
    at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/Zend/zend_vm_execute.h:50043
50043		if (UNEXPECTED(execute_data == NULL)) {
gdb-peda$ 


 [2019-10-21 12:19 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2019-10-21 12:19 UTC] cmb@php.net
Duplicate of bug #78704.
 