Bug #79214 Seg fault in php_var_export_ex
Submitted: 2020-02-03 02:20 UTC Modified: 2020-02-07 22:38 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: changochen1 at gmail dot com Assigned:
Status: Verified Package: Scripting Engine problem
PHP Version: master-Git-2020-02-03 (Git) OS: ALL
Private report: No CVE-ID: None
 [2020-02-03 02:20 UTC] changochen1 at gmail dot com
Description:
------------
The following PoC causes a seg fault in php_var_export_ex (run with `php -f poc.php`).

Stack dump:
---
==248221==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000bc961e bp 0x7fffeef12990 sp 0x7fffeef11d80 T0)
    #0 0xbc961d in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc961d)
    #1 0xbc5658 in php_array_element_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc5658)
    #2 0xbca1be in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbca1be)
    #3 0xbc5658 in php_array_element_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc5658)
    #4 0xbca1be in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbca1be)
    #5 0xbcd1a6 in zif_var_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbcd1a6)
    #6 0x123c2d1 in execute_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x123c2d1)
    #7 0xdf5a2f in zend_call_function (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xdf5a2f)
    #8 0xe6de12 in zend_fcall_info_call (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe6de12)
    #9 0xce8f9b in php_output_handler_op (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xce8f9b)
    #10 0xcea7df in php_output_stack_pop (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xcea7df)
    #11 0xce426e in php_output_end_all (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xce426e)
    #12 0xca8df5 in php_request_shutdown (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xca8df5)
    #13 0x1281d33 in do_cli (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1281d33)
    #14 0x1282acb in main (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1282acb)
    #15 0x7f9d7b3e782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x428a78 in _start (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x428a78)
---

Test script:
---------------
<?                                for (   $GLOBALS =  $a      ;
                                  ;
                                                             (  $b   .  set_error_handler ( function () {                           for (  $GLOBALS [] =  $c  ;                           $d < 10 ;                           $d ++ )      list ( $a [] ,   $a  [ $e  ]  ) = array ()   ;                                       }
                               )  )  [ ob_start ( function () {                           $a [ $d ] <  var_export ( $GLOBALS [] = & $GLOBALS ,  list ( var_dump ( [] ) [ var_export ( $GLOBALS [] = $GLOBALS ,  $f  ) ]    ) = array () [ $$g ]  )   ;                            }
                               ) ]                                              ) ;


 [2020-02-07 22:34 UTC] googleguy@php.net
-Status: Open +Status: Feedback
 [2020-02-07 22:34 UTC] googleguy@php.net
All that code does is produce undefined variable warnings. I cannot reproduce your segfault. Please provide a debug backtrace along with this bug report. See https://bugs.php.net/bugs-generating-backtrace.php for details.
 [2020-02-07 22:38 UTC] nikic@php.net
-Status: Feedback +Status: Verified
 [2020-02-07 22:38 UTC] nikic@php.net
@googleguy: You need to either use an asan build, or run test cases through valgrind. I can reproduce valgrind warnings from a quick check.
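
One way to triage a sanitizer report like the one quoted in this bug, as an added example that is not part of the original report or of php-src: it parses the ASan header and frames, flags a fault on the zero page, and builds a dedup bucket that ignores how deep the `php_var_export_ex` / `php_array_element_export` recursion went. The `triage` function, its `null_page` and `depth` parameters, and the bucket scheme are assumptions made for illustration.

```python
import hashlib
import re

# Header and frames #0-#5 of the ASan report quoted in this bug report.
REPORT = """\
==248221==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000bc961e bp 0x7fffeef12990 sp 0x7fffeef11d80 T0)
    #0 0xbc961d in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc961d)
    #1 0xbc5658 in php_array_element_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc5658)
    #2 0xbca1be in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbca1be)
    #3 0xbc5658 in php_array_element_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc5658)
    #4 0xbca1be in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbca1be)
    #5 0xbcd1a6 in zif_var_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbcd1a6)
"""

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)")
FRAME = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (\S+) \((.+)\+(0x[0-9a-f]+)\)$", re.M)


def triage(report, null_page=0x1000, depth=3):
    """Summarise an ASan SEGV report: fault class, crashing frame, dedup bucket."""
    head = HEADER.search(report)
    funcs = [m.group(3) for m in FRAME.finditer(report)]
    if head is None or not funcs:
        raise ValueError("not an AddressSanitizer SEGV report with symbolised frames")
    fault = int(head.group(2), 16)
    # Keep each function once, in first-seen order, so the same bug reached
    # through a deeper or shallower recursion lands in the same bucket.
    unique = list(dict.fromkeys(funcs))
    key = head.group(1) + "|" + "|".join(unique[:depth])
    return {
        "signal": head.group(1),
        "fault_addr": fault,
        "near_null": fault < null_page,  # access on the zero page
        "crash_func": funcs[0],
        "recursive": sorted({f for f in funcs if funcs.count(f) > 1}),
        "bucket": hashlib.sha256(key.encode()).hexdigest()[:16],
    }


if __name__ == "__main__":
    print(triage(REPORT))
```

The bucket is built from function names only, so it stays stable across rebuilds that shift the `php+0x...` offsets.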
Last updated: Fri May 09 13:01:28 2025 UTC