Bug #79793 Use after free if string used in undefined index warning is changed
Submitted: 2020-07-04 18:52 UTC Modified: 2020-07-07 14:12 UTC
From: changochen1 at gmail dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 8.0Git-2020-07-04 (Git) OS:
Private report: No CVE-ID: None
 [2020-07-04 18:52 UTC] changochen1 at gmail dot com
Description:
------------
LOG:
---
php: /home/yongheng/php_clean/Zend/zend_types.h:1162: uint32_t zend_gc_delref(zend_refcounted_h *): Assertion `p->refcount > 0' failed.
---

Test script:
---------------
<?php
// Outer output handler: each time the buffer (chunk size 20) flushes,
// the flushed chunk is appended to $c, which reallocates that string.
ob_start(
    function ($a) use (&$c) {
        $c .= $a;
    }
, 20);
// Fuzzer-generated loop: $d[$c]++ uses $c as the array key; the warnings it
// raises are written to the output buffer, which runs the handler above while
// the engine still holds its pointer to $c. The inner handler body is noise.
for (;;
ob_start(
    function () {
        b;
    }
, $d[$c]++))
    var_dump(get_declared_classes());
History

 [2020-07-07 14:12 UTC] nikic@php.net
-Summary: Assertion `p->refcount > 0' failed. +Summary: Use after free if string used in undefined index warning is changed -Status: Open +Status: Verified
 [2020-07-07 14:12 UTC] nikic@php.net
Reduced:

<?php
$key = "foo";
// The handler runs while the "Undefined array key" warning is being raised
// and reallocates $key in place (it is the only owner of the string).
set_error_handler(function () use (&$key) {
    $key .= "bar";
});
// The engine fetched the pointer to $key before the warning and still uses
// it for the hash insert afterwards.
$ary[$key]++;

Valgrind:

==1215619== Invalid read of size 4
==1215619==    at 0x9D8AF8: _zend_hash_add_or_update_i (zend_hash.c:736)
==1215619==    by 0x9D93A2: zend_hash_add_new (zend_hash.c:911)
==1215619==    by 0x9F3AEE: zend_fetch_dimension_address_inner (zend_execute.c:2136)
==1215619==    by 0x9F3DA3: zend_fetch_dimension_address (zend_execute.c:2197)
==1215619==    by 0x9F4471: zend_fetch_dimension_address_RW (zend_execute.c:2306)
==1215619==    by 0xA60543: ZEND_FETCH_DIM_RW_SPEC_CV_CV_HANDLER (zend_vm_execute.h:46151)
==1215619==    by 0xA69ED1: execute_ex (zend_vm_execute.h:55890)
==1215619==    by 0xA6A297: zend_execute (zend_vm_execute.h:56094)
==1215619==    by 0x9C442A: zend_execute_scripts (zend.c:1667)
==1215619==    by 0x92BF71: php_execute_script (main.c:2537)
==1215619==    by 0xAA9230: do_cli (php_cli.c:955)
==1215619==    by 0xAAA328: main (php_cli.c:1353)
==1215619==  Address 0x8ebe454 is 4 bytes inside a block of size 32 free'd
==1215619==    at 0x483DFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1215619==    by 0x98B8F2: __zend_realloc (zend_alloc.c:3011)
==1215619==    by 0x98A77F: _realloc_custom (zend_alloc.c:2435)
==1215619==    by 0x98A8DB: _erealloc (zend_alloc.c:2557)
==1215619==    by 0x9B3B4F: zend_string_extend (zend_string.h:224)
==1215619==    by 0x9BAE64: concat_function (zend_operators.c:1876)
==1215619==    by 0x9F1330: zend_binary_op (zend_execute.c:1293)
==1215619==    by 0xA4CE04: ZEND_ASSIGN_OP_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:37663)
==1215619==    by 0xA692F1: execute_ex (zend_vm_execute.h:55282)
==1215619==    by 0x9ACB1D: zend_call_function (zend_execute_API.c:785)
==1215619==    by 0x9AC36A: _call_user_function_ex (zend_execute_API.c:633)
==1215619==    by 0x9C32A0: zend_error_impl (zend.c:1365)
==1215619==    by 0x9C352E: zend_error_va_list (zend.c:1413)
==1215619==    by 0x9C3929: zend_error (zend.c:1485)
==1215619==    by 0x9F3219: zend_undefined_index (zend_execute.c:1909)
==1215619==    by 0x9F32F0: zend_undefined_index_write (zend_execute.c:1937)
==1215619==    by 0x9F3ABC: zend_fetch_dimension_address_inner (zend_execute.c:2131)
==1215619==    by 0x9F3DA3: zend_fetch_dimension_address (zend_execute.c:2197)
==1215619==    by 0x9F4471: zend_fetch_dimension_address_RW (zend_execute.c:2306)
==1215619==    by 0xA60543: ZEND_FETCH_DIM_RW_SPEC_CV_CV_HANDLER (zend_vm_execute.h:46151)
==1215619==    by 0xA69ED1: execute_ex (zend_vm_execute.h:55890)
==1215619==    by 0xA6A297: zend_execute (zend_vm_execute.h:56094)
==1215619==    by 0x9C442A: zend_execute_scripts (zend.c:1667)
==1215619==    by 0x92BF71: php_execute_script (main.c:2537)
==1215619==    by 0xAA9230: do_cli (php_cli.c:955)
==1215619==    by 0xAAA328: main (php_cli.c:1353)
==1215619==  Block was alloc'd at
==1215619==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1215619==    by 0x98B83F: __zend_malloc (zend_alloc.c:2992)
==1215619==    by 0x98A689: _malloc_custom (zend_alloc.c:2417)
==1215619==    by 0x98A7D3: _emalloc (zend_alloc.c:2536)
==1215619==    by 0x9B39A9: zend_string_alloc (zend_string.h:141)
==1215619==    by 0x9BAE7E: concat_function (zend_operators.c:1878)
==1215619==    by 0x9F1330: zend_binary_op (zend_execute.c:1293)
==1215619==    by 0xA4CE04: ZEND_ASSIGN_OP_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:37663)
==1215619==    by 0xA692F1: execute_ex (zend_vm_execute.h:55282)
==1215619==    by 0x9ACB1D: zend_call_function (zend_execute_API.c:785)
==1215619==    by 0x9AC36A: _call_user_function_ex (zend_execute_API.c:633)
==1215619==    by 0x9C32A0: zend_error_impl (zend.c:1365)
==1215619==    by 0x9C352E: zend_error_va_list (zend.c:1413)
==1215619==    by 0x9C3929: zend_error (zend.c:1485)
==1215619==    by 0x9EEC29: zval_undefined_cv (zend_execute.c:269)
==1215619==    by 0x9EEC4A: _zval_undefined_op1 (zend_execute.c:276)
==1215619==    by 0x9F4322: zend_fetch_dimension_address (zend_execute.c:2272)
==1215619==    by 0x9F4471: zend_fetch_dimension_address_RW (zend_execute.c:2306)
==1215619==    by 0xA60543: ZEND_FETCH_DIM_RW_SPEC_CV_CV_HANDLER (zend_vm_execute.h:46151)
==1215619==    by 0xA69ED1: execute_ex (zend_vm_execute.h:55890)
==1215619==    by 0xA6A297: zend_execute (zend_vm_execute.h:56094)
==1215619==    by 0x9C442A: zend_execute_scripts (zend.c:1667)
==1215619==    by 0x92BF71: php_execute_script (main.c:2537)
==1215619==    by 0xAA9230: do_cli (php_cli.c:955)
==1215619==    by 0xAAA328: main (php_cli.c:1353)
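The ordering both the fuzzer script and the reduced script exercise, modelled in C as an added example. This is not PHP's code: `rstr` is a toy stand-in for `zend_string` (header and bytes in one allocation, so an in-place extension moves the whole object), `php_vars`, `error_handler`, `fetch_dim_rw_vulnerable`, `fetch_dim_rw_fixed` and the freed-block table are names chosen for this example, and `fetch_dim_rw_fixed` shows one defensive ordering (pin the key with an extra reference across the user callback) as an assumption, not as a reproduction of the upstream commit referenced below. The freed-block table plays the role Valgrind plays in the trace: it lets the harness ask whether a pointer is dangling without dereferencing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for zend_string: refcount header and bytes in ONE block,
 * so growing it in place with realloc() moves the whole object. */
typedef struct {
    uint32_t refcount;
    size_t   len;
    char     val[];
} rstr;

/* Blocks handed to free()/realloc(); lets the harness test for a dangling
 * pointer instead of reading freed memory (the role Valgrind plays above). */
#define MAX_FREED 16
static const void *freed_blocks[MAX_FREED];
static int nfreed;

static void note_freed(const void *p) {
    if (nfreed < MAX_FREED) freed_blocks[nfreed++] = p;
}

static int was_freed(const void *p) {
    for (int i = 0; i < nfreed; i++)
        if (freed_blocks[i] == p) return 1;
    return 0;
}

static rstr *rstr_alloc(size_t len) {
    rstr *r = malloc(sizeof *r + len + 1);
    if (!r) abort();
    r->refcount = 1;
    r->len = len;
    r->val[len] = '\0';
    return r;
}

static rstr *rstr_new(const char *s) {
    rstr *r = rstr_alloc(strlen(s));
    memcpy(r->val, s, r->len);
    return r;
}

static void rstr_addref(rstr *r) { r->refcount++; }

static void rstr_release(rstr *r) {
    if (--r->refcount == 0) { note_freed(r); free(r); }
}

/* Models concat_function / zend_string_extend from the trace: a uniquely
 * owned string is grown with realloc(), which invalidates the old block even
 * when it returns the same address; a shared string is separated instead. */
static rstr *rstr_concat(rstr *r, const char *tail) {
    size_t old_len = r->len, tail_len = strlen(tail);
    size_t new_len = old_len + tail_len;
    if (r->refcount == 1) {
        note_freed(r);
        r = realloc(r, sizeof *r + new_len + 1);
        if (!r) abort();
    } else {
        rstr *n = rstr_alloc(new_len);
        memcpy(n->val, r->val, old_len);
        r->refcount--;               /* the variable drops its share of the original */
        r = n;
    }
    memcpy(r->val + old_len, tail, tail_len + 1);
    r->len = new_len;
    return r;
}

typedef struct { rstr *key; } php_vars;   /* the script's $key */

/* The user error handler from the reduced script: $key .= "bar". */
static void error_handler(php_vars *vars) {
    vars->key = rstr_concat(vars->key, "bar");
}

/* Buggy ordering from the trace: fetch the key pointer, raise the warning
 * (which runs user code), then insert with the stale pointer. Returns -1
 * where zend_hash_add_new would read freed memory, else the key length. */
static int fetch_dim_rw_vulnerable(php_vars *vars) {
    rstr *offset_key = vars->key;
    error_handler(vars);                  /* zend_undefined_index_write */
    if (was_freed(offset_key)) return -1;
    return (int)offset_key->len;          /* zend_hash_add_new(ht, offset_key, ...) */
}

/* Defensive ordering (assumed here, not a quote of the upstream fix): hold an
 * extra reference for the duration of the callback, so a concat in user code
 * must separate the string instead of reallocating the block we point at. */
static int fetch_dim_rw_fixed(php_vars *vars) {
    rstr *offset_key = vars->key;
    rstr_addref(offset_key);
    error_handler(vars);
    int result = was_freed(offset_key) ? -1 : (int)offset_key->len;
    rstr_release(offset_key);             /* drop the pin once the insert is done */
    return result;
}

/* Run one variant on a fresh $key = "foo" and return its result. */
static int run_scenario(int (*fetch)(php_vars *)) {
    nfreed = 0;
    php_vars vars = { rstr_new("foo") };
    int result = fetch(&vars);
    rstr_release(vars.key);
    return result;
}

int main(void) {
    printf("vulnerable: %d (expected -1: key block freed by realloc)\n",
           run_scenario(fetch_dim_rw_vulnerable));
    printf("fixed:      %d (expected 3: pinned key \"foo\" still valid)\n",
           run_scenario(fetch_dim_rw_fixed));
    return 0;
}
```

The point the model makes is the one the Valgrind output makes: the block is not freed by `free()` but by `realloc()` inside `zend_string_extend`, so a refcount of 1 on the key at the moment user code runs is the whole problem; raising it to 2 for the span of the callback forces copy-on-write and leaves the engine's pointer valid.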
 [2020-07-07 14:33 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=77acc8a069acbdd0e4ab0ac43f7d676a23e413a1
Log: Fixed bug #79793
 [2020-07-07 14:33 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Apr 03 07:01:30 2025 UTC