[2016-09-27 12:08 UTC] ajf@php.net
[2016-09-27 17:38 UTC] nikic@php.net
-Assigned To:
+Assigned To: nikic
[2016-09-27 17:49 UTC] nikic@php.net
[2016-09-27 17:49 UTC] nikic@php.net
-Status: Assigned
+Status: Closed
[2016-10-17 10:07 UTC] bwoebi@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Mon Oct 27 19:00:02 2025 UTC
Description:
------------
Calling parse_str() without a second argument can create variables with numeric names in the current scope. zend_symtable_clean() didn't plan for this, and it considers that all elements in the scope's hashtable have a string key. This causes a crash when zend_symtable_clean() tries to release keys:

    zend_string_release(p->key);

p->key is NULL, and zend_string_release() tries to access memory at address 0x5.

I can reproduce with all versions of PHP since 7.0: https://3v4l.org/3lNAH

The extract() function seems to avoid this by not extracting numerically-named variables.

Test script:
---------------
<?php
function x() {
    parse_str("1&x");
}
x();

Expected result:
----------------
No crash

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000000009f8adb in zend_string_release (s=0x0) at /opt/php-7.0.11/Zend/zend_string.h:269
269	    if (!ZSTR_IS_INTERNED(s)) {
(gdb) bt
#0  0x00000000009f8adb in zend_string_release (s=0x0) at /opt/php-7.0.11/Zend/zend_string.h:269
#1  0x00000000009fd33b in zend_symtable_clean (ht=0x3695be0) at /opt/php-7.0.11/Zend/zend_hash.c:1450
#2  0x0000000000a41d65 in zend_clean_and_cache_symbol_table (symbol_table=0x3695be0) at /opt/php-7.0.11/Zend/zend_execute.c:2055
#3  0x0000000000a43594 in zend_leave_helper_SPEC () at /opt/php-7.0.11/Zend/zend_vm_execute.h:472
#4  0x0000000000a4a619 in ZEND_RETURN_SPEC_CONST_HANDLER () at /opt/php-7.0.11/Zend/zend_vm_execute.h:3100
#5  0x0000000000a43412 in execute_ex (ex=0x7ffff7f26a50) at /opt/php-7.0.11/Zend/zend_vm_execute.h:414
#6  0x00000000009d0ff7 in zend_call_function (fci=0x7fffffffaa70, fci_cache=0x7fffffffaa40) at /opt/php-7.0.11/Zend/zend_execute_API.c:866
#7  0x0000000000853722 in zif_call_user_func_array (execute_data=0x7ffff7f269d0, return_value=0x7ffff7f26950) at /opt/php-7.0.11/ext/standard/basic_functions.c:4815
#8  0x0000000000a43f93 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER () at /opt/php-7.0.11/Zend/zend_vm_execute.h:714
#9  0x0000000000a43412 in execute_ex (ex=0x7ffff7f24040) at /opt/php-7.0.11/Zend/zend_vm_execute.h:414
#10 0x0000000000a43527 in zend_execute (op_array=0x15e18a0, return_value=0x0) at /opt/php-7.0.11/Zend/zend_vm_execute.h:458
#11 0x00000000009e8733 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /opt/php-7.0.11/Zend/zend.c:1427
#12 0x000000000095ae0b in php_execute_script (primary_file=0x7fffffffe200) at /opt/php-7.0.11/main/main.c:2494
#13 0x0000000000aa83e5 in do_cli (argc=12, argv=0x13f9ca0) at /opt/php-7.0.11/sapi/cli/php_cli.c:974
#14 0x0000000000aa9389 in main (argc=12, argv=0x13f9ca0) at /opt/php-7.0.11/sapi/cli/php_cli.c:1344
(gdb) frame 1
#1  0x00000000009fd33b in zend_symtable_clean (ht=0x3695be0) at /opt/php-7.0.11/Zend/zend_hash.c:1450
1450	    zend_string_release(p->key);
(gdb)
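The mechanism behind the crash, as an added illustration in C that is not PHP's own source and not the fix that was applied to the engine: parse_str() with no result array registers each query name into the caller's symbol table with zend_symtable semantics, so a name like "1" is stored as an integer key, which in a PHP 7 Bucket means `key == NULL` and the integer in `h`. zend_symtable_clean() then calls `zend_string_release(p->key)` on every bucket, and for the integer-keyed one that dereferences NULL (the fault at address 0x5 in the backtrace is the flags byte of the zend_string header read through a NULL pointer). The model below is constructed: `bucket_t`/`symtable_t` are simplified stand-ins for the engine's structures, `numeric_key()` approximates ZEND_HANDLE_NUMERIC_STR (non-negative decimal, no leading zeros), and the `key != NULL` guard in `symtable_clean()` is the check the backtrace implies was missing, written here as an assumption about the correct shape rather than as the project's actual patch.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a PHP 7 Bucket: an integer-keyed entry keeps its
 * integer in h and has key == NULL; a string-keyed entry has key != NULL
 * (char* stands in for zend_string*, free() for zend_string_release()). */
typedef struct { char *key; unsigned long h; bool used; } bucket_t;

#define TABLE_SIZE 16
typedef struct { bucket_t buckets[TABLE_SIZE]; size_t n; } symtable_t;

/* Simplified ZEND_HANDLE_NUMERIC_STR (assumption): a non-negative decimal
 * string with no leading zeros becomes an integer key. The engine's rule
 * also accepts a leading '-' and checks the exact zend_long range. */
static bool numeric_key(const char *s, unsigned long *out)
{
    size_t len = strlen(s);
    if (len == 0 || len > 18) return false;
    if (s[0] == '0' && len > 1) return false;          /* "01" stays a string */
    for (size_t i = 0; i < len; i++)
        if (s[i] < '0' || s[i] > '9') return false;
    *out = strtoul(s, NULL, 10);
    return true;
}

static bool is_integer_name(const char *s) { unsigned long h; return numeric_key(s, &h); }

/* Insert with zend_symtable_update() semantics, which is how parse_str()
 * registers variables in the caller's scope when no result array is given. */
static int symtable_add(symtable_t *t, const char *name)
{
    if (t->n >= TABLE_SIZE) return -1;
    bucket_t *b = &t->buckets[t->n];
    unsigned long h;
    if (numeric_key(name, &h)) {
        b->key = NULL; b->h = h;                    /* integer key: no string */
    } else {
        size_t len = strlen(name) + 1;
        b->key = malloc(len);
        if (!b->key) return -1;
        memcpy(b->key, name, len); b->h = 0;
    }
    b->used = true; t->n++;
    return 0;
}

/* Cleanup in the shape of zend_symtable_clean(), but guarded: an integer-keyed
 * bucket has no string to release, so the release must be skipped for it.
 * Returns the number of string keys freed. */
static size_t symtable_clean(symtable_t *t)
{
    size_t released = 0;
    for (size_t i = 0; i < t->n; i++) {
        bucket_t *b = &t->buckets[i];
        if (!b->used) continue;
        if (b->key != NULL) {      /* the check the backtrace shows was missing */
            free(b->key); b->key = NULL; released++;
        }
        b->used = false;
    }
    t->n = 0;
    return released;
}

typedef struct { size_t integer_keys; size_t released; } repro_t;

/* Register "a&b=1"-style names like parse_str() does, count the entries that
 * violate the all-string-keys assumption, then run the guarded cleanup. */
static repro_t repro(const char *query)
{
    symtable_t t = {0};
    char buf[256];
    strncpy(buf, query, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, "&"); tok; tok = strtok(NULL, "&")) {
        char *eq = strchr(tok, '=');
        if (eq) *eq = '\0';                         /* only the name matters here */
        symtable_add(&t, tok);
    }
    repro_t r = { 0, 0 };
    for (size_t i = 0; i < t.n; i++)
        if (t.buckets[i].used && t.buckets[i].key == NULL) r.integer_keys++;
    r.released = symtable_clean(&t);
    return r;
}
```

`repro("1&x")` reports one integer-keyed entry and one released string key, which is exactly the bucket mix that the unguarded release in the report trips over. At the application level the way to stay clear of this path entirely is to pass the result array as parse_str()'s second argument: nothing is then written into the local scope, and a numeric name simply becomes an integer key of that array.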