Bug #69868 Invalid read of size 1 in zend_compile_short_circuiting
Submitted: 2015-06-18 08:18 UTC Modified: 2015-06-18 09:08 UTC
From: arjen at react dot com Assigned: bwoebi
Status: Closed Package: Scripting Engine problem
PHP Version: 7.0Git-2015-06-18 (Git) OS:
Private report: No CVE-ID:
 [2015-06-18 08:18 UTC] arjen at react dot com
Description:
------------
Valgrind reports invalid read.

USE_ZEND_ALLOC=0 valgrind --tool=memcheck --smc-check=all --error-limit=no --num-callers=30 --track-origins=yes --num-callers=30 --leak-check=full php-src/sapi/cli/php shortcircuit.php

Caused by https://github.com/php/php-src/commit/3cfa58367b1b85d346d9be6cf9ae116c63571247

Test script:
---------------
<?php

class A
{
	public static function get(array $v, $r)
	{
		if (!isset($r))
			return array_shift($v);

		foreach ($r['allowed'] as $allowed)
		{
			if (in_array($allowed, $v))
				return $allowed;

			foreach ($v as $version)
				if (0 === strpos($version, $allowed .'.'))
					return $version;
		}


		foreach ($r['ranges'] as $range)
		{
			foreach ($v as $version)
			{
				if ($range['min'] != '' && version_compare($range['min'], $version, '>'))
					continue;

				if ($range['max'] != '' && version_compare($range['max'], $version, '<') && (0 !== strpos($version, $range['max'] .'.')))
					continue;

				if (in_array($version, $r['blocked']))
					continue;

				return $version;
			}
		}
	}
}


Expected result:
----------------
No invalid read.

Actual result:
--------------
==12725== Invalid read of size 1
==12725==    at 0x9261AA: zend_compile_short_circuiting (zend_compile.c:5914)
==12725==    by 0x929691: zend_compile_expr (zend_compile.c:7013)
==12725==    by 0x91FD69: zend_compile_if (zend_compile.c:3851)
==12725==    by 0x9291A2: zend_compile_stmt (zend_compile.c:6904)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9227DC: zend_compile_func_decl (zend_compile.c:4717)
==12725==    by 0x9291EB: zend_compile_stmt (zend_compile.c:6917)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9239A8: zend_compile_class_decl (zend_compile.c:5122)
==12725==    by 0x92922C: zend_compile_stmt (zend_compile.c:6929)
==12725==    by 0x928E8A: zend_compile_top_stmt (zend_compile.c:6839)
==12725==    by 0x928E6C: zend_compile_top_stmt (zend_compile.c:6834)
==12725==    by 0x8F13CF: compile_file (zend_language_scanner.l:607)
==12725==    by 0x7711D8: phar_compile_file (phar.c:3310)
==12725==    by 0x947185: zend_execute_scripts (zend.c:1383)
==12725==    by 0x8B88B0: php_execute_script (main.c:2475)
==12725==    by 0xA04906: do_cli (php_cli.c:967)
==12725==    by 0xA058CE: main (php_cli.c:1334)
==12725==  Address 0xc3eb2ff is 2,015 bytes inside a block of size 2,048 free'd
==12725==    at 0x4C2C29E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12725==    by 0x9146C3: _erealloc (zend_alloc.c:2233)
==12725==    by 0x932BA1: op_array_alloc_ops (zend_opcode.c:48)
==12725==    by 0x933EA0: get_next_op (zend_opcode.c:433)
==12725==    by 0x91CD1E: zend_compile_args (zend_compile.c:2761)
==12725==    by 0x91CF19: zend_compile_call_common (zend_compile.c:2821)
==12725==    by 0x91E36B: zend_compile_call (zend_compile.c:3220)
==12725==    by 0x929986: zend_compile_var (zend_compile.c:7100)
==12725==    by 0x9295A1: zend_compile_expr (zend_compile.c:6980)
==12725==    by 0x9258D7: zend_compile_binary_op (zend_compile.c:5728)
==12725==    by 0x929631: zend_compile_expr (zend_compile.c:6998)
==12725==    by 0x9260A9: zend_compile_short_circuiting (zend_compile.c:5897)
==12725==    by 0x929691: zend_compile_expr (zend_compile.c:7013)
==12725==    by 0x91FD69: zend_compile_if (zend_compile.c:3851)
==12725==    by 0x9291A2: zend_compile_stmt (zend_compile.c:6904)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9227DC: zend_compile_func_decl (zend_compile.c:4717)
==12725==    by 0x9291EB: zend_compile_stmt (zend_compile.c:6917)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9239A8: zend_compile_class_decl (zend_compile.c:5122)
==12725== 
==12725== Invalid read of size 4
==12725==    at 0x926231: zend_compile_short_circuiting (zend_compile.c:5914)
==12725==    by 0x929691: zend_compile_expr (zend_compile.c:7013)
==12725==    by 0x91FD69: zend_compile_if (zend_compile.c:3851)
==12725==    by 0x9291A2: zend_compile_stmt (zend_compile.c:6904)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9227DC: zend_compile_func_decl (zend_compile.c:4717)
==12725==    by 0x9291EB: zend_compile_stmt (zend_compile.c:6917)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9239A8: zend_compile_class_decl (zend_compile.c:5122)
==12725==    by 0x92922C: zend_compile_stmt (zend_compile.c:6929)
==12725==    by 0x928E8A: zend_compile_top_stmt (zend_compile.c:6839)
==12725==    by 0x928E6C: zend_compile_top_stmt (zend_compile.c:6834)
==12725==    by 0x8F13CF: compile_file (zend_language_scanner.l:607)
==12725==    by 0x7711D8: phar_compile_file (phar.c:3310)
==12725==    by 0x947185: zend_execute_scripts (zend.c:1383)
==12725==    by 0x8B88B0: php_execute_script (main.c:2475)
==12725==    by 0xA04906: do_cli (php_cli.c:967)
==12725==    by 0xA058CE: main (php_cli.c:1334)
==12725==  Address 0xc3eb2f0 is 2,000 bytes inside a block of size 2,048 free'd
==12725==    at 0x4C2C29E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12725==    by 0x9146C3: _erealloc (zend_alloc.c:2233)
==12725==    by 0x932BA1: op_array_alloc_ops (zend_opcode.c:48)
==12725==    by 0x933EA0: get_next_op (zend_opcode.c:433)
==12725==    by 0x91CD1E: zend_compile_args (zend_compile.c:2761)
==12725==    by 0x91CF19: zend_compile_call_common (zend_compile.c:2821)
==12725==    by 0x91E36B: zend_compile_call (zend_compile.c:3220)
==12725==    by 0x929986: zend_compile_var (zend_compile.c:7100)
==12725==    by 0x9295A1: zend_compile_expr (zend_compile.c:6980)
==12725==    by 0x9258D7: zend_compile_binary_op (zend_compile.c:5728)
==12725==    by 0x929631: zend_compile_expr (zend_compile.c:6998)
==12725==    by 0x9260A9: zend_compile_short_circuiting (zend_compile.c:5897)
==12725==    by 0x929691: zend_compile_expr (zend_compile.c:7013)
==12725==    by 0x91FD69: zend_compile_if (zend_compile.c:3851)
==12725==    by 0x9291A2: zend_compile_stmt (zend_compile.c:6904)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x91FC10: zend_compile_foreach (zend_compile.c:3817)
==12725==    by 0x929191: zend_compile_stmt (zend_compile.c:6901)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9227DC: zend_compile_func_decl (zend_compile.c:4717)
==12725==    by 0x9291EB: zend_compile_stmt (zend_compile.c:6917)
==12725==    by 0x920CD7: zend_compile_stmt_list (zend_compile.c:4199)
==12725==    by 0x9290B4: zend_compile_stmt (zend_compile.c:6861)
==12725==    by 0x9239A8: zend_compile_class_decl (zend_compile.c:5122)
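
Both Valgrind reports above describe the same hazard: get_next_op()/op_array_alloc_ops() realloc the opcode block (the "free'd" stack) while zend_compile_short_circuiting still holds a pointer into the old block and then reads through it (zend_compile.c:5914). The C model below is added here and is not php-src code; its names (op_array_t, emit, compile_rhs, short_circuit_held_pointer, short_circuit_by_index) are hypothetical, and it places the held-pointer pattern beside the index-based form that survives a move of the array.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a bytecode array that grows while compiling (not Zend's code). */
enum { OP_JMPZ = 1, OP_CALL = 2, OP_BOOL = 3 };
typedef struct { int opcode; uint32_t jmp_target; } op_t;
typedef struct { op_t *ops; uint32_t last, size; } op_array_t;

/* Like get_next_op()/op_array_alloc_ops(): appends a slot, growing the array when full.
 * Growth always moves the block (malloc+memcpy+free) so the hazard is reproducible;
 * realloc() may or may not move, which is why the bug only showed under Valgrind. */
static uint32_t emit(op_array_t *a, int opcode) {
    if (a->last == a->size) {
        uint32_t nsize = a->size ? a->size * 2 : 2;
        op_t *n = malloc(nsize * sizeof(op_t));
        if (a->ops) { memcpy(n, a->ops, a->last * sizeof(op_t)); free(a->ops); }
        a->ops = n; a->size = nsize;
    }
    a->ops[a->last].opcode = opcode;
    a->ops[a->last].jmp_target = 0;
    return a->last++;
}

/* Stand-in for compiling the right operand of `&&` (a function call in the report). */
static void compile_rhs(op_array_t *a, int n_ops) {
    for (int i = 0; i < n_ops; i++) emit(a, OP_CALL);
}

/* Pattern behind the report: a raw op_t* taken before the right operand is compiled.
 * Returns 1 when the held pointer became stale (checked via addresses saved as integers,
 * never by dereferencing the stale pointer). */
static int short_circuit_held_pointer(op_array_t *a, int n_rhs) {
    uint32_t i = emit(a, OP_JMPZ);
    uintptr_t held = (uintptr_t)&a->ops[i];   /* what a cached `opline` pointed at */
    compile_rhs(a, n_rhs);                     /* may free the block `held` is in */
    emit(a, OP_BOOL);
    /* A real `jmpz->jmp_target = a->last;` here is the use-after-free Valgrind flagged. */
    return held != (uintptr_t)&a->ops[i];
}

/* Hardened form: remember the opline *index* and re-derive the pointer after every emit. */
static uint32_t short_circuit_by_index(op_array_t *a, int n_rhs) {
    uint32_t jmpz = emit(a, OP_JMPZ);
    compile_rhs(a, n_rhs);
    emit(a, OP_BOOL);
    a->ops[jmpz].jmp_target = a->last;        /* fresh pointer into the current block */
    return a->ops[jmpz].jmp_target;
}
```

With the starting capacity of 2, a right operand of one opcode forces exactly one move, so the held pointer is stale by the time the jump target would be patched.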


 [2015-06-18 09:08 UTC] kalle@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: bwoebi
 [2015-06-18 09:08 UTC] kalle@php.net
Hi Bob, as you were the committer of the patch, could you give your input on this?
 [2015-06-18 09:51 UTC] arjen at react dot com
This also fails:

<?php

$a = ['test' => true];

if (isset($a['test']) && 0)
	echo "failure";
else
	echo "success";
 [2015-06-18 12:01 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c58c5e779a3ef32e8cf4c18890982403210abff3
Log: Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting)
 [2015-06-18 12:01 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c58c5e779a3ef32e8cf4c18890982403210abff3
Log: Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c58c5e779a3ef32e8cf4c18890982403210abff3
Log: Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Feb 19 11:01:37 2017 UTC