Bug #70183 null pointer deref (segfault) in zend_eval_const_expr
Submitted: 2015-08-02 09:32 UTC Modified: 2015-08-02 20:31 UTC
From: hugh at allthethings dot co dot nz Assigned: ab (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-08-02 (Git) OS: Linux
Private report: No CVE-ID: None

 [2015-08-02 09:32 UTC] hugh at allthethings dot co dot nz
Found this using afl-fuzz, see

To reproduce, compile PHP normally, then run ./sapi/cli/php with the test script
<?php [[][]] ?>
You should get a segfault.

Bisected this back to commit 52e9a772a33fe3fac17f99257c3c5cc767801f66 which is to do with bug #69832.

The test case required an array construct with two array constructs in it. This created a ZEND_AST_DIM with only one child, the other being NULL. This caused a null pointer dereference when checking that child.

I've created a patch that checks the children before dereferencing them.

Test script:
<?php [[][]] ?>

Expected result:
Fatal error: Cannot use [] for reading in /root/php-crash-tmin3 on line 1

Actual result:
(gdb) bt
#0  0x00000000005b4b36 in zend_eval_const_expr (ast_ptr=ast_ptr@entry=0x7ffff7074098) at /root/php-src/Zend/zend_compile.c:7377
#1  0x00000000005b50a4 in zend_try_ct_eval_array (result=0x7fffffffaf68, ast=0x7ffff70740a8) at /root/php-src/Zend/zend_compile.c:5793
#2  0x00000000005bbd35 in zend_compile_array (result=0x7fffffffaf60, ast=0x7ffff70740a8) at /root/php-src/Zend/zend_compile.c:6435
#3  0x00000000005b66df in zend_compile_expr (result=result@entry=0x7fffffffaf60, ast=ast@entry=0x7ffff70740a8) at /root/php-src/Zend/zend_compile.c:7180
#4  0x00000000005be02f in zend_compile_stmt (ast=ast@entry=0x7ffff70740a8) at /root/php-src/Zend/zend_compile.c:7068
#5  0x00000000005c0f95 in zend_compile_top_stmt (ast=0x7ffff70740a8) at /root/php-src/Zend/zend_compile.c:6954
#6  zend_compile_top_stmt (ast=0x7ffff7074018) at /root/php-src/Zend/zend_compile.c:6949
#7  0x00000000005947fd in compile_file (file_handle=<optimized out>, type=<optimized out>) at Zend/zend_language_scanner.l:607
#8  0x00000000005d8e46 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /root/php-src/Zend/zend.c:1398
#9  0x00000000005668a0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd600) at /root/php-src/main/main.c:2475
#10 0x000000000067fc6b in do_cli (argc=2, argv=0xa8c780) at /root/php-src/sapi/cli/php_cli.c:971
#11 0x000000000041ed80 in main (argc=2, argv=0xa8c780) at /root/php-src/sapi/cli/php_cli.c:1338
(gdb) i r
rax            0x0      0
rbx            0x7ffff7074078   140737337835640
rcx            0x7ffff7057188   140737337717128
rdx            0x1      1
rsi            0x0      0
rdi            0x7ffff7074088   140737337835656
rbp            0x7ffff7074098   0x7ffff7074098
rsp            0x7fffffffad40   0x7fffffffad40
r8             0x7c     124
r9             0x7ffff7000000   140737337360384
r10            0xfffffffffffffff        1152921504606846975
r11            0x180    384
r12            0x7ffff7074130   140737337835824
r13            0x1      1
r14            0x7fffffffaf68   140737488334696
r15            0x0      0
rip            0x5b4b36 0x5b4b36 <zend_eval_const_expr+1142>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) x/i $rip
=> 0x5b4b36 <zend_eval_const_expr+1142>:        cmpw   $0x40,(%rax)


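The nested-construct mechanism described in the report above, as an added example that is not code from php-src or from the reporter's patch: a small C model of the AST that `[[][]]` produces, the pre-patch child check that reads through the missing index child, and the guarded check that the patch introduces. Every identifier in it (node, K_ZVAL, K_ARRAY, K_DIM, mk, dim_is_const_unguarded, dim_is_const_guarded, array_is_const, build_bug70183_ast) is a hypothetical stand-in for the Zend engine's own types and functions, and the two-slot node is a simplification of the real zend_ast layout.

```c
/* Added example (not php-src code): a toy model of the AST shape behind
 * bug #70183 and of the guard the patch adds.  All identifiers here
 * (node, K_ZVAL/K_ARRAY/K_DIM, mk, dim_is_const_*, array_is_const,
 * build_bug70183_ast) are hypothetical stand-ins for the Zend ones. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum kind { K_ZVAL, K_ARRAY, K_DIM };

/* A node has at most two children in this model.  For K_DIM, child[0] is
 * the container and child[1] the index; the write-context form `[]` has
 * no index, so child[1] is NULL.  For K_ARRAY the slots hold elements. */
struct node {
    enum kind kind;
    struct node *child[2];
};

static struct node *mk(enum kind k, struct node *c0, struct node *c1)
{
    struct node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->kind = k;
    n->child[0] = c0;
    n->child[1] = c1;
    return n;
}

/* Shape of the check before the patch: both children are dereferenced
 * unconditionally, so a NULL child[1] is a NULL pointer read. */
static bool dim_is_const_unguarded(const struct node *ast)
{
    return ast->child[0]->kind == K_ZVAL && ast->child[1]->kind == K_ZVAL;
}

/* Shape of the check after the patch: a missing child means the DIM
 * cannot be folded, so say so before touching ->kind.  The order of the
 * || operands is what makes this safe. */
static bool dim_is_const_guarded(const struct node *ast)
{
    if (!ast->child[0] || !ast->child[1]) {
        return false;
    }
    return ast->child[0]->kind == K_ZVAL && ast->child[1]->kind == K_ZVAL;
}

/* The AST for `[[][]]`: an array literal whose only element is
 * DIM(container = empty array literal, index = NULL). */
struct node *build_bug70183_ast(void)
{
    struct node *empty = mk(K_ARRAY, NULL, NULL);
    struct node *dim = mk(K_DIM, empty, NULL);
    return mk(K_ARRAY, dim, NULL);
}

/* Constant-folding attempt over an array literal, recursing into nested
 * literals the way the backtrace shows zend_try_ct_eval_array handing
 * elements to zend_eval_const_expr.  Returns true only when every element
 * is foldable; the NULL-index DIM makes it return false instead of crashing. */
bool array_is_const(const struct node *arr)
{
    for (int i = 0; i < 2; i++) {
        const struct node *el = arr->child[i];
        if (!el) {
            continue;           /* empty slot, not an element */
        }
        switch (el->kind) {
        case K_ZVAL:
            break;
        case K_ARRAY:
            if (!array_is_const(el)) return false;
            break;
        case K_DIM:
            if (!dim_is_const_guarded(el)) return false;
            break;
        }
    }
    return true;
}

int main(void)
{
    struct node *crasher = build_bug70183_ast();
    struct node *plain = mk(K_ARRAY, mk(K_ZVAL, NULL, NULL), NULL);
    struct node *full_dim = mk(K_DIM, mk(K_ZVAL, NULL, NULL), mk(K_ZVAL, NULL, NULL));

    printf("[[][]] foldable: %s\n", array_is_const(crasher) ? "yes" : "no");
    printf("[1] foldable: %s\n", array_is_const(plain) ? "yes" : "no");
    /* The unguarded check is only called on a node with both children;
     * handing it the crasher's DIM node would reproduce the NULL read. */
    printf("both-children DIM check: %s\n",
           dim_is_const_unguarded(full_dim) ? "const" : "not const");
    return 0;
}
```

Compile with `cc -Wall -o bug70183-model bug70183-model.c` and run it. The point of keeping both check variants side by side is the operand order: the guarded version relies on `||` short-circuiting so that `->kind` is never evaluated on a NULL child, which is the same property the one-line change to zend_compile.c depends on.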
 [2015-08-02 09:38 UTC] hugh at allthethings dot co dot nz
Won't let me upload patch for some reason, says still private. See below.

Author: Hugh Davenport <>
Date:   Sun Aug 2 05:35:25 2015 -0400

    Fix bug #70183 (null pointer deref (segfault) in zend_eval_const_expr)

diff --git a/Zend/tests/bug70183.phpt b/Zend/tests/bug70183.phpt
new file mode 100644
index 0000000..4b038fd
--- /dev/null
+++ b/Zend/tests/bug70183.phpt
@@ -0,0 +1,8 @@
+Bug #70183 (null pointer deref (segfault) in zend_eval_const_expr)
+Fatal error: Cannot use [] for reading in %sbug70182.php on line 2
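Review bot: the expected-output line at the end of this hunk names `bug70182.php`, but the test file added here is `bug70183.phpt`; run-tests.php writes the FILE section out under the .phpt's own name, so `%sbug70182.php on line 2` will never match `bug70183.php` and the test will fail even with the fix applied. Change it to `%sbug70183.php on line %d` (or keep `on line 2` if the script really puts the expression on its second line). The hunk header also announces eight added lines while only two appear in the comment, so the `--TEST--`, `--FILE--` and `--EXPECTF--` section markers cannot be checked from what is posted here.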
diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 5d7eec2..0e9f478 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -7374,7 +7374,7 @@ void zend_eval_const_expr(zend_ast **ast_ptr) /* {{{ */
-                       if (ast->child[0]->kind != ZEND_AST_ZVAL || ast->child[1]->kind != ZEND_AST_ZVAL) {
+                       if (!ast->child[0] || !ast->child[1] || ast->child[0]->kind != ZEND_AST_ZVAL || ast->child[1]->kind != ZEND_AST_ZVAL) {
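Review bot: the new condition is only safe because `||` short-circuits, so the two NULL tests must stay ahead of the `->kind` accesses; a one-line comment above the `if` saying that `child[1]` is NULL for the write-context `[]` form (the `[[][]]` shape from the report) would keep a later cleanup from reordering the operands and reintroducing the dereference. With the guard in place the DIM node is simply left unfolded, and the "Cannot use [] for reading" fatal listed as the expected result has to come from the normal compile path rather than from this function, which is consistent with what the accompanying .phpt asserts.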
 [2015-08-02 15:36 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2015-08-02 15:36 UTC]
Patch applied in 2a1a8f9ea75d4c8c9c47c2a391113764b9d0639b. Btw not sure if it makes sense to file security bugs for some pre-release.

 [2015-08-02 17:23 UTC]
-Type: Security +Type: Bug
 [2015-08-02 19:23 UTC] hugh at allthethings dot co dot nz

Thanks for the quick fix.

No worries about the security flag, wasn't sure. Started fuzzing on 5.6 as well, so hopefully more there :D.

Would any crashes count as security on pre-release?


 [2015-08-02 19:25 UTC] hugh at allthethings dot co dot nz
I was basing the security flag off a similar one, bug #68618.
 [2015-08-02 20:26 UTC]

#68618 was switched to security after it turned out it is in a stable branch (5.6) as well. Any crash in a stable branch should be security. But a pre-release is explicitly not for production, so ATM - if it's a 7.0-only crash, no need for security. Once 7.0 is GA - yes, it's security in any case.

 [2015-08-02 20:31 UTC] hugh at allthethings dot co dot nz
Cool, makes sense. I've got a few more 7.0 ones to submit and some 5.6 ones as well. Changed fuzzing focus to 5.6 for a few days.
 [2015-08-04 20:54 UTC]
Automatic comment on behalf of
Log: Fixed bug #70183 null pointer deref (segfault) in zend_eval_const_expr
 [2016-07-20 11:37 UTC]
Automatic comment on behalf of
Log: Fixed bug #70183 null pointer deref (segfault) in zend_eval_const_expr