Bug #70327 segfault in xbuf_format_converter at spprintf.c:204
Submitted: 2015-08-22 17:25 UTC Modified: 2015-08-22 17:29 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 7.0Git-2015-08-22 (Git) OS: Debian 7
Private report: No CVE-ID: None
 [2015-08-22 17:25 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7.0.0-dev (cli) (built: Aug 19 2015 16:48:48) with AFL, I found this script that causes a segfault in xbuf_format_converter (spprintf.c:204).

Test script:
---------------
<?php
// Fuzzer-minimized reproducer. $_ is never assigned inside the function, so
// !$_ is always true (after an "undefined variable" notice), and array_filter()
// is then called with this function's own name as the callback. Every element
// of $GLOBALS therefore re-enters the function, which filters $GLOBALS again,
// with nothing bounding the recursion depth.
function SG0s0G00000y0G0h(){($___=__FUNCTION__)&&!$_ and list($_)=array_values(array_filter($GLOBALS,$___))and
0?(0):((0));}
SG0s0G00000y0G0h();

Expected result:
----------------
No crash.

Actual result:
--------------
The GDB output goes on infinitely:

Program received signal SIGSEGV, Segmentation fault.
0x00000000011e3562 in xbuf_format_converter ()
(gdb) bt
#0  0x00000000011e3562 in xbuf_format_converter ()
#1  0x00000000011e974c in vspprintf ()
#2  0x00000000011ca899 in php_error_cb ()
#3  0x000000000043e7f1 in zend_error_noreturn ()
    at /home/geeknik/php-src/Zend/zend.c:1166
#4  0x00000000016419a5 in ZEND_BOOL_NOT_SPEC_CV_HANDLER ()
    at /home/geeknik/php-src/Zend/zend_execute.c:252
#5  0x00000000015e3ec3 in execute_ex ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:406
#6  0x00000000013bdd02 in zend_call_function ()
#7  0x0000000000f7f413 in zif_array_filter ()
#8  0x0000000001634545 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:577
#9  0x00000000015e3ec3 in execute_ex ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:406
#10 0x00000000013bdd02 in zend_call_function ()
#11 0x0000000000f7f413 in zif_array_filter ()
#12 0x0000000001634545 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:577
#13 0x00000000015e3ec3 in execute_ex ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:406
#14 0x00000000013bdd02 in zend_call_function ()
#15 0x0000000000f7f413 in zif_array_filter ()
#16 0x0000000001634545 in ZEND_DO_ICALL_SPEC_HANDLER ()

valgrind -q ~/php-src/sapi/cli/php test00-min
==63869== Stack overflow in thread #1: can't grow stack to 0xffe801000
==63869== 
==63869== Process terminating with default action of signal 11 (SIGSEGV)
==63869==  Access not within mapped region at address 0xFFE801EF8
==63869== Stack overflow in thread #1: can't grow stack to 0xffe801000
==63869==    at 0x11E3562: xbuf_format_converter (spprintf.c:204)
==63869==  If you believe this happened as a result of a stack
==63869==  overflow in your program's main thread (unlikely but
==63869==  possible), you can try to increase the size of the
==63869==  main thread stack using the --main-stacksize= flag.
==63869==  The main thread stack size used in this run was 8388608.
==63869== Stack overflow in thread #1: can't grow stack to 0xffe801000
==63869== 
==63869== Process terminating with default action of signal 11 (SIGSEGV)
==63869==  Access not within mapped region at address 0xFFE801EE8
==63869== Stack overflow in thread #1: can't grow stack to 0xffe801000
==63869==    at 0x4A22620: _vgnU_freeres (vg_preloaded.c:58)
==63869==  If you believe this happened as a result of a stack
==63869==  overflow in your program's main thread (unlikely but
==63869==  possible), you can try to increase the size of the
==63869==  main thread stack using the --main-stacksize= flag.
==63869==  The main thread stack size used in this run was 8388608.
Segmentation fault

History

 [2015-08-22 17:29 UTC] bwoebi@php.net
-Status: Open +Status: Not a bug
 [2015-08-22 17:29 UTC] bwoebi@php.net
Typical stack overflow, not a bug.
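The following is an added example, not code from the bug report or from php-src. It shows the shape of the reporter's script (a callback that unconditionally re-enters itself through array_filter() over $GLOBALS) next to a guarded counterpart that bounds re-entrancy with a static depth counter, so a runaway recursion surfaces as a catchable RuntimeException rather than a SIGSEGV. The function names unguarded and guarded and the MAX_DEPTH value are assumptions made for this example.

```php
<?php
// Added example, not part of the bug report or of php-src.

// Same shape as the reporter's reproducer: the callback filters $GLOBALS with
// itself, so each element triggers another nested call and the stack keeps
// growing until the process dies with SIGSEGV. Shown for comparison only; it
// is never called below.
function unguarded($value = null) {
    return array_values(array_filter($GLOBALS, 'unguarded'));
}

// Assumed bound for this demo; keep it well below what the interpreter's
// native stack can hold, since PHP 7 imposes no recursion limit of its own.
const MAX_DEPTH = 64;

// Defensive version: a static counter tracks how deep the re-entrancy goes.
// The increment and the decrement in finally are symmetric for every frame,
// including the one that throws, so the counter is consistent afterwards.
function guarded($value = null) {
    static $depth = 0;
    $depth++;
    try {
        if ($depth > MAX_DEPTH) {
            throw new RuntimeException('recursion limit ' . MAX_DEPTH . ' exceeded');
        }
        return array_values(array_filter($GLOBALS, 'guarded'));
    } finally {
        $depth--;
    }
}

try {
    guarded();
} catch (RuntimeException $e) {
    // Reached instead of a segfault: prints "recursion limit 64 exceeded".
    echo $e->getMessage(), PHP_EOL;
}
```

The exception thrown from inside the callback propagates out of array_filter() and unwinds every nested frame, which is the behaviour the original script never gets: with PHP 7 the only signal that recursion has run away is the crash itself, and here it happens while formatting the "undefined variable" notice on an already exhausted stack. Newer interpreters (PHP 8.3 and later) add zend.max_allowed_stack_size and raise an Error before the native stack is exhausted, but code that accepts callbacks from untrusted input should not rely on that and should bound its own recursion as above.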
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Jun 01 19:01:24 2020 UTC