Sec Bug #70499 PHP segfaults after json_decode
Submitted: 2015-09-15 09:25 UTC Modified: 2015-09-15 11:09 UTC
From: casper at biering dot dk Assigned: remi (profile)
Status: Closed Package: JSON related
PHP Version: 5.6.13 OS: CentOS 6.7 x86_64
Private report: No CVE-ID: None
 [2015-09-15 09:25 UTC] casper at biering dot dk
Description:
------------
Can be reproduced on php 5.6.13 from remi repo on CentOS 6.7 x86_64.

From php -i:
json version => 1.3.8
JSON-C version (bundled) => 0.11

I've tested on Fedora 22 without having any problems (fedora repo, php=5.6.12, json=1.3.7, JSON-C=0.11).

Test script:
---------------
https://gist.githubusercontent.com/casperbiering/c3cfee1029fcb105bc37/raw/e962019e14b2c05f96c70ff49fb6f957576939dc/json_decode-segfault.php

Expected result:
----------------
The text "SCRIPT-FINISHED-WITHOUT-ERRORS".

Actual result:
--------------
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-83.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...Reading symbols from /usr/lib/debug/usr/bin/php.debug...done.
done.
(gdb) run json_decode-segfault.php
Starting program: /usr/bin/php json_decode-segfault.php
[Thread debugging using libthread_db enabled]
warning: "/usr/lib/debug/usr/lib64/libicudata.so.50.1.2.debug": separate debug info file has no debug info

Program received signal SIGSEGV, Segmentation fault.
_zend_mm_alloc_int (heap=0x9ee230, size=32) at /usr/src/debug/php-5.6.13/Zend/zend_alloc.c:1910
1910				heap->cache[index] = best_fit->prev_free_block;
Missing separate debuginfos, use: debuginfo-install libc-client-2007e-11.el6.x86_64 libedit-2.11-4.20080712cvs.1.el6.x86_64 libevent-last-2.0.22-1.el6.remi.x86_64 libgearman-1.1.8-2.el6.x86_64 libidn-1.18-2.el6.x86_64 libmemcached-1.0.16-1.el6.remi.x86_64 libssh2-1.4.2-2.el6.x86_64 libtidy-0.99.0-19.20070615.1.el6.x86_64 libtool-ltdl-2.2.6-15.5.el6.x86_64 php-pecl-gearman-1.1.2-4.el6.remi.5.6.x86_64 php-pecl-memcache-3.0.8-3.el6.remi.5.6.x86_64 php-pecl-memcached-2.2.0-3.el6.remi.5.6.x86_64
(gdb) bt
#0  _zend_mm_alloc_int (heap=0x9ee230, size=32) at /usr/src/debug/php-5.6.13/Zend/zend_alloc.c:1910
#1  0x00000000006635b3 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.13/Zend/zend_vm_execute.h:551
#2  0x00000000006530e8 in execute_ex (execute_data=0x7ffff7fa4180) at /usr/src/debug/php-5.6.13/Zend/zend_vm_execute.h:363
#3  0x00000000005d48ae in dtrace_execute_ex (execute_data=0x7ffff7fa4180) at /usr/src/debug/php-5.6.13/Zend/zend_dtrace.c:73
#4  0x00000000005e3ffc in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.6.13/Zend/zend.c:1341
#5  0x000000000058251a in php_execute_script (primary_file=0x7fffffffd040) at /usr/src/debug/php-5.6.13/main/main.c:2597
#6  0x000000000068aff3 in do_cli (argc=2, argv=0x9edf80) at /usr/src/debug/php-5.6.13/sapi/cli/php_cli.c:994
#7  0x000000000068b7f8 in main (argc=2, argv=0x9edf80) at /usr/src/debug/php-5.6.13/sapi/cli/php_cli.c:1378
(gdb) frame 0
#0  _zend_mm_alloc_int (heap=0x9ee230, size=32) at /usr/src/debug/php-5.6.13/Zend/zend_alloc.c:1910
1910				heap->cache[index] = best_fit->prev_free_block;
(gdb) frame 1
#1  0x00000000006635b3 in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>) at /usr/src/debug/php-5.6.13/Zend/zend_vm_execute.h:551
551				MAKE_STD_ZVAL(ret->var.ptr);
(gdb) frame 2
#2  0x00000000006530e8 in execute_ex (execute_data=0x7ffff7fa4180) at /usr/src/debug/php-5.6.13/Zend/zend_vm_execute.h:363
363			if ((ret = OPLINE->handler(execute_data TSRMLS_CC)) > 0) {
(gdb) frame 3
#3  0x00000000005d48ae in dtrace_execute_ex (execute_data=0x7ffff7fa4180) at /usr/src/debug/php-5.6.13/Zend/zend_dtrace.c:73
73		execute_ex(execute_data TSRMLS_CC);
(gdb) frame 4
#4  0x00000000005e3ffc in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.6.13/Zend/zend.c:1341
1341				zend_execute(EG(active_op_array) TSRMLS_CC);
(gdb) frame 5
#5  0x000000000058251a in php_execute_script (primary_file=0x7fffffffd040) at /usr/src/debug/php-5.6.13/main/main.c:2597
2597				retval = (zend_execute_scripts(ZEND_REQUIRE TSRMLS_CC, NULL, 3, prepend_file_p, primary_file, append_file_p) == SUCCESS);
(gdb) frame 6
#6  0x000000000068aff3 in do_cli (argc=2, argv=0x9edf80) at /usr/src/debug/php-5.6.13/sapi/cli/php_cli.c:994
994					php_execute_script(&file_handle TSRMLS_CC);
(gdb) frame 7
#7  0x000000000068b7f8 in main (argc=2, argv=0x9edf80) at /usr/src/debug/php-5.6.13/sapi/cli/php_cli.c:1378
1378				exit_status = do_cli(argc, argv TSRMLS_CC);

 [2015-09-15 10:45 UTC] remi@php.net
-Assigned To: +Assigned To: remi
 [2015-09-15 10:46 UTC] remi@php.net
Related to jsonc extension, not to ext/json.
 [2015-09-15 11:09 UTC] remi@php.net
-Status: Assigned +Status: Closed
 [2015-09-15 11:09 UTC] remi@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at
http://www.php.net/downloads.php

Fix by https://github.com/remicollet/pecl-json-c/commit/b2ee7cf3952bb47fe2ef40824a6f96a90cd00b01

Released as 1.3.9
 [2015-09-15 12:06 UTC] remi@php.net
FYI Fedora repository (updates-testing) and remi repositories, which provide your packages, are already updated to 1.3.9.