PHP :: Bug #70912 :: Null ptr dereference when class property is initialised to a dereferenced value.

Bug #70912	Null ptr dereference when class property is initialised to a dereferenced value.
Submitted:	2015-11-13 11:52 UTC	Modified:	2015-11-13 14:50 UTC
From:	leigh@php.net	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	master-Git-2015-11-13 (Git)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2015-11-13 11:52 UTC] leigh@php.net

Description:
------------
Instantiating a class (normal or anonymous) that has property initialised with a double array short syntax causes a null pointer dereference in zend_ast_evaluate.

PHP compiled with --disable-all.

This affects 7.0alpha1 up to git-master - https://3v4l.org/cg1F3

Found with afl

Test script:
---------------
<?php

new class {
    public $a = [][];
};

Expected result:
----------------
Exit code 0

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000669709 in zend_ast_evaluate (result=0x7fffffffa160, ast=0x0, scope=0x0)
    at /home/leigh/php-src/Zend/zend_ast.c:217
217		switch (ast->kind) {
Missing separate debuginfos, use: dnf debuginfo-install nss-softokn-freebl-3.20.1-1.0.fc23.x86_64
(gdb) bt
#0  0x0000000000669709 in zend_ast_evaluate (result=0x7fffffffa160, ast=0x0, scope=0x0)
    at /home/leigh/php-src/Zend/zend_ast.c:217
#1  0x000000000066a305 in zend_ast_evaluate (result=0x7fffffffa280, ast=0x7ffff66020a8, 
    scope=0x0) at /home/leigh/php-src/Zend/zend_ast.c:390
#2  0x000000000061712b in zval_update_constant_ex (p=0x7ffff66010f0, inline_change=1 '\001', 
    scope=0x0) at /home/leigh/php-src/Zend/zend_execute_API.c:641
#3  0x0000000000633603 in zend_update_class_constants (class_type=0x7ffff6603018)
    at /home/leigh/php-src/Zend/zend_API.c:1155
#4  0x0000000000633bb9 in _object_and_properties_init (arg=0x7fffffffa4d0, 
    class_type=0x7ffff6603018, properties=0x0, 
    __zend_filename=0x87e988 "/home/leigh/php-src/Zend/zend_vm_execute.h", __zend_lineno=15353)
    at /home/leigh/php-src/Zend/zend_API.c:1273
#5  0x0000000000633cc7 in _object_init_ex (arg=0x7fffffffa4d0, class_type=0x7ffff6603018, 
    __zend_filename=0x87e988 "/home/leigh/php-src/Zend/zend_vm_execute.h", __zend_lineno=15353)
    at /home/leigh/php-src/Zend/zend_API.c:1296
#6  0x00000000006a275e in ZEND_NEW_SPEC_VAR_HANDLER ()
    at /home/leigh/php-src/Zend/zend_vm_execute.h:15353
#7  0x0000000000684d72 in execute_ex (ex=0x7ffff6614030)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:414
#8  0x0000000000684e53 in zend_execute (op_array=0x7ffff6687000, return_value=0x0)
    at /home/leigh/php-src/Zend/zend_vm_execute.h:458
#9  0x000000000062e497 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/leigh/php-src/Zend/zend.c:1428
#10 0x00000000005aa22a in php_execute_script (primary_file=0x7fffffffdbc0)
    at /home/leigh/php-src/main/main.c:2471
#11 0x00000000006e62c9 in do_cli (argc=2, argv=0xafe4b0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:974
#12 0x00000000006e7159 in main (argc=2, argv=0xafe4b0)
    at /home/leigh/php-src/sapi/cli/php_cli.c:1345

Patches

Pull Requests

Pull requests:

Fixed bug #70912 (Null ptr dereference instantiating class with invalâ€¦ (php-src/1637)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-11-13 14:50 UTC] leigh@php.net

-Summary: Null ptr dereference instantiating class with invalid array property. +Summary: Null ptr dereference when class property is initialised to a dereferenced value.

[2015-11-13 14:50 UTC] leigh@php.net

Updated title, also happens with

public $a = a[];
public $a = "a"[];
public $a = null[];
public $a = true[];

etc.

[2015-11-13 15:05 UTC] laruence@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=25de928df77d9906c81becddca42143d19d6eedd
Log: Fixed bug #70912 (Null ptr dereference instantiating class with invalid array property)

[2015-11-13 15:05 UTC] laruence@php.net

-Status: Open +Status: Closed

[2015-11-20 01:03 UTC] ab@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=815e456a7ada4865d1dfb3fbc90bfece4a02ba9e
Log: Fixed bug #70912 (Null ptr dereference instantiating class with invalid array property)

[2016-07-20 11:35 UTC] davey@php.net

Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=25de928df77d9906c81becddca42143d19d6eedd
Log: Fixed bug #70912 (Null ptr dereference instantiating class with invalid array property)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 03:00:01 2025 UTC