|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-06-14 00:39 UTC] laruence@php.net
[2016-06-14 08:33 UTC] shm@php.net
[2016-06-15 07:02 UTC] laruence@php.net
[2016-06-15 09:59 UTC] shm@php.net
[2016-06-15 15:46 UTC] laruence@php.net
-Status: Open
+Status: Wont fix
[2016-06-15 15:46 UTC] laruence@php.net
[2016-06-15 15:47 UTC] laruence@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 19 04:01:28 2024 UTC |
Description: ------------ In case of USE_ZEND_ALLOC=0, function: php_output_handler_init which looks as follows: 863static inline php_output_handler *php_output_handler_init(zend_string *name, size_t chunk_size, int flags) 864{ 865 php_output_handler *handler; 866 867 handler = ecalloc(1, sizeof(php_output_handler)); 868 handler->name = zend_string_copy(name); 869 handler->size = chunk_size; 870 handler->flags = flags; 871 handler->buffer.size = PHP_OUTPUT_HANDLER_INITBUF_SIZE(chunk_size); 872 handler->buffer.data = emalloc(handler->buffer.size); 873 874 return handler; 875} may return in buffer.data NULL if buffer.size is large enough to fail, then it can be deferred later (when buffer.data is used) i.e. in php_output_handler_append as presented below: $ ASAN_OPTIONS=symbolize=1 ./php minerva.147.1053581631 ==2035== WARNING: AddressSanitizer failed to allocate 0x10e0829ff7e000 bytes ASAN:SIGSEGV ================================================================= ==2035== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f79f3d819a5 sp 0x7fff83d32038 bp 0x7fff83d32880 T0) AddressSanitizer can not provide additional info. #0 0x7f79f3d819a4 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x199a4) #1 0x7f79f3d763a2 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0xe3a2) #2 0xedf3f7 in php_output_handler_append /home/shm/src/php-src/main/output.c:893 #3 0xedf5de in php_output_handler_op /home/shm/src/php-src/main/output.c:941 #4 0xee043e in php_output_op /home/shm/src/php-src/main/output.c:1057 #5 0xedbd51 in php_output_write /home/shm/src/php-src/main/output.c:257 #6 0xe9995e in php_printf /home/shm/src/php-src/main/main.c:692 #7 0xe9bef0 in php_error_cb /home/shm/src/php-src/main/main.c:1127 #8 0x1010b45 in zend_error_noreturn /home/shm/src/php-src/Zend/zend.c:1154 #9 0x10122af in zend_internal_type_error /home/shm/src/php-src/Zend/zend.c:1348 #10 0x1016e57 in zend_wrong_paramer_type_error /home/shm/src/php-src/Zend/zend_API.c:226 #11 0xd1c570 in zif_fread /home/shm/src/php-src/ext/standard/file.c:1808 #12 0x10fe845 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-src/Zend/zend_vm_execute.h:586 #13 0x10fd8be in execute_ex /home/shm/src/php-src/Zend/zend_vm_execute.h:414 #14 0x10fdb19 in zend_execute /home/shm/src/php-src/Zend/zend_vm_execute.h:458 #15 0x1012aee in zend_execute_scripts /home/shm/src/php-src/Zend/zend.c:1427 #16 0xea2158 in php_execute_script /home/shm/src/php-src/main/main.c:2494 #17 0x122931b in do_cli /home/shm/src/php-src/sapi/cli/php_cli.c:974 #18 0x122b8f7 in main /home/shm/src/php-src/sapi/cli/php_cli.c:1344 #19 0x7f79f2481ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #20 0x42dc48 in _start (/home/shm/src/php-src/sapi/cli/php+0x42dc48) Test script: --------------- <?php $var0 = mt_rand(); $var5 = mktime($var0,$var2,$var1,$var0,$var2); $var7 = ob_start($var4,$var5,$var2); $var8 = posix_seteuid($var7); $var10 = gzread($var8,$var8); Expected result: ---------------- No NPD happens Actual result: -------------- NPD happens