Bug #72705 AddressSanitizer: negative-size-param in zend_compile_stmt
Submitted: 2016-07-29 07:18 UTC Modified: 2020-01-03 09:53 UTC
From: pranjal dot jumde at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1Git-2016-07-29 (Git) OS: All
Private report: No CVE-ID: None


 [2016-07-29 07:18 UTC] pranjal dot jumde at gmail dot com
==38807==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x1107632f2 in printf_common(void*, char const*, __va_list_tag*) (libclang_rt.asan_osx_dynamic.dylib+0x1b2f2)
    #1 0x110763c5b in wrap_vsprintf (libclang_rt.asan_osx_dynamic.dylib+0x1bc5b)
    #2 0x110764956 in wrap_sprintf (libclang_rt.asan_osx_dynamic.dylib+0x1c956)
    #3 0x10f89206f in zend_compile_stmt zend_compile.c:7785
    #4 0x10f8a9a86 in zend_compile_top_stmt zend_compile.c:7691
    #5 0x10f8a9a51 in zend_compile_top_stmt zend_compile.c:7686
    #6 0x10f816a14 in zend_compile zend_language_scanner.l:600
    #7 0x10f818713 in compile_string zend_language_scanner.l:765
    #8 0x10fbb90be in zend_include_or_eval zend_execute.c:2857

Test script:
<?php
// Lift the memory limit so the 2 GB string can be built at all.
ini_set('memory_limit', '-1');
// Class name of length 2147483647 (INT_MAX on a 32-bit int).
$newClassName = str_repeat("a", 2147483647);

// Compile a class declaration with that name through eval().
eval("class $newClassName {
    function hello() {
        return \"Hello\";
    }
}");
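The reported size, -2147483648, is exactly what a 32-bit int holds after 2147483647 + 1 wraps. The following is an added illustration of that arithmetic, not PHP's code and not a confirmed root cause for this report: a hypothetical buffer-size computation done in int beside one done in size_t with a range check before the length reaches a printf-style precision argument.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers (not from PHP): the pattern that turns a
 * 2147483647-byte name into the negative size ASan reports. */

/* Buggy variant: length + 1 (room for the terminator) stored in an int.
 * 2147483647 + 1 does not fit, so on two's-complement targets it wraps
 * to INT_MIN, i.e. -2147483648. */
int buffer_size_int(size_t name_len)
{
    return (int)(name_len + 1);
}

/* Hardened variant: keep the size in size_t and refuse any length that
 * would not fit the int precision printf-style APIs use for %.*s. */
bool buffer_size_checked(size_t name_len, size_t *out)
{
    if (name_len >= (size_t)INT_MAX)   /* no room for the terminator */
        return false;
    *out = name_len + 1;
    return true;
}

/* Format "class <name>" into a caller buffer, rejecting oversized input
 * instead of handing a wrapped precision to snprintf. Returns the number
 * of bytes written, or -1 when the input is rejected. */
int format_class_decl(char *dst, size_t dst_len, const char *name, size_t name_len)
{
    size_t need;
    if (!buffer_size_checked(name_len, &need) || need + strlen("class ") > dst_len)
        return -1;
    return snprintf(dst, dst_len, "class %.*s", (int)name_len, name);
}

int main(void)
{
    size_t reported = 2147483647;  /* constructed: the str_repeat length from the report */
    size_t ok;
    char buf[32];

    printf("int arithmetic: %d\n", buffer_size_int(reported));
    printf("checked: %s\n", buffer_size_checked(reported, &ok) ? "accepted" : "rejected");
    printf("%d: %s\n", format_class_decl(buf, sizeof buf, "Foo", 3), buf);
    return 0;
}
```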


 [2016-07-29 08:23 UTC]
-Type: Security +Type: Bug
 [2016-10-19 04:39 UTC]
I'm not able to reproduce (because I don't have a 32bit machine).

I'm not sure that the trace looks like a bug in PHP; compile_stmt doesn't call any printing functions, so it looks like asan is trying to output some debugging string in compile_stmt, and it's asan itself that is overflowing, possibly.
 [2020-01-03 09:53 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-01-03 09:53 UTC]
I can't repro this either. On a 32-bit build this OOMs when concatenating the string (thus never reaching the eval); on a 64-bit build it is clean under asan. I'm assuming this was already resolved in the meantime.