Bug #72705 AddressSanitizer: negative-size-param in zend_compile_stmt
Submitted: 2016-07-29 07:18 UTC Modified: 2016-10-19 04:39 UTC
From: pranjal dot jumde at gmail dot com Assigned:
Status: Open Package: Reproducible crash
PHP Version: 7.1Git-2016-07-29 (Git) OS: All
Private report: No CVE-ID: None
 [2016-07-29 07:18 UTC] pranjal dot jumde at gmail dot com
Description:
------------
==38807==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x1107632f2 in printf_common(void*, char const*, __va_list_tag*) (libclang_rt.asan_osx_dynamic.dylib+0x1b2f2)
    #1 0x110763c5b in wrap_vsprintf (libclang_rt.asan_osx_dynamic.dylib+0x1bc5b)
    #2 0x110764956 in wrap_sprintf (libclang_rt.asan_osx_dynamic.dylib+0x1c956)
    #3 0x10f89206f in zend_compile_stmt zend_compile.c:7785
    #4 0x10f8a9a86 in zend_compile_top_stmt zend_compile.c:7691
    #5 0x10f8a9a51 in zend_compile_top_stmt zend_compile.c:7686
    #6 0x10f816a14 in zend_compile zend_language_scanner.l:600
    #7 0x10f818713 in compile_string zend_language_scanner.l:765
    #8 0x10fbb90be in zend_include_or_eval zend_execute.c:2857

Test script:
---------------
<?php
ini_set('memory_limit', '-1');
// Class name of 2147483647 bytes (INT_MAX on a 32-bit int)
$newClassName = str_repeat("a", 2147483647);

eval("class $newClassName {
    function hello() {
        return \"Hello\";
    }
};");
?>
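The reported size, -2147483648, is exactly 2147483647 + 1 wrapped in a 32-bit signed integer, and 2147483647 is the class name length in the test script. The following C snippet is an added example, not PHP's code and not from the report: it assumes the negative size comes from a 32-bit signed length field that wraps when one byte (a terminator) is added, which matches the number in the trace but is not confirmed by the report. It shows that wrap beside a guarded formatting routine that rejects any length that cannot be represented as a positive int before a printf-family call sees it.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical: a string length stored in a 32-bit int, plus one byte for
 * the terminator. Done in unsigned arithmetic so the wrap is well defined;
 * for len == 2147483647 the result is INT32_MIN, i.e. -2147483648, the
 * value AddressSanitizer printed above. */
int32_t wrapped_length_plus_one(size_t len) {
    uint32_t n = (uint32_t)len;
    return (int32_t)(n + 1u);
}

/* Guard: a length is only safe to hand to an int-typed format parameter if
 * it, plus the terminator, still fits in a positive int. */
bool length_fits_int(size_t len) {
    return len < (size_t)INT_MAX;
}

/* Hardened formatter (hypothetical): builds "class <name> {}" into out and
 * returns the number of bytes written, or -1 if the name length is rejected
 * or the buffer is too small. The %.*s precision must be an int, which is
 * exactly why the length check has to happen first. */
int format_class_decl(char *out, size_t out_sz, const char *name, size_t name_len) {
    if (!length_fits_int(name_len)) {
        return -1;
    }
    int needed = snprintf(NULL, 0, "class %.*s {}", (int)name_len, name);
    if (needed < 0 || (size_t)needed >= out_sz) {
        return -1;
    }
    return snprintf(out, out_sz, "class %.*s {}", (int)name_len, name);
}

int main(void) {
    char buf[64];
    printf("2147483647 + 1 in int32: %d\n", wrapped_length_plus_one(2147483647u));
    printf("formatted: %d bytes -> %s\n",
           format_class_decl(buf, sizeof buf, "Foo", 3), buf);
    printf("INT_MAX-length name accepted? %s\n",
           format_class_decl(buf, sizeof buf, "a", (size_t)INT_MAX) == -1 ? "no" : "yes");
    return 0;
}
```

Running it shows the 2147483647 + 1 wrap landing on -2147483648 and the guarded formatter refusing the oversized length while still formatting an ordinary class name.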


 [2016-07-29 08:23 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-10-19 04:39 UTC] krakjoe@php.net
I'm not able to reproduce (because I don't have a 32-bit machine).

I'm not sure that the trace looks like a bug in PHP. compile_stmt doesn't call any printing functions, so it looks like asan is trying to output some debugging string in compile_stmt, and it's asan itself that is overflowing, possibly.