Bug #72705 AddressSanitizer: negative-size-param in zend_compile_stmt
Submitted: 2016-07-29 07:18 UTC Modified: 2020-01-03 09:53 UTC
From: pranjal dot jumde at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1Git-2016-07-29 (Git) OS: All
Private report: No CVE-ID: None
[2016-07-29 07:18 UTC] pranjal dot jumde at gmail dot com
Description:
------------
==38807==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x1107632f2 in printf_common(void*, char const*, __va_list_tag*) (libclang_rt.asan_osx_dynamic.dylib+0x1b2f2)
    #1 0x110763c5b in wrap_vsprintf (libclang_rt.asan_osx_dynamic.dylib+0x1bc5b)
    #2 0x110764956 in wrap_sprintf (libclang_rt.asan_osx_dynamic.dylib+0x1c956)
    #3 0x10f89206f in zend_compile_stmt zend_compile.c:7785
    #4 0x10f8a9a86 in zend_compile_top_stmt zend_compile.c:7691
    #5 0x10f8a9a51 in zend_compile_top_stmt zend_compile.c:7686
    #6 0x10f816a14 in zend_compile zend_language_scanner.l:600
    #7 0x10f818713 in compile_string zend_language_scanner.l:765
    #8 0x10fbb90be in zend_include_or_eval zend_execute.c:2857

Test script:
---------------
<?php
// Lift the memory limit so a ~2 GiB class name can be built at all.
ini_set('memory_limit', '-1');
// 2147483647 bytes: the largest value a 32-bit signed int can hold.
$newClassName = str_repeat("a", 2147483647);

// Compile a class declaration carrying the huge name via eval().
eval("class $newClassName {
    function hello() {
        return \"Hello\";
    }
};");
?>
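The arithmetic behind the reported size is worth seeing in isolation: -2147483648 is INT_MIN, which is exactly what 2147483647 + 1 becomes when the sum is held in a 32-bit signed int, and ASan flags that value the moment it reaches a size parameter. The C below is an added illustration of that bug class, written for this page; it is not PHP's code and does not claim to be what zend_compile_stmt does. The helper names (`buggy_nul_size`, `checked_decl_size`, `build_class_decl`) and the "class <name> {}" layout are assumptions chosen for the demonstration. It needs no multi-gigabyte allocation: the buggy sizing is shown on the length alone, and the checked sizing rejects it before anything is allocated.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration only (hypothetical helpers, not PHP source): sizing a
 * scratch buffer for "class <name> {}" from the length of <name>. */

#define DECL_PREFIX "class "
#define DECL_SUFFIX " {}"
/* fixed text around the name plus the terminating NUL */
#define DECL_EXTRA (sizeof(DECL_PREFIX) - 1 + sizeof(DECL_SUFFIX) - 1 + 1)

/* Buggy sizing: 32-bit signed arithmetic. The unsigned detour makes the
 * wrap well-defined so the value can be observed; the plain signed
 * addition it stands for is undefined behaviour and wraps in practice.
 * A name of length INT32_MAX plus one byte for the NUL yields INT32_MIN,
 * the size=-2147483648 an ASan negative-size-param report shows. */
int32_t buggy_nul_size(int32_t name_len)
{
    return (int32_t)((uint32_t)name_len + 1u);
}

/* Checked sizing: size_t arithmetic with an explicit overflow test, and a
 * cap at INT_MAX because sprintf-family functions report their result as
 * an int and cannot represent a longer output. */
bool checked_decl_size(size_t name_len, size_t *out)
{
    if (name_len > SIZE_MAX - DECL_EXTRA)   /* name_len + DECL_EXTRA would wrap */
        return false;
    size_t total = name_len + DECL_EXTRA;
    if (total > (size_t)INT_MAX)            /* too long for printf's int length */
        return false;
    *out = total;
    return true;
}

/* Build the declaration into a buffer sized by the checked helper.
 * Returns NULL without allocating when the name is too long; the caller
 * frees the result otherwise. */
char *build_class_decl(const char *name)
{
    size_t need;
    if (!checked_decl_size(strlen(name), &need))
        return NULL;
    char *buf = malloc(need);
    if (!buf)
        return NULL;
    int n = snprintf(buf, need, DECL_PREFIX "%s" DECL_SUFFIX, name);
    if (n < 0 || (size_t)n >= need) {       /* error or truncation: bail out */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    size_t need;
    printf("buggy size for a name of length INT32_MAX: %d\n",
           buggy_nul_size(INT32_MAX));
    printf("checked size for a name of length 2147483647: %s\n",
           checked_decl_size(2147483647u, &need) ? "ok" : "rejected");
    char *decl = build_class_decl("a");
    if (decl) {
        printf("%s\n", decl);
        free(decl);
    }
    return 0;
}
```

The first print shows the wrapped value, the second shows the checked path refusing the same length, and the third shows the checked path producing a normal declaration for a short name. Rejecting at the size computation is the point: once a negative or wrapped size reaches sprintf or memcpy, the only thing left to observe is the sanitizer report.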


History
 [2016-07-29 08:23 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-10-19 04:39 UTC] krakjoe@php.net
I'm not able to reproduce (because I don't have a 32bit machine).

I'm not sure that the trace looks like a bug in PHP, compile_stmt doesn't call any printing functions, so it looks like asan is trying to output some debugging string in compile_stmt, and it's asan itself that is overflowing, possibly.
 [2020-01-03 09:53 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-01-03 09:53 UTC] nikic@php.net
I can't repro this either. On a 32-bit build this OOMs when concating the string (thus never reaching the eval), on a 64-bit build it is clean under asan. I'm assuming this was already resolved in the meantime.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 14:01:28 2024 UTC