Bug #72705 AddressSanitizer: negative-size-param in zend_compile_stmt
Submitted: 2016-07-29 07:18 UTC Modified: 2016-10-19 04:39 UTC
From: pranjal dot jumde at gmail dot com Assigned:
Status: Open Package: Reproducible crash
PHP Version: 7.1Git-2016-07-29 (Git) OS: All
Private report: No CVE-ID: None

 [2016-07-29 07:18 UTC] pranjal dot jumde at gmail dot com
==38807==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x1107632f2 in printf_common(void*, char const*, __va_list_tag*) (libclang_rt.asan_osx_dynamic.dylib+0x1b2f2)
    #1 0x110763c5b in wrap_vsprintf (libclang_rt.asan_osx_dynamic.dylib+0x1bc5b)
    #2 0x110764956 in wrap_sprintf (libclang_rt.asan_osx_dynamic.dylib+0x1c956)
    #3 0x10f89206f in zend_compile_stmt zend_compile.c:7785
    #4 0x10f8a9a86 in zend_compile_top_stmt zend_compile.c:7691
    #5 0x10f8a9a51 in zend_compile_top_stmt zend_compile.c:7686
    #6 0x10f816a14 in zend_compile zend_language_scanner.l:600
    #7 0x10f818713 in compile_string zend_language_scanner.l:765
    #8 0x10fbb90be in zend_include_or_eval zend_execute.c:2857

Test script:
<?php
// Reproducer as posted: a 2147483647-byte class name is built, then eval()
// compiles a class declaration carrying that name (the trace above shows
// the crash in zend_compile_stmt, reached from compile_string via eval).
ini_set('memory_limit', '-1');
$newClassName = str_repeat("a", 2147483647);

eval("class $newClassName {
    function hello() {
        return \"Hello\";
    }
}");

 [2016-07-29 08:23 UTC]
-Type: Security +Type: Bug
 [2016-10-19 04:39 UTC]
I'm not able to reproduce (because I don't have a 32bit machine).

I'm not sure that the trace looks like a bug in PHP: compile_stmt doesn't call any printing functions, so it looks like asan is trying to output some debugging string in compile_stmt, and it's asan itself that is overflowing, possibly.
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Dec 15 10:01:25 2019 UTC