Bug #73164 crash in zend_new_interned_string_int when include PHAR file
Submitted: 2016-09-24 13:37 UTC Modified: 2016-10-20 02:29 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: nguyenluan dot vnn at gmail dot com    Assigned:
Status: Open    Package: PHAR related
PHP Version: 5.6.26    OS:
Private report: No    CVE-ID: None
 [2016-09-24 13:37 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
PHP crashes in zend_new_interned_string_int while including a PHAR file larger than 2 GB.

static const char *zend_new_interned_string_int(const char *arKey, int nKeyLength, int free_src TSRMLS_DC){

        ...
        ...

        p = (Bucket *) CG(interned_strings_top);
        CG(interned_strings_top) += ZEND_MM_ALIGNED_SIZE(sizeof(Bucket) + nKeyLength);

#if ZEND_DEBUG_INTERNED_STRINGS
        mprotect(CG(interned_strings_start), CG(interned_strings_end) - CG(interned_strings_start), PROT_READ | PROT_WRITE);
#endif

        p->arKey = (char*)(p+1);
        memcpy((char*)p->arKey, arKey, nKeyLength);  <- crash here
        if (free_src) {
                efree((void *)arKey);
        }

Test script:
---------------
Python script to create the PHAR (zip) file (please run with Python 3):
#! /usr/bin/env python3

import zipfile

fname = 'test.txt'

# One entry of 0x80001000 bytes, so the archive is just over 2 GB (larger than INT_MAX).
with zipfile.ZipFile('zip1.zip', 'w') as z:
    z.writestr(fname, 'a'*0x80001000)


PHP script:
<?php
    // Lift the memory limit so the 2 GB+ file can be read in before the crash is reached.
    ini_set('memory_limit', -1);

    include __DIR__ . '/zip1.zip';
?>

Expected result:
----------------
No crash

Actual result:
--------------
gdb-peda$ b phar.c:3371
Breakpoint 1 at 0x7d1277: file /home/user/Desktop/php-5.6.26/ext/phar/phar.c, line 3371.
gdb-peda$ r ../test/string/test_phar_file_get_contents.php 
Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/string/test_phar_file_get_contents.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 [----------------------------------registers-----------------------------------]
RAX: 0x13f1020 --> 0x0 
RBX: 0x0 
RCX: 0x61 ('a')
RDX: 0xf6395eb8238ab911 
RSI: 0x0 
RDI: 0x7fffffffa7a0 --> 0x0 
RBP: 0x7fffffffa870 --> 0x7fffffffa9b0 --> 0x7fffffffcc00 --> 0x7fffffffdf60 --> 0x7fffffffe0b0 --> 0xb17770 (<__libc_csu_init>:	push   r15)
RSP: 0x7fffffffa6e0 --> 0x801695bf0 
RIP: 0x7d1277 (<phar_compile_file+1266>:	)
R8 : 0xfeffc00000000000 
R9 : 0x0 
R10: 0x361 
R11: 0x7ffff43cb640 (<__strstr_sse2_unaligned>:	movzx  eax,BYTE PTR [rsi])
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7d125c <phar_compile_file+1239>:	mov    DWORD PTR [rbp-0x174],0x0
   0x7d1266 <phar_compile_file+1249>:	
    lea    rax,[rip+0xc1fdb3]        # 0x13f1020 <compiler_globals>
   0x7d126d <phar_compile_file+1256>:	mov    DWORD PTR [rax+0xf0],0x0
=> 0x7d1277 <phar_compile_file+1266>:	
    mov    rax,QWORD PTR [rip+0xc1ab0a]        # 0x13ebd88 <phar_orig_compile_file>
   0x7d127e <phar_compile_file+1273>:	mov    ecx,DWORD PTR [rbp-0x18c]
   0x7d1284 <phar_compile_file+1279>:	mov    rdx,QWORD PTR [rbp-0x188]
   0x7d128b <phar_compile_file+1286>:	mov    esi,ecx
   0x7d128d <phar_compile_file+1288>:	mov    rdi,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa6e0 --> 0x801695bf0 
0008| 0x7fffffffa6e8 --> 0x7fffffffcd60 --> 0x7fff00000002 
0016| 0x7fffffffa6f0 --> 0x7fffffffa840 --> 0x7ffff7fbe450 --> 0x7fffb6d96766 
0024| 0x7fffffffa6f8 --> 0xa80fdd (<tsrm_realpath_r+2866>:	movzx  eax,BYTE PTR [rbp-0xc1])
0032| 0x7fffffffa700 --> 0x0 
0040| 0x7fffffffa708 --> 0x84 
0048| 0x7fffffffa710 --> 0x7fffffffa780 --> 0x2100000001 
0056| 0x7fffffffa718 --> 0x7fffffffbb20 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, phar_compile_file (file_handle=0x7fffffffcd60, type=0x8)
    at /home/user/Desktop/php-5.6.26/ext/phar/phar.c:3371
3371			res = phar_orig_compile_file(file_handle, type TSRMLS_CC);


gdb-peda$ c
Continuing.

 [----------------------------------registers-----------------------------------]
RAX: 0x13f1020 --> 0x4000000000 ('')
RBX: 0xa93d73 (<execute_ex>:	push   rbp)
RCX: 0x2 
RDX: 0xf6395eb8270ab911 
RSI: 0x0 
RDI: 0x7fffffffa560 --> 0xa93d73 (<execute_ex>:	push   rbp)
RBP: 0x7fffffffa630 --> 0x7fffffffa710 --> 0x7fffffffa810 --> 0x7fffffffa840 --> 0x7fffffffa870 --> 0x7fffffffa9b0 (--> ...)
RSP: 0x7fffffffa4a0 --> 0x2ffffa500 
RIP: 0x7d1277 (<phar_compile_file+1266>:	)
R8 : 0xfec0f08000000000 
R9 : 0xa20 (' \n')
R10: 0x0 
R11: 0x7ffff44b6730 --> 0xfffda400fffda12f 
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7d125c <phar_compile_file+1239>:	mov    DWORD PTR [rbp-0x174],0x0
   0x7d1266 <phar_compile_file+1249>:	
    lea    rax,[rip+0xc1fdb3]        # 0x13f1020 <compiler_globals>
   0x7d126d <phar_compile_file+1256>:	mov    DWORD PTR [rax+0xf0],0x0
=> 0x7d1277 <phar_compile_file+1266>:	
    mov    rax,QWORD PTR [rip+0xc1ab0a]        # 0x13ebd88 <phar_orig_compile_file>
   0x7d127e <phar_compile_file+1273>:	mov    ecx,DWORD PTR [rbp-0x18c]
   0x7d1284 <phar_compile_file+1279>:	mov    rdx,QWORD PTR [rbp-0x188]
   0x7d128b <phar_compile_file+1286>:	mov    esi,ecx
   0x7d128d <phar_compile_file+1288>:	mov    rdi,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa4a0 --> 0x2ffffa500 
0008| 0x7fffffffa4a8 --> 0x7fffffffa690 --> 0x7fff00000000 
0016| 0x7fffffffa4b0 --> 0x7ffff7fbeba0 --> 0x7fffb6d96896 
0024| 0x7fffffffa4b8 --> 0x9e8 
0032| 0x7fffffffa4c0 --> 0x0 
0040| 0x7fffffffa4c8 --> 0xb ('\x0b')
0048| 0x7fffffffa4d0 --> 0x7fffffffa530 --> 0x7fffffffa600 --> 0x5cb00000a20 
0056| 0x7fffffffa4d8 --> 0x7fffffffbb20 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, phar_compile_file (file_handle=0x7fffffffa690, type=0x2)
    at /home/user/Desktop/php-5.6.26/ext/phar/phar.c:3371
3371			res = phar_orig_compile_file(file_handle, type TSRMLS_CC);


gdb-peda$ b zend_string.c:117
Breakpoint 2 at 0xa7d759: file /home/user/Desktop/php-5.6.26/Zend/zend_string.c, line 117.


gdb-peda$ c
Continuing.

 [----------------------------------registers-----------------------------------]
RAX: 0x7ffff7ebdce0 --> 0x0 
RBX: 0xa93d73 (<execute_ex>:	push   rbp)
RCX: 0x2ddc759bc21f5b3a 
RDX: 0x7fff77ebee10 ('a' <repeats 200 times>...)
RSI: 0x800010e7 
RDI: 0x7fff6d171070 --> 0x2d04034b50 
RBP: 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
RSP: 0x7fffffff7f70 --> 0x800010e700000001 
RIP: 0xa7d759 (<zend_new_interned_string_int+357>:	)
R8 : 0x0 
R9 : 0x0 
R10: 0xfffffffe80173000 
R11: 0x246 
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa7d747 <zend_new_interned_string_int+339>:	
    lea    rax,[rip+0x9738d2]        # 0x13f1020 <compiler_globals>
   0xa7d74e <zend_new_interned_string_int+346>:	
    mov    rax,QWORD PTR [rax+0x2d8]
   0xa7d755 <zend_new_interned_string_int+353>:	mov    QWORD PTR [rbp-0x18],rax
=> 0xa7d759 <zend_new_interned_string_int+357>:	
    lea    rax,[rip+0x9738c0]        # 0x13f1020 <compiler_globals>
   0xa7d760 <zend_new_interned_string_int+364>:	
    mov    rax,QWORD PTR [rax+0x2d8]
   0xa7d767 <zend_new_interned_string_int+371>:	mov    edx,DWORD PTR [rbp-0x2c]
   0xa7d76a <zend_new_interned_string_int+374>:	movsxd rdx,edx
   0xa7d76d <zend_new_interned_string_int+377>:	add    rdx,0x4f
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7f70 --> 0x800010e700000001 
0008| 0x7fffffff7f78 --> 0x7fff6d171070 --> 0x2d04034b50 
0016| 0x7fffffff7f80 --> 0xb3affff7fd0 
0024| 0x7fffffff7f88 --> 0x7ffff7ebdce0 --> 0x0 
0032| 0x7fffffff7f90 --> 0x2ddc759bc21f5b3a 
0040| 0x7fffffff7f98 --> 0x0 
0048| 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
0056| 0x7fffffff7fa8 --> 0xa12a52 (<zend_insert_literal+88>:	mov    rdx,rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, zend_new_interned_string_int (
    arKey=0x7fff6d171070 "PK\003\004-", nKeyLength=0x800010e7, free_src=0x1)
    at /home/user/Desktop/php-5.6.26/Zend/zend_string.c:117
117		CG(interned_strings_top) += ZEND_MM_ALIGNED_SIZE(sizeof(Bucket) + nKeyLength);


gdb-peda$ p nKeyLength
$1 = 0x800010e7        <- length of zip file is larger than 2 GB


gdb-peda$ n

 [----------------------------------registers-----------------------------------]
RAX: 0x13f1020 --> 0x4000000000 ('')
RBX: 0xa93d73 (<execute_ex>:	push   rbp)
RCX: 0x2ddc759bc21f5b3a 
RDX: 0x7fff77ebee10 ('a' <repeats 200 times>...)
RSI: 0x800010e7 
RDI: 0x7fff6d171070 --> 0x2d04034b50 
RBP: 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
RSP: 0x7fffffff7f70 --> 0x800010e700000001 
RIP: 0xa7d786 (<zend_new_interned_string_int+402>:	mov    rax,QWORD PTR [rbp-0x18])
R8 : 0x0 
R9 : 0x0 
R10: 0xfffffffe80173000 
R11: 0x246 
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa7d775 <zend_new_interned_string_int+385>:	add    rdx,rax
   0xa7d778 <zend_new_interned_string_int+388>:	
    lea    rax,[rip+0x9738a1]        # 0x13f1020 <compiler_globals>
   0xa7d77f <zend_new_interned_string_int+395>:	
    mov    QWORD PTR [rax+0x2d8],rdx
=> 0xa7d786 <zend_new_interned_string_int+402>:	mov    rax,QWORD PTR [rbp-0x18]
   0xa7d78a <zend_new_interned_string_int+406>:	lea    rdx,[rax+0x48]
   0xa7d78e <zend_new_interned_string_int+410>:	mov    rax,QWORD PTR [rbp-0x18]
   0xa7d792 <zend_new_interned_string_int+414>:	mov    QWORD PTR [rax+0x40],rdx
   0xa7d796 <zend_new_interned_string_int+418>:	mov    eax,DWORD PTR [rbp-0x2c]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7f70 --> 0x800010e700000001 
0008| 0x7fffffff7f78 --> 0x7fff6d171070 --> 0x2d04034b50 
0016| 0x7fffffff7f80 --> 0xb3affff7fd0 
0024| 0x7fffffff7f88 --> 0x7ffff7ebdce0 --> 0x0 
0032| 0x7fffffff7f90 --> 0x2ddc759bc21f5b3a 
0040| 0x7fffffff7f98 --> 0x0 
0048| 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
0056| 0x7fffffff7fa8 --> 0xa12a52 (<zend_insert_literal+88>:	mov    rdx,rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
123		p->arKey = (char*)(p+1);


gdb-peda$ p p->arKey
$2 = 0x0


gdb-peda$ n

 [----------------------------------registers-----------------------------------]
RAX: 0x7ffff7ebdce0 --> 0x0 
RBX: 0xa93d73 (<execute_ex>:	push   rbp)
RCX: 0x2ddc759bc21f5b3a 
RDX: 0x7ffff7ebdd28 --> 0x0 
RSI: 0x800010e7 
RDI: 0x7fff6d171070 --> 0x2d04034b50 
RBP: 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
RSP: 0x7fffffff7f70 --> 0x800010e700000001 
RIP: 0xa7d796 (<zend_new_interned_string_int+418>:	mov    eax,DWORD PTR [rbp-0x2c])
R8 : 0x0 
R9 : 0x0 
R10: 0xfffffffe80173000 
R11: 0x246 
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa7d78a <zend_new_interned_string_int+406>:	lea    rdx,[rax+0x48]
   0xa7d78e <zend_new_interned_string_int+410>:	mov    rax,QWORD PTR [rbp-0x18]
   0xa7d792 <zend_new_interned_string_int+414>:	mov    QWORD PTR [rax+0x40],rdx
=> 0xa7d796 <zend_new_interned_string_int+418>:	mov    eax,DWORD PTR [rbp-0x2c]
   0xa7d799 <zend_new_interned_string_int+421>:	movsxd rdx,eax
   0xa7d79c <zend_new_interned_string_int+424>:	mov    rax,QWORD PTR [rbp-0x18]
   0xa7d7a0 <zend_new_interned_string_int+428>:	mov    rax,QWORD PTR [rax+0x40]
   0xa7d7a4 <zend_new_interned_string_int+432>:	mov    rcx,QWORD PTR [rbp-0x28]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7f70 --> 0x800010e700000001 
0008| 0x7fffffff7f78 --> 0x7fff6d171070 --> 0x2d04034b50 
0016| 0x7fffffff7f80 --> 0xb3affff7fd0 
0024| 0x7fffffff7f88 --> 0x7ffff7ebdce0 --> 0x0 
0032| 0x7fffffff7f90 --> 0x2ddc759bc21f5b3a 
0040| 0x7fffffff7f98 --> 0x0 
0048| 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
0056| 0x7fffffff7fa8 --> 0xa12a52 (<zend_insert_literal+88>:	mov    rdx,rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
124		memcpy((char*)p->arKey, arKey, nKeyLength);
gdb-peda$ p p->arKey
$3 = 0x7ffff7ebdd28 ""
gdb-peda$ p arKey
$4 = 0x7fff6d171070 "PK\003\004-"
gdb-peda$ p nKeyLength
$5 = 0x800010e7


gdb-peda$ n

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0xffffffff752b3378 
RBX: 0xa93d73 (<execute_ex>:	push   rbp)
RCX: 0x7ffff7fe2000 
RDX: 0x7fff77ebee00 --> 0x0 
RSI: 0x7fff6d171088 --> 0x657400140008ffff 
RDI: 0x7ffff7ebdd28 --> 0x2d04034b50 
RBP: 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
RSP: 0x7fffffff7f68 --> 0xa7d7b3 (<zend_new_interned_string_int+447>:	cmp    DWORD PTR [rbp-0x30],0x0)
RIP: 0x7ffff43c0ed6 (<__memcpy_sse2_unaligned+230>:	)
R8 : 0xffffffff752b3368 
R9 : 0xffffffff752b3358 
R10: 0xffffffff752b3348 
R11: 0x246 
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff43c0ec8 <__memcpy_sse2_unaligned+216>:	lea    r8,[r10+0x20]
   0x7ffff43c0ecc <__memcpy_sse2_unaligned+220>:	lea    rax,[r10+0x30]
   0x7ffff43c0ed0 <__memcpy_sse2_unaligned+224>:	
    movdqu xmm8,XMMWORD PTR [rcx+r10*1]
=> 0x7ffff43c0ed6 <__memcpy_sse2_unaligned+230>:	
    movdqa XMMWORD PTR [rcx],xmm8
   0x7ffff43c0edb <__memcpy_sse2_unaligned+235>:	
    movdqu xmm8,XMMWORD PTR [rcx+r9*1]
   0x7ffff43c0ee1 <__memcpy_sse2_unaligned+241>:	
    movdqa XMMWORD PTR [rcx+0x10],xmm8
   0x7ffff43c0ee7 <__memcpy_sse2_unaligned+247>:	
    movdqu xmm8,XMMWORD PTR [rcx+r8*1]
   0x7ffff43c0eed <__memcpy_sse2_unaligned+253>:	
    movdqa XMMWORD PTR [rcx+0x20],xmm8
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7f68 --> 0xa7d7b3 (<zend_new_interned_string_int+447>:	cmp    DWORD PTR [rbp-0x30],0x0)
0008| 0x7fffffff7f70 --> 0x800010e700000001 
0016| 0x7fffffff7f78 --> 0x7fff6d171070 --> 0x2d04034b50 
0024| 0x7fffffff7f80 --> 0xb3affff7fd0 
0032| 0x7fffffff7f88 --> 0x7ffff7ebdce0 --> 0x0 
0040| 0x7fffffff7f90 --> 0x2ddc759bc21f5b3a 
0048| 0x7fffffff7f98 --> 0x0 
0056| 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:81
81	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.


gdb-peda$ bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:81
#1  0x0000000000a7d7b3 in zend_new_interned_string_int (
    arKey=0x7fff6d171070 "PK\003\004-", nKeyLength=0x800010e7, free_src=0x1)
    at /home/user/Desktop/php-5.6.26/Zend/zend_string.c:124
#2  0x0000000000a12a52 in zend_insert_literal (op_array=0x7ffff7fbec48, 
    zv=0x7fffffff8400, literal_position=0x0)
    at /home/user/Desktop/php-5.6.26/Zend/zend_compile.c:343
#3  0x0000000000a12c3d in zend_add_literal (op_array=0x7ffff7fbec48, 
    zv=0x7fffffff8400) at /home/user/Desktop/php-5.6.26/Zend/zend_compile.c:366
#4  0x0000000000a15c54 in zend_do_echo (arg=0x7fffffff83f8)
    at /home/user/Desktop/php-5.6.26/Zend/zend_compile.c:877
#5  0x00000000009e2021 in zendparse ()
    at /home/user/Desktop/php-5.6.26/Zend/zend_language_parser.c:4125
#6  0x00000000009ea42d in compile_file (file_handle=0x7fffffffa690, type=0x2)
    at Zend/zend_language_scanner.l:586
#7  0x00000000007d1292 in phar_compile_file (file_handle=0x7fffffffa690, 
    type=0x2) at /home/user/Desktop/php-5.6.26/ext/phar/phar.c:3371
#8  0x00000000009ea617 in compile_filename (type=0x2, filename=0x7ffff7f86218)
    at Zend/zend_language_scanner.l:629
#9  0x0000000000aa6048 in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (
    execute_data=0x7ffff7f86258)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:8354
#10 0x0000000000a93dd3 in execute_ex (execute_data=0x7ffff7f86258)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:363
#11 0x0000000000a93e5a in zend_execute (op_array=0x7ffff7fbe538)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:388
#12 0x0000000000a4c498 in zend_execute_scripts (type=0x8, retval=0x0, 
    file_count=0x3) at /home/user/Desktop/php-5.6.26/Zend/zend.c:1341
#13 0x00000000009ad757 in php_execute_script (primary_file=0x7fffffffcd60)
    at /home/user/Desktop/php-5.6.26/main/main.c:2613
#14 0x0000000000b09556 in do_cli (argc=0x2, argv=0x13f5560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:994
#15 0x0000000000b0a8b9 in main (argc=0x2, argv=0x13f5560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1378
#16 0x00007ffff4342830 in __libc_start_main (main=0xb0a09c <main>, argc=0x2, 
    argv=0x7fffffffe198, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe188)
    at ../csu/libc-start.c:291
#17 0x00000000004397b9 in _start ()
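The arithmetic behind the trace above, as an added example that is not part of the report or of PHP's own source. In 5.6 the string length reaches zend_new_interned_string_int as a C int; 0x800010e7 does not fit in a signed 32-bit int, so it is negative there, and the conversion to size_t sign-extends it (the movsxd in the disassembly). The arena top is therefore moved backwards by roughly 2 GB and memcpy is asked for about 2^64 - 2^31 bytes, which is the SIGSEGV in __memcpy_sse2_unaligned. The code models CG(interned_strings_start/top/end) as a toy bump allocator, and assumes sizeof(Bucket) == 0x48 and 8-byte alignment, both read off the gdb disassembly (lea rdx,[rax+0x48]; add rdx,0x4f); the names legacy_intern_calc, intern_checked and checked_selftest are this example's own. The hardened variant keeps the length as size_t end to end and checks both for wrap and for arena capacity before writing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed from the gdb disassembly in the report: sizeof(Bucket) is 0x48 on
   this x86_64 build and ZEND_MM_ALIGNED_SIZE rounds up to 8 bytes. */
#define BUCKET_SIZE ((size_t)0x48)
#define ZEND_MM_ALIGNED_SIZE(size) (((size) + 7) & ~(size_t)7)

/* Toy model of CG(interned_strings_start/top/end): a bump allocator over one buffer. */
typedef struct {
    char *start;
    char *top;
    char *end;
} arena_t;

/* What the 5.6 code computes when the length arrives as a C int. A length
   >= 2^31 is a negative int; converting it to size_t sign-extends, so both
   the arena advance and the size handed to memcpy become enormous. */
typedef struct {
    ptrdiff_t top_delta;   /* amount added to interned_strings_top */
    size_t    memcpy_len;  /* what memcpy's size_t parameter receives */
} legacy_calc_t;

legacy_calc_t legacy_intern_calc(int nKeyLength)
{
    legacy_calc_t r;
    /* int -> size_t conversion happens here, exactly as with sizeof(Bucket) + nKeyLength */
    size_t advance = ZEND_MM_ALIGNED_SIZE(BUCKET_SIZE + nKeyLength);
    r.top_delta  = (ptrdiff_t)advance;
    r.memcpy_len = (size_t)nKeyLength;
    return r;
}

/* Hardened variant (this example's own, not PHP's fix): length is size_t end
   to end, and the size computation and the arena capacity are checked before
   any write. Returns a pointer to the stored string body, or NULL on rejection. */
char *intern_checked(arena_t *a, const char *key, size_t len)
{
    size_t need;
    char *bucket;

    if (len > SIZE_MAX - BUCKET_SIZE - 7)        /* BUCKET_SIZE + len + 7 would wrap */
        return NULL;
    need = ZEND_MM_ALIGNED_SIZE(BUCKET_SIZE + len);
    if ((size_t)(a->end - a->top) < need)        /* does not fit in the arena */
        return NULL;

    bucket  = a->top;
    a->top += need;
    memcpy(bucket + BUCKET_SIZE, key, len);      /* string body follows the Bucket header */
    return bucket + BUCKET_SIZE;
}

/* Exercises intern_checked on a small arena; returns 1 when it behaves as intended. */
int checked_selftest(void)
{
    static char buf[256];
    arena_t a = { buf, buf, buf + sizeof buf };
    char *s = intern_checked(&a, "hello", 5);
    if (!s || memcmp(s, "hello", 5) != 0 || a.top != buf + 0x50) return 0;
    if (intern_checked(&a, "x", (size_t)0x800010e7) != NULL) return 0;  /* 2 GB+: rejected */
    if (intern_checked(&a, "x", SIZE_MAX) != NULL) return 0;            /* would wrap: rejected */
    return 1;
}

int main(void)
{
    int bad_len = (int)0x800010e7u;              /* nKeyLength from the report, as the int it becomes */
    legacy_calc_t c = legacy_intern_calc(bad_len);

    printf("legacy 5.6 arithmetic: top_delta=%td memcpy_len=%#zx\n", c.top_delta, c.memcpy_len);
    printf("checked variant self-test: %s\n", checked_selftest() ? "ok" : "FAILED");
    return 0;
}
```

With the reported length, legacy_intern_calc returns a negative top_delta and a memcpy_len of 0xffffffff800010e7 on LP64, which is why the copy runs off the end of the mapping; the checked variant rejects the same length before touching memory.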

History

 [2016-09-26 04:39 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-09-26 04:39 UTC] stas@php.net
Could you please provide a backtrace?
 [2016-09-26 04:40 UTC] stas@php.net
-Status: Feedback +Status: Open
 [2016-09-26 04:40 UTC] stas@php.net
Ah, sorry, didn't notice, it's at the end.
 [2016-09-26 04:41 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-09-26 04:41 UTC] stas@php.net
Doesn't look like a security issue - you're including a zip file, which is not what is commonly done.
 [2016-09-26 12:25 UTC] nguyenluan dot vnn at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-09-26 12:25 UTC] nguyenluan dot vnn at gmail dot com
I tested including a PHP file larger than 2 GB and this still happens. I think we have a problem when including any file larger than 2 GB. This could cause PHP to crash and a denial of service.
 [2016-10-12 00:02 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-10-12 00:02 UTC] stas@php.net
Please provide a reproducing case where it's not doing something no real PHP programmer would do, like including a 2 GB zip file as PHP.
 [2016-10-19 14:16 UTC] nguyenluan dot vnn at gmail dot com
-Status: Feedback +Status: Open
 [2016-10-19 14:16 UTC] nguyenluan dot vnn at gmail dot com
Yes, I agree with you. No PHP developer could include a file larger than 2 GB. But please change it to Bug and fix it.
 [2016-10-20 02:29 UTC] stas@php.net
-Type: Security +Type: Bug
 