php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73164 crash in zend_new_interned_string_int when include PHAR file
Submitted: 2016-09-24 13:37 UTC Modified: 2021-01-31 04:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: nguyenluan dot vnn at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: Scripting Engine problem
PHP Version: 5.6.26 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nguyenluan dot vnn at gmail dot com
New email:
PHP Version: OS:

 

 [2016-09-24 13:37 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
PHP crashed in zend_new_interned_string_int while include PHAR file larger than 2Gb.

static const char *zend_new_interned_string_int(const char *arKey, int nKeyLength, int free_src TSRMLS_DC){

        ...
        ...

        p = (Bucket *) CG(interned_strings_top);
	CG(interned_strings_top) += ZEND_MM_ALIGNED_SIZE(sizeof(Bucket) + nKeyLength);

#if ZEND_DEBUG_INTERNED_STRINGS
	mprotect(CG(interned_strings_start), CG(interned_strings_end) - CG(interned_strings_start), PROT_READ | PROT_WRITE);
#endif
	
	p->arKey = (char*)(p+1);
	memcpy((char*)p->arKey, arKey, nKeyLength);  <- crash here
	if (free_src) {
		efree((void *)arKey);
	}

Test script:
---------------
Python script to create PHAR file (please run with Python 3):
#! /usr/bin/env python3

import zipfile

fname = 'test.txt'

with zipfile.ZipFile('zip1.zip', 'w') as z:
    z.writestr(fname, 'a'*0x80001000)
    

PHP script:
<?php
    ini_set('memory_limit', -1);
    
    include __DIR__ . '/zip1.zip';
?>

Expected result:
----------------
No crash

Actual result:
--------------
gdb-peda$ b phar.c:3371
Breakpoint 1 at 0x7d1277: file /home/user/Desktop/php-5.6.26/ext/phar/phar.c, line 3371.
gdb-peda$ r ../test/string/test_phar_file_get_contents.php 
Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/string/test_phar_file_get_contents.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 [----------------------------------registers-----------------------------------]
RAX: 0x13f1020 --> 0x0 
RBX: 0x0 
RCX: 0x61 ('a')
RDX: 0xf6395eb8238ab911 
RSI: 0x0 
RDI: 0x7fffffffa7a0 --> 0x0 
RBP: 0x7fffffffa870 --> 0x7fffffffa9b0 --> 0x7fffffffcc00 --> 0x7fffffffdf60 --> 0x7fffffffe0b0 --> 0xb17770 (<__libc_csu_init>:	push   r15)
RSP: 0x7fffffffa6e0 --> 0x801695bf0 
RIP: 0x7d1277 (<phar_compile_file+1266>:	)
R8 : 0xfeffc00000000000 
R9 : 0x0 
R10: 0x361 
R11: 0x7ffff43cb640 (<__strstr_sse2_unaligned>:	movzx  eax,BYTE PTR [rsi])
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7d125c <phar_compile_file+1239>:	mov    DWORD PTR [rbp-0x174],0x0
   0x7d1266 <phar_compile_file+1249>:	
    lea    rax,[rip+0xc1fdb3]        # 0x13f1020 <compiler_globals>
   0x7d126d <phar_compile_file+1256>:	mov    DWORD PTR [rax+0xf0],0x0
=> 0x7d1277 <phar_compile_file+1266>:	
    mov    rax,QWORD PTR [rip+0xc1ab0a]        # 0x13ebd88 <phar_orig_compile_file>
   0x7d127e <phar_compile_file+1273>:	mov    ecx,DWORD PTR [rbp-0x18c]
   0x7d1284 <phar_compile_file+1279>:	mov    rdx,QWORD PTR [rbp-0x188]
   0x7d128b <phar_compile_file+1286>:	mov    esi,ecx
   0x7d128d <phar_compile_file+1288>:	mov    rdi,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa6e0 --> 0x801695bf0 
0008| 0x7fffffffa6e8 --> 0x7fffffffcd60 --> 0x7fff00000002 
0016| 0x7fffffffa6f0 --> 0x7fffffffa840 --> 0x7ffff7fbe450 --> 0x7fffb6d96766 
0024| 0x7fffffffa6f8 --> 0xa80fdd (<tsrm_realpath_r+2866>:	movzx  eax,BYTE PTR [rbp-0xc1])
0032| 0x7fffffffa700 --> 0x0 
0040| 0x7fffffffa708 --> 0x84 
0048| 0x7fffffffa710 --> 0x7fffffffa780 --> 0x2100000001 
0056| 0x7fffffffa718 --> 0x7fffffffbb20 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, phar_compile_file (file_handle=0x7fffffffcd60, type=0x8)
    at /home/user/Desktop/php-5.6.26/ext/phar/phar.c:3371
3371			res = phar_orig_compile_file(file_handle, type TSRMLS_CC);


gdb-peda$ c
Continuing.

 [----------------------------------registers-----------------------------------]
RAX: 0x13f1020 --> 0x4000000000 ('')
RBX: 0xa93d73 (<execute_ex>:	push   rbp)
RCX: 0x2 
RDX: 0xf6395eb8270ab911 
RSI: 0x0 
RDI: 0x7fffffffa560 --> 0xa93d73 (<execute_ex>:	push   rbp)
RBP: 0x7fffffffa630 --> 0x7fffffffa710 --> 0x7fffffffa810 --> 0x7fffffffa840 --> 0x7fffffffa870 --> 0x7fffffffa9b0 (--> ...)
RSP: 0x7fffffffa4a0 --> 0x2ffffa500 
RIP: 0x7d1277 (<phar_compile_file+1266>:	)
R8 : 0xfec0f08000000000 
R9 : 0xa20 (' \n')
R10: 0x0 
R11: 0x7ffff44b6730 --> 0xfffda400fffda12f 
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7d125c <phar_compile_file+1239>:	mov    DWORD PTR [rbp-0x174],0x0
   0x7d1266 <phar_compile_file+1249>:	
    lea    rax,[rip+0xc1fdb3]        # 0x13f1020 <compiler_globals>
   0x7d126d <phar_compile_file+1256>:	mov    DWORD PTR [rax+0xf0],0x0
=> 0x7d1277 <phar_compile_file+1266>:	
    mov    rax,QWORD PTR [rip+0xc1ab0a]        # 0x13ebd88 <phar_orig_compile_file>
   0x7d127e <phar_compile_file+1273>:	mov    ecx,DWORD PTR [rbp-0x18c]
   0x7d1284 <phar_compile_file+1279>:	mov    rdx,QWORD PTR [rbp-0x188]
   0x7d128b <phar_compile_file+1286>:	mov    esi,ecx
   0x7d128d <phar_compile_file+1288>:	mov    rdi,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa4a0 --> 0x2ffffa500 
0008| 0x7fffffffa4a8 --> 0x7fffffffa690 --> 0x7fff00000000 
0016| 0x7fffffffa4b0 --> 0x7ffff7fbeba0 --> 0x7fffb6d96896 
0024| 0x7fffffffa4b8 --> 0x9e8 
0032| 0x7fffffffa4c0 --> 0x0 
0040| 0x7fffffffa4c8 --> 0xb ('\x0b')
0048| 0x7fffffffa4d0 --> 0x7fffffffa530 --> 0x7fffffffa600 --> 0x5cb00000a20 
0056| 0x7fffffffa4d8 --> 0x7fffffffbb20 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, phar_compile_file (file_handle=0x7fffffffa690, type=0x2)
    at /home/user/Desktop/php-5.6.26/ext/phar/phar.c:3371
3371			res = phar_orig_compile_file(file_handle, type TSRMLS_CC);


gdb-peda$ b zend_string.c:117
Breakpoint 2 at 0xa7d759: file /home/user/Desktop/php-5.6.26/Zend/zend_string.c, line 117.


gdb-peda$ c
Continuing.

 [----------------------------------registers-----------------------------------]
RAX: 0x7ffff7ebdce0 --> 0x0 
RBX: 0xa93d73 (<execute_ex>:	push   rbp)
RCX: 0x2ddc759bc21f5b3a 
RDX: 0x7fff77ebee10 ('a' <repeats 200 times>...)
RSI: 0x800010e7 
RDI: 0x7fff6d171070 --> 0x2d04034b50 
RBP: 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
RSP: 0x7fffffff7f70 --> 0x800010e700000001 
RIP: 0xa7d759 (<zend_new_interned_string_int+357>:	)
R8 : 0x0 
R9 : 0x0 
R10: 0xfffffffe80173000 
R11: 0x246 
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa7d747 <zend_new_interned_string_int+339>:	
    lea    rax,[rip+0x9738d2]        # 0x13f1020 <compiler_globals>
   0xa7d74e <zend_new_interned_string_int+346>:	
    mov    rax,QWORD PTR [rax+0x2d8]
   0xa7d755 <zend_new_interned_string_int+353>:	mov    QWORD PTR [rbp-0x18],rax
=> 0xa7d759 <zend_new_interned_string_int+357>:	
    lea    rax,[rip+0x9738c0]        # 0x13f1020 <compiler_globals>
   0xa7d760 <zend_new_interned_string_int+364>:	
    mov    rax,QWORD PTR [rax+0x2d8]
   0xa7d767 <zend_new_interned_string_int+371>:	mov    edx,DWORD PTR [rbp-0x2c]
   0xa7d76a <zend_new_interned_string_int+374>:	movsxd rdx,edx
   0xa7d76d <zend_new_interned_string_int+377>:	add    rdx,0x4f
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7f70 --> 0x800010e700000001 
0008| 0x7fffffff7f78 --> 0x7fff6d171070 --> 0x2d04034b50 
0016| 0x7fffffff7f80 --> 0xb3affff7fd0 
0024| 0x7fffffff7f88 --> 0x7ffff7ebdce0 --> 0x0 
0032| 0x7fffffff7f90 --> 0x2ddc759bc21f5b3a 
0040| 0x7fffffff7f98 --> 0x0 
0048| 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
0056| 0x7fffffff7fa8 --> 0xa12a52 (<zend_insert_literal+88>:	mov    rdx,rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, zend_new_interned_string_int (
    arKey=0x7fff6d171070 "PK\003\004-", nKeyLength=0x800010e7, free_src=0x1)
    at /home/user/Desktop/php-5.6.26/Zend/zend_string.c:117
117		CG(interned_strings_top) += ZEND_MM_ALIGNED_SIZE(sizeof(Bucket) + nKeyLength);


gdb-peda$ p #! /usr/bin/env python


gdb-peda$ p nKeyLength
$1 = 0x800010e7        <- length of zip file is larger than 2Gb


gdb-peda$ n

 [----------------------------------registers-----------------------------------]
RAX: 0x13f1020 --> 0x4000000000 ('')
RBX: 0xa93d73 (<execute_ex>:	push   rbp)
RCX: 0x2ddc759bc21f5b3a 
RDX: 0x7fff77ebee10 ('a' <repeats 200 times>...)
RSI: 0x800010e7 
RDI: 0x7fff6d171070 --> 0x2d04034b50 
RBP: 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
RSP: 0x7fffffff7f70 --> 0x800010e700000001 
RIP: 0xa7d786 (<zend_new_interned_string_int+402>:	mov    rax,QWORD PTR [rbp-0x18])
R8 : 0x0 
R9 : 0x0 
R10: 0xfffffffe80173000 
R11: 0x246 
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa7d775 <zend_new_interned_string_int+385>:	add    rdx,rax
   0xa7d778 <zend_new_interned_string_int+388>:	
    lea    rax,[rip+0x9738a1]        # 0x13f1020 <compiler_globals>
   0xa7d77f <zend_new_interned_string_int+395>:	
    mov    QWORD PTR [rax+0x2d8],rdx
=> 0xa7d786 <zend_new_interned_string_int+402>:	mov    rax,QWORD PTR [rbp-0x18]
   0xa7d78a <zend_new_interned_string_int+406>:	lea    rdx,[rax+0x48]
   0xa7d78e <zend_new_interned_string_int+410>:	mov    rax,QWORD PTR [rbp-0x18]
   0xa7d792 <zend_new_interned_string_int+414>:	mov    QWORD PTR [rax+0x40],rdx
   0xa7d796 <zend_new_interned_string_int+418>:	mov    eax,DWORD PTR [rbp-0x2c]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7f70 --> 0x800010e700000001 
0008| 0x7fffffff7f78 --> 0x7fff6d171070 --> 0x2d04034b50 
0016| 0x7fffffff7f80 --> 0xb3affff7fd0 
0024| 0x7fffffff7f88 --> 0x7ffff7ebdce0 --> 0x0 
0032| 0x7fffffff7f90 --> 0x2ddc759bc21f5b3a 
0040| 0x7fffffff7f98 --> 0x0 
0048| 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
0056| 0x7fffffff7fa8 --> 0xa12a52 (<zend_insert_literal+88>:	mov    rdx,rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
123		p->arKey = (char*)(p+1);


gdb-peda$ p p->arKey
$2 = 0x0


gdb-peda$ n

 [----------------------------------registers-----------------------------------]
RAX: 0x7ffff7ebdce0 --> 0x0 
RBX: 0xa93d73 (<execute_ex>:	push   rbp)
RCX: 0x2ddc759bc21f5b3a 
RDX: 0x7ffff7ebdd28 --> 0x0 
RSI: 0x800010e7 
RDI: 0x7fff6d171070 --> 0x2d04034b50 
RBP: 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
RSP: 0x7fffffff7f70 --> 0x800010e700000001 
RIP: 0xa7d796 (<zend_new_interned_string_int+418>:	mov    eax,DWORD PTR [rbp-0x2c])
R8 : 0x0 
R9 : 0x0 
R10: 0xfffffffe80173000 
R11: 0x246 
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa7d78a <zend_new_interned_string_int+406>:	lea    rdx,[rax+0x48]
   0xa7d78e <zend_new_interned_string_int+410>:	mov    rax,QWORD PTR [rbp-0x18]
   0xa7d792 <zend_new_interned_string_int+414>:	mov    QWORD PTR [rax+0x40],rdx
=> 0xa7d796 <zend_new_interned_string_int+418>:	mov    eax,DWORD PTR [rbp-0x2c]
   0xa7d799 <zend_new_interned_string_int+421>:	movsxd rdx,eax
   0xa7d79c <zend_new_interned_string_int+424>:	mov    rax,QWORD PTR [rbp-0x18]
   0xa7d7a0 <zend_new_interned_string_int+428>:	mov    rax,QWORD PTR [rax+0x40]
   0xa7d7a4 <zend_new_interned_string_int+432>:	mov    rcx,QWORD PTR [rbp-0x28]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7f70 --> 0x800010e700000001 
0008| 0x7fffffff7f78 --> 0x7fff6d171070 --> 0x2d04034b50 
0016| 0x7fffffff7f80 --> 0xb3affff7fd0 
0024| 0x7fffffff7f88 --> 0x7ffff7ebdce0 --> 0x0 
0032| 0x7fffffff7f90 --> 0x2ddc759bc21f5b3a 
0040| 0x7fffffff7f98 --> 0x0 
0048| 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
0056| 0x7fffffff7fa8 --> 0xa12a52 (<zend_insert_literal+88>:	mov    rdx,rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
124		memcpy((char*)p->arKey, arKey, nKeyLength);
gdb-peda$ p p->arKey
$3 = 0x7ffff7ebdd28 ""
gdb-peda$ p arKey
$4 = 0x7fff6d171070 "PK\003\004-"
gdb-peda$ p nKeyLength
$5 = 0x800010e7


gdb-peda$ n

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0xffffffff752b3378 
RBX: 0xa93d73 (<execute_ex>:	push   rbp)
RCX: 0x7ffff7fe2000 
RDX: 0x7fff77ebee00 --> 0x0 
RSI: 0x7fff6d171088 --> 0x657400140008ffff 
RDI: 0x7ffff7ebdd28 --> 0x2d04034b50 
RBP: 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
RSP: 0x7fffffff7f68 --> 0xa7d7b3 (<zend_new_interned_string_int+447>:	cmp    DWORD PTR [rbp-0x30],0x0)
RIP: 0x7ffff43c0ed6 (<__memcpy_sse2_unaligned+230>:	)
R8 : 0xffffffff752b3368 
R9 : 0xffffffff752b3358 
R10: 0xffffffff752b3348 
R11: 0x246 
R12: 0x439790 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe190 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff43c0ec8 <__memcpy_sse2_unaligned+216>:	lea    r8,[r10+0x20]
   0x7ffff43c0ecc <__memcpy_sse2_unaligned+220>:	lea    rax,[r10+0x30]
   0x7ffff43c0ed0 <__memcpy_sse2_unaligned+224>:	
    movdqu xmm8,XMMWORD PTR [rcx+r10*1]
=> 0x7ffff43c0ed6 <__memcpy_sse2_unaligned+230>:	
    movdqa XMMWORD PTR [rcx],xmm8
   0x7ffff43c0edb <__memcpy_sse2_unaligned+235>:	
    movdqu xmm8,XMMWORD PTR [rcx+r9*1]
   0x7ffff43c0ee1 <__memcpy_sse2_unaligned+241>:	
    movdqa XMMWORD PTR [rcx+0x10],xmm8
   0x7ffff43c0ee7 <__memcpy_sse2_unaligned+247>:	
    movdqu xmm8,XMMWORD PTR [rcx+r8*1]
   0x7ffff43c0eed <__memcpy_sse2_unaligned+253>:	
    movdqa XMMWORD PTR [rcx+0x20],xmm8
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7f68 --> 0xa7d7b3 (<zend_new_interned_string_int+447>:	cmp    DWORD PTR [rbp-0x30],0x0)
0008| 0x7fffffff7f70 --> 0x800010e700000001 
0016| 0x7fffffff7f78 --> 0x7fff6d171070 --> 0x2d04034b50 
0024| 0x7fffffff7f80 --> 0xb3affff7fd0 
0032| 0x7fffffff7f88 --> 0x7ffff7ebdce0 --> 0x0 
0040| 0x7fffffff7f90 --> 0x2ddc759bc21f5b3a 
0048| 0x7fffffff7f98 --> 0x0 
0056| 0x7fffffff7fa0 --> 0x7fffffff7fe0 --> 0x7fffffff8010 --> 0x7fffffff8040 --> 0x7fffffffa350 --> 0x7fffffffa490 (--> ...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:81
81	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.


gdb-peda$ bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:81
#1  0x0000000000a7d7b3 in zend_new_interned_string_int (
    arKey=0x7fff6d171070 "PK\003\004-", nKeyLength=0x800010e7, free_src=0x1)
    at /home/user/Desktop/php-5.6.26/Zend/zend_string.c:124
#2  0x0000000000a12a52 in zend_insert_literal (op_array=0x7ffff7fbec48, 
    zv=0x7fffffff8400, literal_position=0x0)
    at /home/user/Desktop/php-5.6.26/Zend/zend_compile.c:343
#3  0x0000000000a12c3d in zend_add_literal (op_array=0x7ffff7fbec48, 
    zv=0x7fffffff8400) at /home/user/Desktop/php-5.6.26/Zend/zend_compile.c:366
#4  0x0000000000a15c54 in zend_do_echo (arg=0x7fffffff83f8)
    at /home/user/Desktop/php-5.6.26/Zend/zend_compile.c:877
#5  0x00000000009e2021 in zendparse ()
    at /home/user/Desktop/php-5.6.26/Zend/zend_language_parser.c:4125
#6  0x00000000009ea42d in compile_file (file_handle=0x7fffffffa690, type=0x2)
    at Zend/zend_language_scanner.l:586
#7  0x00000000007d1292 in phar_compile_file (file_handle=0x7fffffffa690, 
    type=0x2) at /home/user/Desktop/php-5.6.26/ext/phar/phar.c:3371
#8  0x00000000009ea617 in compile_filename (type=0x2, filename=0x7ffff7f86218)
    at Zend/zend_language_scanner.l:629
#9  0x0000000000aa6048 in ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER (
    execute_data=0x7ffff7f86258)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:8354
#10 0x0000000000a93dd3 in execute_ex (execute_data=0x7ffff7f86258)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:363
#11 0x0000000000a93e5a in zend_execute (op_array=0x7ffff7fbe538)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:388
#12 0x0000000000a4c498 in zend_execute_scripts (type=0x8, retval=0x0, 
    file_count=0x3) at /home/user/Desktop/php-5.6.26/Zend/zend.c:1341
#13 0x00000000009ad757 in php_execute_script (primary_file=0x7fffffffcd60)
    at /home/user/Desktop/php-5.6.26/main/main.c:2613
#14 0x0000000000b09556 in do_cli (argc=0x2, argv=0x13f5560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:994
#15 0x0000000000b0a8b9 in main (argc=0x2, argv=0x13f5560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1378
#16 0x00007ffff4342830 in __libc_start_main (main=0xb0a09c <main>, argc=0x2, 
    argv=0x7fffffffe198, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe188)
    at ../csu/libc-start.c:291
#17 0x00000000004397b9 in _start ()

Patches

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-26 04:39 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-09-26 04:39 UTC] stas@php.net
Could you please provide a backtrace?
 [2016-09-26 04:40 UTC] stas@php.net
-Status: Feedback +Status: Open
 [2016-09-26 04:40 UTC] stas@php.net
Ah, sorry, didn't notice, it's at the end.
 [2016-09-26 04:41 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-09-26 04:41 UTC] stas@php.net
Doesn't look like security issue - you're including a zip file, that's not what is commonly done.
 [2016-09-26 12:25 UTC] nguyenluan dot vnn at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-09-26 12:25 UTC] nguyenluan dot vnn at gmail dot com
I tested to include a PHP with length larger than 2Gb and this still happen. I think we have problem when include any file larger than 2Gb. This could cause PHP to crash and denial of service.
 [2016-10-12 00:02 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-10-12 00:02 UTC] stas@php.net
Please provide a reproducing case where it's not doing something no real PHP programmer would do, like including 2GB zip file as PHP.
 [2016-10-19 14:16 UTC] nguyenluan dot vnn at gmail dot com
-Status: Feedback +Status: Open
 [2016-10-19 14:16 UTC] nguyenluan dot vnn at gmail dot com
Yes, I agree with you. No PHP developer could include file larger than 2Gb. But please change it to Bug and fix it.
 [2016-10-20 02:29 UTC] stas@php.net
-Type: Security +Type: Bug
 [2021-01-19 16:22 UTC] cmb@php.net
-Status: Open +Status: Feedback -Package: PHAR related +Package: Scripting Engine problem -Assigned To: +Assigned To: cmb
 [2021-01-19 16:22 UTC] cmb@php.net
To be clear: this is not Phar related; not even related to ZIP
archives, but rather that you're trying to include some binary
data (likely the same would happen if the same data where passed
as script to php).

Anyhow, I cannot reproduce the crash with PHP-7.4, so I'm assuming
this issue has been resolved.  Or can somebody else still
reproduce it with any of the actively supported PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-01-31 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Sep 07 20:01:28 2024 UTC