php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73452 Segfault (Regression for #69152)
Submitted: 2016-11-03 11:41 UTC Modified: 2016-12-10 17:21 UTC
From: remi@php.net Assigned: ab (profile)
Status: Closed Package: SOAP related
PHP Version: 7.0.12 OS:
Private report: No CVE-ID: None
 [2016-11-03 11:41 UTC] remi@php.net
Description:
------------
Running unit test from 5.6 with 7.0.12 (and 7.1.0RC5) raise a segfault.


Tagged as security... because original bug #69152 was a security issue (despite I think should be rated as low)

Test script:
---------------
<?php
$data = 'O:9:"SoapFault":4:{s:9:"faultcode";i:4298448493;s:11:"faultstring";i:4298448543;s:7:"'."\0*\0".'file";i:4298447319;s:7:"'."\0*\0".'line";s:4:"ryat";}';
echo unserialize($data);


Expected result:
----------------
SoapFault exception: [4298448493] 4298448543 in (null):0


Actual result:
--------------
Segmentation fault (core dumped)


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-03 11:43 UTC] remi@php.net
(gdb) bt
#0  0x00007ffff4ae0296 in strlen () from /lib64/libc.so.6
#1  0x00005555557417e1 in xbuf_format_converter (xbuf=xbuf@entry=0x7fffffffa370, is_char=is_char@entry=0 '\000', fmt=<optimized out>, 
    ap=ap@entry=0x7fffffffa3a0) at /usr/src/debug/php-7.0.12/main/spprintf.c:609
#2  0x0000555555742d19 in vstrpprintf (max_len=0, format=<optimized out>, ap=ap@entry=0x7fffffffa3a0)
    at /usr/src/debug/php-7.0.12/main/spprintf.c:881
#3  0x0000555555742e14 in strpprintf (max_len=max_len@entry=0, 
    format=format@entry=0x7fffe86554c0 "SoapFault exception: [%s] %s in %s:%pd\nStack trace:\n%s")
    at /usr/src/debug/php-7.0.12/main/spprintf.c:902
#4  0x00007fffe86222e0 in zim_SoapFault___toString (execute_data=<optimized out>, return_value=0x7fffffffa810)
    at /usr/src/debug/php-7.0.12/ext/soap/soap.c:975
#5  0x000055555578eaba in dtrace_execute_internal (execute_data=<optimized out>, return_value=<optimized out>)
    at /usr/src/debug/php-7.0.12/Zend/zend_dtrace.c:107
#6  0x000055555579081f in zend_call_function (fci=fci@entry=0x7fffffffa730, fci_cache=fci_cache@entry=0x7fffffffa700)
    at /usr/src/debug/php-7.0.12/Zend/zend_execute_API.c:877
#7  0x00005555557bcc72 in zend_call_method (object=object@entry=0x7ffff38130b0, obj_ce=<optimized out>, obj_ce@entry=0x555555c0e6d0, 
    fn_proxy=fn_proxy@entry=0x555555c0e800, function_name=function_name@entry=0x55555588b78b "__tostring", 
    function_name_len=function_name_len@entry=10, retval_ptr=retval_ptr@entry=0x7fffffffa810, param_count=0, arg1=0x0, arg2=0x0)
    at /usr/src/debug/php-7.0.12/Zend/zend_interfaces.c:104
#8  0x00005555557d7983 in zend_std_cast_object_tostring (readobj=0x7ffff38130b0, writeobj=0x7fffffffa890, type=<optimized out>)
    at /usr/src/debug/php-7.0.12/Zend/zend_object_handlers.c:1558
#9  0x0000555555796e4e in _zval_get_string_func (op=op@entry=0x7ffff38130b0) at /usr/src/debug/php-7.0.12/Zend/zend_operators.c:841
#10 0x00005555557f31e1 in ZEND_ECHO_SPEC_TMPVAR_HANDLER () at /usr/src/debug/php-7.0.12/Zend/zend_vm_execute.h:40451
#11 0x00005555557df52b in execute_ex (ex=ex@entry=0x7ffff38792c0) at /usr/src/debug/php-7.0.12/Zend/zend_vm_execute.h:414
#12 0x000055555578ea58 in dtrace_execute_ex (execute_data=0x7ffff38792c0) at /usr/src/debug/php-7.0.12/Zend/zend_dtrace.c:83
#13 0x00005555558337c7 in zend_execute (op_array=op_array@entry=0x7ffff3884000, return_value=return_value@entry=0x0)
    at /usr/src/debug/php-7.0.12/Zend/zend_vm_execute.h:458
#14 0x000055555579ec13 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/src/debug/php-7.0.12/Zend/zend.c:1427
#15 0x000055555573e720 in php_execute_script (primary_file=0x7fffffffcf50) at /usr/src/debug/php-7.0.12/main/main.c:2494
#16 0x000055555583547c in do_cli (argc=2, argv=0x555555ba4a60) at /usr/src/debug/php-7.0.12/sapi/cli/php_cli.c:974
#17 0x000055555561f5f9 in main (argc=2, argv=0x555555ba4a60) at /usr/src/debug/php-7.0.12/sapi/cli/php_cli.c:1344
 [2016-11-03 11:45 UTC] remi@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-11-10 09:39 UTC] dmitry@php.net
The code was fixed with http://git.php.net/?p=php-src.git;a=commitdiff;h=15ac4904727d22acdb9722871ef8f4acb7ddccae

Test and NEWS entry were not added.
 [2016-11-21 19:02 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2016-11-21 19:02 UTC] ab@php.net
I've added a test and a backport patch for 5.6. Would keep the bug private till the final, just for the case.

Thanks.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC