Bug #74377 null pointer deref and crash in zval_addref_p()
Submitted: 2017-04-05 19:24 UTC
Modified: 2020-12-27 04:22 UTC
From: brian dot carpenter at gmail dot com
Assigned: cmb
Status: No Feedback
Package: Reproducible crash
PHP Version: 5.6.30
OS: Debian 8 x64
Private report: No
CVE-ID: None

 [2017-04-05 19:24 UTC] brian dot carpenter at gmail dot com
Description:
------------
PHP 5.6.30 on Debian 8 x64 compiled with afl-gcc and ASAN.

Test script:
---------------
https://drive.google.com/file/d/0B3Tl4QiWJUt8TkVpZFZaZUVHQlU/view?usp=sharing

Expected result:
----------------
No crash.

Actual result:
--------------
==22740==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000001cf6a5c sp 0x7ffd0bcd1980 bp 0x7fc8ca0b49f8 T0)
    #0 0x1cf6a5b in zval_addref_p /root/php-5.6.30/Zend/zend.h:407
    #1 0x1cf6a5b in zend_binary_assign_op_helper_SPEC_CV_CV /root/php-5.6.30/Zend/zend_vm_execute.h:40099
    #2 0x1a2f7d6 in execute_ex /root/php-5.6.30/Zend/zend_vm_execute.h:363
    #3 0x1898d30 in zend_execute_scripts /root/php-5.6.30/Zend/zend.c:1341
    #4 0x15d377f in php_execute_script /root/php-5.6.30/main/main.c:2613
    #5 0x1e5d29f in do_cli /root/php-5.6.30/sapi/cli/php_cli.c:998
    #6 0x456eb8 in main /root/php-5.6.30/sapi/cli/php_cli.c:1382
    #7 0x7fc8c7c0fb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #8 0x457e3e (/root/php-5.6.30/sapi/cli/php+0x457e3e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.30/Zend/zend.h:407 zval_addref_p

History

 [2020-12-18 12:51 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-12-18 12:51 UTC] cmb@php.net
I cannot reproduce the segfault.  Instead the script outputs:

    Warning: Use of undefined constant d - assumed 'd' (this will throw an Error in a future version of PHP) in 74377.php on line 1

    Warning: A non-numeric value encountered in 74377.php on line 1

    Warning: Use of undefined constant � - assumed '�' (this will throw an Error in a future version of PHP) in 74377.php on line 1

    Warning: A non-numeric value encountered in 74377.php on line 1

    Fatal error: Uncaught DivisionByZeroError: Modulo by zero in 74377.php:1
    Stack trace:
    #0 {main}
    thrown in 74377.php on line 1

Can you still reproduce this with any of the actively supported
PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2020-12-27 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Jan 21 09:01:23 2021 UTC