Bug #74593 crash in i_zval_ptr_dtor()
Submitted: 2017-05-15 08:20 UTC Modified: 2017-09-10 21:34 UTC
Votes: 4
Avg. Score: 3.5 ± 0.9
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 0 (0.0%)
From: whitehat002 at hotmail dot com
Assigned: cmb
Status: Duplicate
Package: Reproducible crash
PHP Version: 7.1.5
OS:
Private report: No
CVE-ID: None
 [2017-05-15 08:20 UTC] whitehat002 at hotmail dot com
Description:
------------
The bug is related to bug #74310, but I find the bug still exists in PHP 7.1.5, which is the latest version.

Test script:
---------------
<?php
// Reproducer as posted. Under PHP 7 uniform variable syntax, $$array[N] is
// ${$array}[N]; $array (an empty array) converts to the string "Array", so
// both lines write a string offset of $Array.
$array=array();
$$array[99999999]=$Array="AAA";  // grows $Array to roughly 100 MB
$$array[1]=$$Array="BBB";        // this write exhausts memory_limit (128M), see below


Expected result:
----------------
no crash 

Actual result:
--------------
root@hackyzh-virtual-machine:~# gdb -q --args ./php-7.1.5/sapi/cli/php -n  poc2.php 
Reading symbols from /root/php-7.1.5/sapi/cli/php...done.
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 100000020 bytes) in /root/poc2.php on line 4

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0xb7013060 --> 0xb0e00000 
EBX: 0x8a8ae48 --> 0x1 
ECX: 0xb0e00000 
EDX: 0x0 
ESI: 0xc0 
EDI: 0xb70561c8 --> 0x0 
EBP: 0xb70561c0 --> 0xb7013060 --> 0xb0e00000 
ESP: 0xbfffe06c --> 0x83d205c (<zend_hash_graceful_reverse_destroy+300>:	mov    eax,DWORD PTR [esp+0x14])
EIP: 0x83b1d12 (<zend_unclean_zval_ptr_dtor+18>:	mov    edx,DWORD PTR [ecx])
EFLAGS: 0x210202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x83b1d0a <zend_unclean_zval_ptr_dtor+10>:	test   BYTE PTR [eax+0x9],0x4
   0x83b1d0e <zend_unclean_zval_ptr_dtor+14>:	je     0x83b1d32 <zend_unclean_zval_ptr_dtor+50>
   0x83b1d10 <zend_unclean_zval_ptr_dtor+16>:	mov    ecx,DWORD PTR [eax]
=> 0x83b1d12 <zend_unclean_zval_ptr_dtor+18>:	mov    edx,DWORD PTR [ecx]
   0x83b1d14 <zend_unclean_zval_ptr_dtor+20>:	sub    edx,0x1
   0x83b1d17 <zend_unclean_zval_ptr_dtor+23>:	test   edx,edx
   0x83b1d19 <zend_unclean_zval_ptr_dtor+25>:	mov    DWORD PTR [ecx],edx
   0x83b1d1b <zend_unclean_zval_ptr_dtor+27>:	je     0x83b1d40 <zend_unclean_zval_ptr_dtor+64>
[------------------------------------stack-------------------------------------]
0000| 0xbfffe06c --> 0x83d205c (<zend_hash_graceful_reverse_destroy+300>:	mov    eax,DWORD PTR [esp+0x14])
0004| 0xbfffe070 --> 0xbfffe0a0 --> 0xb7013060 --> 0xb0e00000 
0008| 0xbfffe074 --> 0x0 
0012| 0xbfffe078 --> 0x1 
0016| 0xbfffe07c --> 0xb7fff938 --> 0x0 
0020| 0xbfffe080 --> 0x1 
0024| 0xbfffe084 --> 0x8 
0028| 0xbfffe088 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
i_zval_ptr_dtor (zval_ptr=0xb7013060) at /root/php-7.1.5/Zend/zend_variables.h:47
47			if (!Z_DELREF_P(zval_ptr)) {
gdb-peda$ bt
#0  i_zval_ptr_dtor (zval_ptr=0xb7013060) at /root/php-7.1.5/Zend/zend_variables.h:47
#1  zend_unclean_zval_ptr_dtor (zv=0xb7013060)
    at /root/php-7.1.5/Zend/zend_execute_API.c:210
#2  0x083d205c in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, 
    idx=<optimized out>, ht=<optimized out>) at /root/php-7.1.5/Zend/zend_hash.c:998
#3  _zend_hash_del_el (p=<optimized out>, idx=0xc0, ht=0x8a8ae48)
    at /root/php-7.1.5/Zend/zend_hash.c:1021
#4  zend_hash_graceful_reverse_destroy (ht=0x8a8ae48)
    at /root/php-7.1.5/Zend/zend_hash.c:1477
#5  0x083b2341 in shutdown_executor () at /root/php-7.1.5/Zend/zend_execute_API.c:279
#6  0x083c161c in zend_deactivate () at /root/php-7.1.5/Zend/zend.c:999
#7  0x08361a97 in php_request_shutdown (dummy=0x0) at /root/php-7.1.5/main/main.c:1877
#8  0x08458fc0 in do_cli (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:1160
#9  0x080785ad in main (argc=0x3, argv=0x8a8e868)
    at /root/php-7.1.5/sapi/cli/php_cli.c:1381
#10 0xb791daf3 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#11 0x08078641 in _start ()
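Added example, not part of the report and not PHP's own code. The report does not say why shutdown dereferences a stale zval, but the backtrace shows the shape of the problem: a memory-limit fatal error that never returns to the code that hit it, followed by a destructor walking the symbol table. The C model below, with hypothetical names (rstr, limited_alloc, assign_offset_unsafe, assign_offset_safe, symtab_destroy, run_scenario), shows how a string-offset write that gives up its reference before the separating copy has been allocated turns such a bailout into a double release at shutdown, and the allocate-then-swap order that survives the same bailout. Released blocks are quarantined rather than returned to the heap so the dangling reference can be counted instead of crashing the model; whether this is the actual defect behind bug #74310 is not established by this page.

```c
#include <setjmp.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Refcounted string, loosely modelled on zend_string (hypothetical, simplified). */
typedef struct {
    int refcount;
    bool freed;   /* released blocks are quarantined, not free()d, so a dangling
                     reference can be inspected instead of crashing the model */
    size_t len;
    char val[];
} rstr;

#define BLOCK_SIZE(len) (sizeof(rstr) + (len) + 1)

/* Mock heap with a memory limit. Exceeding it longjmps out, as the engine's
 * "Allowed memory size exhausted" fatal error never returns to its caller. */
static jmp_buf bailout;
static size_t mem_used, mem_limit;
static rstr *quarantine[16];
static int n_quarantined;

static void *limited_alloc(size_t n) {
    if (mem_used + n > mem_limit)
        longjmp(bailout, 1);          /* whatever the caller had half-done stays so */
    mem_used += n;
    return calloc(1, n);
}

static rstr *rstr_create(const char *src, size_t len) {
    rstr *s = limited_alloc(BLOCK_SIZE(len));
    s->refcount = 1;
    s->len = len;
    memcpy(s->val, src, len);
    return s;
}

/* Drop one reference. Returns false on a block that was already released: the
 * point where a real engine dereferences freed memory (cf. i_zval_ptr_dtor above). */
static bool rstr_release(rstr *s) {
    if (s->freed)
        return false;
    if (--s->refcount == 0) {
        s->freed = true;
        mem_used -= BLOCK_SIZE(s->len);
        quarantine[n_quarantined++] = s;
    }
    return true;
}

typedef struct { rstr *s; } slot;     /* a symbol-table entry owning one reference */

/* Unsafe order: the slot gives up its reference before its private copy exists.
 * If the copy's allocation bails out, the slot still points at a string it no
 * longer owns, and the extra release only surfaces when the table is destroyed. */
static void assign_offset_unsafe(slot *sl, size_t off, char c) {
    rstr *s = sl->s;
    if (s->refcount > 1) {            /* shared: separate before writing */
        rstr_release(s);
        s = rstr_create(s->val, s->len);   /* may longjmp */
        sl->s = s;
    }
    s->val[off] = c;
}

/* Safe order: allocate first, so nothing observable changes unless the copy exists. */
static void assign_offset_safe(slot *sl, size_t off, char c) {
    rstr *s = sl->s;
    if (s->refcount > 1) {
        rstr *copy = rstr_create(s->val, s->len);   /* may longjmp; state intact */
        rstr_release(s);
        sl->s = s = copy;
    }
    s->val[off] = c;
}

/* Shutdown: release every entry in reverse, like zend_hash_graceful_reverse_destroy.
 * Returns how many dangling references were hit. */
static int symtab_destroy(slot *tab, int n) {
    int dangling = 0;
    for (int i = n - 1; i >= 0; i--)
        if (tab[i].s && !rstr_release(tab[i].s))
            dangling++;
    return dangling;
}

#define LEN 64
/* Constructed scenario: two entries share one string, an offset write must separate
 * it, and the limit leaves no room for the copy. Returns the number of dangling
 * references found at shutdown: 0 with the safe order, 1 with the unsafe order. */
int run_scenario(bool safe) {
    char filler[LEN];
    memset(filler, 'A', LEN);
    mem_used = 0;
    mem_limit = 2 * BLOCK_SIZE(LEN) - 1;   /* one string fits, its copy does not */
    n_quarantined = 0;
    slot tab[2] = {{0}, {0}};
    tab[0].s = rstr_create(filler, LEN);
    tab[1].s = tab[0].s;
    tab[1].s->refcount++;
    if (setjmp(bailout) == 0) {
        if (safe) assign_offset_safe(&tab[0], 1, 'B');
        else      assign_offset_unsafe(&tab[0], 1, 'B');
    }
    /* else: the fatal error has been reported and the engine proceeds to shutdown */
    int dangling = symtab_destroy(tab, 2);
    for (int i = 0; i < n_quarantined; i++)
        free(quarantine[i]);
    return dangling;
}

int main(void) {
    printf("safe order: %d dangling, unsafe order: %d dangling\n",
           run_scenario(true), run_scenario(false));
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c`. The point of the model is the ordering rule, not the exact engine code path: any operation that can bail out through a non-returning error must either do all of its fallible allocation before it changes refcounts or pointers that shutdown will later walk, or roll those changes back on the error path.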


History

 [2017-09-10 21:34 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2017-09-10 21:34 UTC] cmb@php.net
> The bug is related to bug#74310.But I find the bug still exists
> in php7.1.5 which is the latest version.

Of course, since bug #74310 has not yet been fixed. Closing as
duplicate.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun Jul 05 08:01:27 2020 UTC