php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74947 Segfault in scanner on INF number
Submitted: 2017-07-19 06:06 UTC Modified: 2017-07-21 03:52 UTC
From: geeknik at protonmail dot ch Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.1.7 OS: Fedora 26 x64
Private report: No CVE-ID:
 [2017-07-19 06:06 UTC] geeknik at protonmail dot ch
Description:
------------
Built with afl-clang-fast and ASan/UBSan on Fedora 26 x64. While fuzzing with AFL this runtime error was triggered. 

Test script:
---------------
<?200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000[

Expected result:
----------------
Business as usual. 

Actual result:
--------------
Zend/zend_string.h:122:36: runtime error: member access within null pointer of type 'zend_string' (aka 'struct _zend_string')
    #0 0x1f0480c in zend_string_alloc /root/php-7.1.7/Zend/zend_string.h:122:36
    #1 0x1f0480c in zend_string_init /root/php-7.1.7/Zend/zend_string.h:158
    #2 0x1f0480c in _zend_hash_str_add /root/php-7.1.7/Zend/zend_hash.c:666
    #3 0x1ae0ac5 in zend_hash_str_add_mem /root/php-7.1.7/Zend/zend_hash.h:620:12
    #4 0x1ae0ac5 in sapi_register_post_entry /root/php-7.1.7/main/SAPI.c:954
    #5 0x1ae07e6 in sapi_register_post_entries /root/php-7.1.7/main/SAPI.c:940:7
    #6 0x1aeea3b in php_setup_sapi_content_types /root/php-7.1.7/main/php_content_types.c:64:2
    #7 0x29801ee in main /root/php-7.1.7/sapi/cli/php_cli.c:1326:2
    #8 0x7f08e77424d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)
    #9 0x43aad9 in _start (/root/php-7.1.7/sapi/cli/php+0x43aad9)

SUMMARY: AddressSanitizer: undefined-behavior Zend/zend_string.h:122:36 in

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-21 03:52 UTC] laruence@php.net
-Summary: runtime error: member access within null pointer of type 'zend_string' +Summary: Segfault in scanner on INF number
 [2017-07-21 04:05 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=95d2908814585bd9c3c9a1eab4989bc551b6cc73
Log: Fixed bug #74947 (Segfault in scanner on INF number)
 [2017-07-21 04:05 UTC] laruence@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC