Bug #74949 null pointer dereference in _function_string (php_reflection.c:865)
Submitted: 2017-07-19 07:44 UTC
Modified: -
From: geeknik at protonmail dot ch
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 7.1.7
OS: Fedora 26 x64
Private report: No
CVE-ID:
 [2017-07-19 07:44 UTC] geeknik at protonmail dot ch
Description:
------------
Null deref triggered with AFL. Compiled with afl-clang-fast on Fedora 26 x64.

Test script:
---------------
./php -r '$f=function(stdClass$x):s{};$r=new ReflectionMethod($f,'__invoke');var_dump();$f=function():s{};var_dump($r->getParameters()[0]->getClass());echo$r?>['

Actual result:
--------------
Warning: var_dump() expects at least 1 parameter, 0 given in Command line code on line 1
/root/php-7.1.7/Zend/zend_hash.c:1291:41: runtime error: left shift of 32768 by 16 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_hash.c:1291:41 in
object(ReflectionClass)#4 (1) {
  ["name"]=>
  string(8) "stdClass"
}

/root/php-7.1.7/ext/reflection/php_reflection.c:865:40: runtime error: member access within misaligned address 0xffffffffffffffff for type 'zend_class_entry' (aka 'struct _zend_class_entry'), which requires 8 byte alignment
0xffffffffffffffff: note: pointer points here
<memory cannot be printed>
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in


/root/php-7.1.7/ext/reflection/php_reflection.c:865:40: runtime error: load of misaligned address 0x000000000007 for type 'zend_string *' (aka 'struct _zend_string *'), which requires 8 byte alignment
0x000000000007: note: pointer points here
<memory cannot be printed>
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in

ASAN:DEADLYSIGNAL
=================================================================
==12003==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000007 (pc 0x000001357adc bp 0x7ffd3b75d5f0 sp 0x7ffd3b75d4c0 T0)
==12003==The signal is caused by a READ memory access.
==12003==Hint: address points to the zero page.
    #0 0x1357adb in _function_string /root/php-7.1.7/ext/reflection/php_reflection.c:865:40
    #1 0x1399d66 in zim_reflection_method___toString /root/php-7.1.7/ext/reflection/php_reflection.c:3186:2
    #2 0x1d61f71 in zend_call_function /root/php-7.1.7/Zend/zend_execute_API.c
    #3 0x1ff4d17 in zend_call_method /root/php-7.1.7/Zend/zend_interfaces.c:99:12
    #4 0x212f47c in zend_std_cast_object_tostring /root/php-7.1.7/Zend/zend_object_handlers.c:1631:6
    #5 0x1db49f3 in _zval_get_string_func /root/php-7.1.7/Zend/zend_operators.c:887:9
    #6 0x231823d in ZEND_ECHO_SPEC_CV_HANDLER /root/php-7.1.7/Zend/zend_vm_execute.h:34709:22
    #7 0x21a9e8a in execute_ex /root/php-7.1.7/Zend/zend_vm_execute.h:432:7
    #8 0x21ab3f7 in zend_execute /root/php-7.1.7/Zend/zend_vm_execute.h:474:2
    #9 0x1d6dc24 in zend_eval_stringl /root/php-7.1.7/Zend/zend_execute_API.c:1120:4
    #10 0x1d6ea20 in zend_eval_stringl_ex /root/php-7.1.7/Zend/zend_execute_API.c:1161:11
    #11 0x1d6ea20 in zend_eval_string_ex /root/php-7.1.7/Zend/zend_execute_API.c:1172
    #12 0x2982f44 in do_cli /root/php-7.1.7/sapi/cli/php_cli.c:1024:8
    #13 0x2980752 in main /root/php-7.1.7/sapi/cli/php_cli.c:1381:18
    #14 0x7f986c29b4d9 in __libc_start_main /usr/src/debug/glibc-2.25-24-g49f97e6/csu/../csu/libc-start.c:295
    #15 0x43aad9 in _start (/root/php-7.1.7/sapi/cli/php+0x43aad9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in _function_string
==12003==ABORTING

History

 [2017-07-27 03:25 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e36c04ef483d85fe145ee07280d8c31e7e295644
Log: Fixed bug #74949 (null pointer dereference in _function_string)
 [2017-07-27 03:25 UTC] laruence@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC