Bug #74949 null pointer dereference in _function_string (php_reflection.c:865)
Submitted: 2017-07-19 07:44 UTC Modified: -
From: geeknik at protonmail dot ch Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.1.7 OS: Fedora 26 x64
Private report: No CVE-ID: None
 [2017-07-19 07:44 UTC] geeknik at protonmail dot ch
Description:
------------
Null deref triggered with AFL. Compiled with afl-clang-fast on Fedora 26 x64.

Test script:
---------------
./php -r '$f=function(stdClass$x):s{};$r=new ReflectionMethod($f,'__invoke');var_dump();$f=function():s{};var_dump($r->getParameters()[0]->getClass());echo$r?>['

Actual result:
--------------
Warning: var_dump() expects at least 1 parameter, 0 given in Command line code on line 1
/root/php-7.1.7/Zend/zend_hash.c:1291:41: runtime error: left shift of 32768 by 16 places cannot be represented in type 'int'
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/Zend/zend_hash.c:1291:41 in
object(ReflectionClass)#4 (1) {
  ["name"]=>
  string(8) "stdClass"
}

/root/php-7.1.7/ext/reflection/php_reflection.c:865:40: runtime error: member access within misaligned address 0xffffffffffffffff for type 'zend_class_entry' (aka 'struct _zend_class_entry'), which requires 8 byte alignment
0xffffffffffffffff: note: pointer points here
<memory cannot be printed>
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in


/root/php-7.1.7/ext/reflection/php_reflection.c:865:40: runtime error: load of misaligned address 0x000000000007 for type 'zend_string *' (aka 'struct _zend_string *'), which requires 8 byte alignment
0x000000000007: note: pointer points here
<memory cannot be printed>
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in

ASAN:DEADLYSIGNAL
=================================================================
==12003==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000007 (pc 0x000001357adc bp 0x7ffd3b75d5f0 sp 0x7ffd3b75d4c0 T0)
==12003==The signal is caused by a READ memory access.
==12003==Hint: address points to the zero page.
    #0 0x1357adb in _function_string /root/php-7.1.7/ext/reflection/php_reflection.c:865:40
    #1 0x1399d66 in zim_reflection_method___toString /root/php-7.1.7/ext/reflection/php_reflection.c:3186:2
    #2 0x1d61f71 in zend_call_function /root/php-7.1.7/Zend/zend_execute_API.c
    #3 0x1ff4d17 in zend_call_method /root/php-7.1.7/Zend/zend_interfaces.c:99:12
    #4 0x212f47c in zend_std_cast_object_tostring /root/php-7.1.7/Zend/zend_object_handlers.c:1631:6
    #5 0x1db49f3 in _zval_get_string_func /root/php-7.1.7/Zend/zend_operators.c:887:9
    #6 0x231823d in ZEND_ECHO_SPEC_CV_HANDLER /root/php-7.1.7/Zend/zend_vm_execute.h:34709:22
    #7 0x21a9e8a in execute_ex /root/php-7.1.7/Zend/zend_vm_execute.h:432:7
    #8 0x21ab3f7 in zend_execute /root/php-7.1.7/Zend/zend_vm_execute.h:474:2
    #9 0x1d6dc24 in zend_eval_stringl /root/php-7.1.7/Zend/zend_execute_API.c:1120:4
    #10 0x1d6ea20 in zend_eval_stringl_ex /root/php-7.1.7/Zend/zend_execute_API.c:1161:11
    #11 0x1d6ea20 in zend_eval_string_ex /root/php-7.1.7/Zend/zend_execute_API.c:1172
    #12 0x2982f44 in do_cli /root/php-7.1.7/sapi/cli/php_cli.c:1024:8
    #13 0x2980752 in main /root/php-7.1.7/sapi/cli/php_cli.c:1381:18
    #14 0x7f986c29b4d9 in __libc_start_main /usr/src/debug/glibc-2.25-24-g49f97e6/csu/../csu/libc-start.c:295
    #15 0x43aad9 in _start (/root/php-7.1.7/sapi/cli/php+0x43aad9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in _function_string
==12003==ABORTING
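Added triage helper, not part of this report or of php-src: the script below parses a sanitizer report of the shape shown above and classifies the fault the way a fuzzing pipeline would before deduplicating it. The addresses in the report are themselves informative. UBSan first flags member access within a zend_class_entry at 0xffffffffffffffff, then a load of a zend_string * at 0x000000000007, and ASan then faults on 0x7; since (0xffffffffffffffff + 8) mod 2^64 = 0x7, the "null" base pointer here is an all-ones pointer plus an 8-byte member offset, which is why ASan reports a zero-page read rather than a fault at exactly 0. The helper recovers that offset from the two UBSan addresses. The sample input is an excerpt of the report above; the 4 KiB page-size constant and the classification labels are this example's own assumptions.

```python
"""Added triage helper: parse an ASan/UBSan report and classify the fault."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: the relevant lines of the sanitizer report from this bug,
# trimmed to what the parser needs (the full report is above).
SAMPLE_REPORT = """\
/root/php-7.1.7/ext/reflection/php_reflection.c:865:40: runtime error: member access within misaligned address 0xffffffffffffffff for type 'zend_class_entry' (aka 'struct _zend_class_entry'), which requires 8 byte alignment
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in
/root/php-7.1.7/ext/reflection/php_reflection.c:865:40: runtime error: load of misaligned address 0x000000000007 for type 'zend_string *' (aka 'struct _zend_string *'), which requires 8 byte alignment
SUMMARY: AddressSanitizer: undefined-behavior /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in
ASAN:DEADLYSIGNAL
=================================================================
==12003==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000007 (pc 0x000001357adc bp 0x7ffd3b75d5f0 sp 0x7ffd3b75d4c0 T0)
==12003==The signal is caused by a READ memory access.
==12003==Hint: address points to the zero page.
    #0 0x1357adb in _function_string /root/php-7.1.7/ext/reflection/php_reflection.c:865:40
    #1 0x1399d66 in zim_reflection_method___toString /root/php-7.1.7/ext/reflection/php_reflection.c:3186:2
    #2 0x1d61f71 in zend_call_function /root/php-7.1.7/Zend/zend_execute_API.c
    #3 0x1ff4d17 in zend_call_method /root/php-7.1.7/Zend/zend_interfaces.c:99:12
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-7.1.7/ext/reflection/php_reflection.c:865:40 in _function_string
==12003==ABORTING
"""

ERROR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
UBSAN_RE = re.compile(r"^(?P<loc>\S+:\d+:\d+): runtime error: (?P<msg>.+)$")
MISALIGNED_RE = re.compile(r"misaligned address (0x[0-9a-fA-F]+)")

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages, so any address below this lies in the zero page


@dataclass
class Triage:
    kind: str = ""                     # e.g. "SEGV", "heap-use-after-free"
    address: Optional[int] = None      # faulting address, if ASan printed one
    access: str = ""                   # "READ" / "WRITE"
    frames: List[Tuple[str, str]] = field(default_factory=list)   # (function, file:line:col)
    ubsan: List[Tuple[str, str]] = field(default_factory=list)    # (location, message)
    ubsan_addresses: List[int] = field(default_factory=list)      # misaligned addresses seen before the crash

    @property
    def top_frame(self) -> Optional[Tuple[str, str]]:
        return self.frames[0] if self.frames else None


def parse_report(text: str) -> Triage:
    t = Triage()
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            t.kind = m.group("kind")
            if m.group("addr"):
                t.address = int(m.group("addr"), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            t.access = m.group("access")
            continue
        m = FRAME_RE.match(line)
        if m and t.kind:                # keep only the fatal report's stack
            t.frames.append((m.group("func"), m.group("loc")))
            continue
        m = UBSAN_RE.match(line)
        if m:
            t.ubsan.append((m.group("loc"), m.group("msg")))
            a = MISALIGNED_RE.search(line)
            if a:
                t.ubsan_addresses.append(int(a.group(1), 16))
    return t


def classify(t: Triage) -> str:
    """Coarse bucket for a fuzzing crash: zero-page faults are almost always a
    NULL (or NULL-like sentinel) pointer plus a member offset; other SEGVs are
    wild pointers and deserve a closer look before being deduplicated."""
    if t.kind == "SEGV" and t.address is not None:
        where = "null-page" if t.address < PAGE_SIZE else "wild-pointer"
        return f"{where} {t.access.lower() or 'access'}"
    return t.kind or "unknown"


def member_offset(t: Triage, width: int = 64) -> Optional[int]:
    """Reconstruct the member offset that was added to a bogus base pointer.
    UBSan reports the base ("member access within misaligned address B") and
    the final load address; fault = B + offset modulo 2**width, so
    offset = (fault - B) mod 2**width. Returns the smallest sub-page offset."""
    if t.address is None:
        return None
    offsets = [(t.address - b) % (1 << width) for b in t.ubsan_addresses if b != t.address]
    small = [o for o in offsets if o < PAGE_SIZE]
    return min(small) if small else None


if __name__ == "__main__":
    tr = parse_report(SAMPLE_REPORT)
    print(classify(tr), "in", tr.top_frame, "member offset", member_offset(tr))
```

On the excerpt above the helper reports a null-page read in _function_string at php_reflection.c:865:40 with a member offset of 8, i.e. the pointer that was dereferenced was not a clean NULL but an all-ones value, a distinction worth keeping when deduplicating fuzzer crashes, since a sentinel or freed-and-poisoned pointer and a genuine uninitialised NULL usually have different root causes.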

History
 [2017-07-27 03:25 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e36c04ef483d85fe145ee07280d8c31e7e295644
Log: Fixed bug #74949 (null pointer dereference in _function_string)
 [2017-07-27 03:25 UTC] laruence@php.net
-Status: Open +Status: Closed