Bug #75033 memory corruption
Submitted: 2017-08-04 04:30 UTC Modified: 2017-08-11 20:58 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.1.8 OS:
Private report: No CVE-ID: None
 [2017-08-04 04:30 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
It causes denial of service.

Test script:
---------------
<?php
// Class whose destructor allocates another instance of itself: releasing one
// A creates the next A, whose destructor runs when it is released in turn,
// so the chain of destructor calls never terminates.
class A {
    public $a;

    public function __destruct() {
        $this->a = new A;
    }
}

// Deserialize a stdClass whose property "a" holds an A. When that object is
// released, A::__destruct runs and the recursion above begins.
$class = unserialize('O:8:"stdClass":1:{s:1:"a";O:1:"A":0:{}}');


Expected result:
----------------
NO CRASH 

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0xbf800000 
EBX: 0xbf8002d0 
ECX: 0xbf800270 
EDX: 0xb454db8c --> 0xb440300c --> 0x6d697402 
ESI: 0xb440300c --> 0x6d697402 
EDI: 0x0 
EBP: 0xbf800158 
ESP: 0xbf7fffb0 
EIP: 0x9ba47c8 (<zend_call_function+72>:	mov    DWORD PTR [ebp-0x18c],eax)
EFLAGS: 0x210282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x9ba47b6 <zend_call_function+54>:	lea    eax,[ebp-0x158]
   0x9ba47bc <zend_call_function+60>:	sub    esp,0x19c
   0x9ba47c2 <zend_call_function+66>:	mov    edi,DWORD PTR ds:0xac55ca0
=> 0x9ba47c8 <zend_call_function+72>:	mov    DWORD PTR [ebp-0x18c],eax
   0x9ba47ce <zend_call_function+78>:	test   edi,edi
   0x9ba47d0 <zend_call_function+80>:	jne    0x9bae338 <zend_call_function+39864>
   0x9ba47d6 <zend_call_function+86>:	xchg   ax,ax
   0x9ba47d8 <zend_call_function+88>:	lea    esp,[esp-0x10]
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0xbf7fffb0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x09ba47c8 in zend_call_function (fci=0xbf800270, fci_cache=0xbf8001f0)
    at /home/hjy/Desktop/php-7.1.8/Zend/zend_execute_API.c:677
677	{
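Added example, not code from the bug report or from PHP itself: the crash above comes from the unbounded recursion in A::__destruct (each destructor call creates another A whose destructor eventually runs, until the C stack is exhausted, which is why gdb reports an invalid $SP). The trigger, however, is serialized data choosing which class to instantiate. The script below uses a constructed payload of the same shape as the test script together with the allowed_classes option of unserialize() (available since PHP 7.0) to show that, when class instantiation is restricted, no user-defined destructor runs at all. The destructor here only counts its calls instead of recursing, so the example terminates.

```php
<?php
// Added example (not from the bug report): restricting which classes
// unserialize() may instantiate so that attacker-chosen classes, and their
// destructors, are never created.

class A {
    public $a;
    public static $destructed = 0;

    // Counting destructor; the report's recursive version is deliberately
    // not reproduced here.
    public function __destruct() {
        self::$destructed++;
    }
}

// Constructed payload: a stdClass whose property "a" is an object of class A.
$payload = 'O:8:"stdClass":1:{s:1:"a";O:1:"A":0:{}}';

// 1. Unrestricted unserialize(): A is instantiated and its destructor runs
//    as soon as the outer object is released.
$obj = unserialize($payload);
echo "unrestricted: inner object is ", get_class($obj->a), "\n";
unset($obj);
echo "unrestricted: destructor calls so far = ", A::$destructed, "\n";

// 2. allowed_classes => false: every object in the payload is restored as
//    __PHP_Incomplete_Class, which carries no user-defined destructor.
$obj = unserialize($payload, ['allowed_classes' => false]);
echo "restricted: outer object is ", get_class($obj), "\n";
// Property access on an incomplete object emits a notice; an array cast
// is permitted and exposes the nested value instead.
$inner = ((array) $obj)['a'];
echo "restricted: inner object is ", get_class($inner), "\n";
unset($obj, $inner);
echo "restricted: destructor calls so far = ", A::$destructed, "\n";

// 3. Allow only the classes the application actually expects; anything else
//    in the payload still becomes __PHP_Incomplete_Class.
$obj = unserialize($payload, ['allowed_classes' => ['stdClass']]);
echo "allow-list: outer object is ", get_class($obj), "\n";
echo "allow-list: inner object is ", get_class($obj->a), "\n";
unset($obj);
echo "allow-list: destructor calls so far = ", A::$destructed, "\n";
```

The destructor counter increases only in the unrestricted case; in the two restricted cases the nested A is never instantiated, so a payload of this shape cannot reach A::__destruct no matter what that destructor does. The recursion inside the destructor itself is a separate defect in the class (tracked under the duplicate referenced below) that allowed_classes does not address.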


 [2017-08-11 20:58 UTC] nikic@php.net
-Status: Open +Status: Duplicate
 [2017-08-11 20:58 UTC] nikic@php.net
Duplicate of bug #64280.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Sep 17 12:01:27 2019 UTC