Bug #75128 Invalid write in zval_delref_p()
Submitted: 2017-08-28 08:52 UTC Modified: 2021-07-02 10:22 UTC
From: fumfi dot 255 at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1.8 OS: Ubuntu 16.04 x64
Private report: No CVE-ID: None
 [2017-08-28 08:52 UTC] fumfi dot 255 at gmail dot com
After some fuzz testing I found a crashing test case.

Version: 7.18

Command: php php_iw_zval_delref_p.php

Faulting PHP script:


==32358==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff1ff400000 (pc 0x0000017678cf bp 0x7ffc9544dc90 sp 0x7ffc9544daf0 T0)
==32358==The signal is caused by a WRITE memory access.
    #0 0x17678ce in zval_delref_p XYZ/php-7.1.8/Zend/zend_types.h:838:9
    #1 0x17678ce in i_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_variables.h:47
    #2 0x17678ce in zend_unclean_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_execute_API.c:210
    #3 0x1851027 in _zend_hash_del_el_ex XYZ/php-7.1.8/Zend/zend_hash.c:997:3
    #4 0x1851027 in _zend_hash_del_el XYZ/php-7.1.8/Zend/zend_hash.c:1020
    #5 0x1851027 in zend_hash_graceful_reverse_destroy XYZ/php-7.1.8/Zend/zend_hash.c:1476
    #6 0x1767f89 in shutdown_executor XYZ/php-7.1.8/Zend/zend_execute_API.c:279:3
    #7 0x17ce8ca in zend_deactivate XYZ/php-7.1.8/Zend/zend.c:999:2
    #8 0x1564144 in php_request_shutdown XYZ/php-7.1.8/main/main.c:1877:2
    #9 0x1c4215c in do_cli XYZ/php-7.1.8/sapi/cli/php_cli.c:1160:3
    #10 0x1c418e5 in main XYZ/php-7.1.8/sapi/cli/php_cli.c:1381:18
    #11 0x7ff20a65982f in __libc_start_main (/lib/x86_64-linux-gnu/
    #12 0x43ac28 in _start (/usr/local/bin/php+0x43ac28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.8/Zend/zend_types.h:838:9 in zval_delref_p


 [2017-08-29 14:05 UTC]
-Package: *General Issues +Package: Reproducible crash
 [2017-09-02 03:56 UTC]
This is a known issue... just don't have a good way to fix it yet
 [2021-07-02 10:22 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2021-07-02 10:22 UTC]
This no longer reproduces, even after fixing the undefined constant issue.

Looking at the reproducer and the stack trace, this looks like an issue we had with hitting the memory limit during a string reallocation, in which case refcount was not managed correctly. This issue has since been fixed.
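An added C model of the failure class described in the closing comment, not Zend code and not the actual fix: a refcounted string whose grow path bails out (modelled with longjmp) when a memory limit is hit, showing how releasing the old reference before the fallible allocation leaves the count wrong, next to the ordering that keeps it consistent. All names (rstr, grow_buggy, grow_fixed, refcount_after_failed_grow) and the limit accounting are constructed for this illustration.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Zend code: a refcounted string whose grow path can
 * bail out (longjmp) when a memory limit is hit, like PHP's memory_limit. */
typedef struct { int refcount; size_t len; char val[]; } rstr;

static jmp_buf bailout;
static size_t mem_limit = 0, mem_used = 0;  /* 0 = unlimited */

static rstr *rstr_alloc(size_t len) {
    size_t n = sizeof(rstr) + len + 1;
    if (mem_limit && mem_used + n > mem_limit)
        longjmp(bailout, 1);  /* "Allowed memory size exhausted": no return */
    mem_used += n;
    rstr *s = malloc(n);
    s->refcount = 1; s->len = len;
    return s;
}

/* Buggy ordering: the old reference is released before the allocation that
 * may bail out; after a bailout the survivor is under-counted. */
static rstr *grow_buggy(rstr *old, size_t extra) {
    old->refcount--;
    rstr *n = rstr_alloc(old->len + extra);
    memcpy(n->val, old->val, old->len + 1);
    return n;
}

/* Fixed ordering: allocate first; release the old reference only on success. */
static rstr *grow_fixed(rstr *old, size_t extra) {
    rstr *n = rstr_alloc(old->len + extra);
    memcpy(n->val, old->val, old->len + 1);
    old->refcount--;
    return n;
}

/* Shares a string between two owners, forces the grow to hit the limit and
 * returns the survivor's refcount: 2 is correct, 1 means a lost reference. */
static int refcount_after_failed_grow(int use_fixed) {
    mem_limit = 0; mem_used = 0;
    rstr *s = rstr_alloc(3);
    memcpy(s->val, "abc", 4);
    s->refcount = 2;
    mem_limit = mem_used + 1;  /* any further allocation now bails out */
    if (setjmp(bailout) == 0) (void)(use_fixed ? grow_fixed(s, 64) : grow_buggy(s, 64));
    int rc = s->refcount; free(s); return rc;
}
```

A refcount of 1 on a string still held by two owners is exactly the state in which a later release (such as the shutdown-time destructor in the trace above) operates on memory that has already been freed.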
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sat Feb 04 10:04:08 2023 UTC