Bug #75128 Invalid write in zval_delref_p()
Submitted: 2017-08-28 08:52 UTC
Modified: 2017-09-02 03:56 UTC
From: fumfi dot 255 at gmail dot com
Assigned:
Status: Open
Package: Reproducible crash
PHP Version: 7.1.8
OS: Ubuntu 16.04 x64
Private report: No
CVE-ID: None

 [2017-08-28 08:52 UTC] fumfi dot 255 at gmail dot com
Description:
------------
After some fuzz testing I found a crashing test case.

Version: 7.18

Command: php php_iw_zval_delref_p.php

Faulting PHP script: https://frankowicz.me/storage/crashes/php_iw_zval_delref_p.txt

ASAN:

==32358==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff1ff400000 (pc 0x0000017678cf bp 0x7ffc9544dc90 sp 0x7ffc9544daf0 T0)
==32358==The signal is caused by a WRITE memory access.
    #0 0x17678ce in zval_delref_p XYZ/php-7.1.8/Zend/zend_types.h:838:9
    #1 0x17678ce in i_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_variables.h:47
    #2 0x17678ce in zend_unclean_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_execute_API.c:210
    #3 0x1851027 in _zend_hash_del_el_ex XYZ/php-7.1.8/Zend/zend_hash.c:997:3
    #4 0x1851027 in _zend_hash_del_el XYZ/php-7.1.8/Zend/zend_hash.c:1020
    #5 0x1851027 in zend_hash_graceful_reverse_destroy XYZ/php-7.1.8/Zend/zend_hash.c:1476
    #6 0x1767f89 in shutdown_executor XYZ/php-7.1.8/Zend/zend_execute_API.c:279:3
    #7 0x17ce8ca in zend_deactivate XYZ/php-7.1.8/Zend/zend.c:999:2
    #8 0x1564144 in php_request_shutdown XYZ/php-7.1.8/main/main.c:1877:2
    #9 0x1c4215c in do_cli XYZ/php-7.1.8/sapi/cli/php_cli.c:1160:3
    #10 0x1c418e5 in main XYZ/php-7.1.8/sapi/cli/php_cli.c:1381:18
    #11 0x7ff20a65982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x43ac28 in _start (/usr/local/bin/php+0x43ac28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.8/Zend/zend_types.h:838:9 in zval_delref_p
==32358==ABORTING


 [2017-08-29 14:05 UTC] kalle@php.net
-Package: *General Issues +Package: Reproducible crash
 [2017-09-02 03:56 UTC] laruence@php.net
this is a known issue..... just don't have a good way to fix it yet
 
Last updated: Sun Nov 19 01:31:42 2017 UTC