php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75189 Invalid read in zend_string_release()
Submitted: 2017-09-11 15:07 UTC Modified: 2021-07-02 10:20 UTC
From: fumfi dot 255 at gmail dot com Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 7.1.9 OS: Xubuntu 16.04 x64
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-09-11 15:07 UTC] fumfi dot 255 at gmail dot com 
Description:
------------
After some fuzz testing I found a crashing test case.

Version: 7.18

Command: php php_ir_zend_string_release.php

Faulting PHP script: https://frankowicz.me/storage/crashes/php_ir_zend_string_release.txt

ASAN:

==3643==ERROR: AddressSanitizer: SEGV on unknown address 0x7f22bb400005 (pc 0x00000184bce4 bp 0x000002767b60 sp 0x7ffed871ccf0 T0)
==3643==The signal is caused by a READ memory access.
    #0 0x184bce3 in zend_string_release XYZ/php-7.1.8/Zend/zend_string.h:270:7
    #1 0x184bce3 in zend_array_destroy XYZ/php-7.1.8/Zend/zend_hash.c:1311
    #2 0x192c600 in zend_object_std_dtor XYZ/php-7.1.8/Zend/zend_objects.c:60:5
    #3 0x1949bb5 in zend_objects_store_del XYZ/php-7.1.8/Zend/zend_objects_API.c:178:8
    #4 0x17c742f in _zval_dtor_func XYZ/php-7.1.8/Zend/zend_variables.c:56:5
    #5 0x184b84c in i_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_variables.h:48:4
    #6 0x184b84c in zend_array_destroy XYZ/php-7.1.8/Zend/zend_hash.c:1305
    #7 0x17c7463 in _zval_dtor_func XYZ/php-7.1.8/Zend/zend_variables.c:43:5
    #8 0x1767a30 in i_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_variables.h:48:4
    #9 0x1767a30 in zend_unclean_zval_ptr_dtor XYZ/php-7.1.8/Zend/zend_execute_API.c:210
    #10 0x1851027 in _zend_hash_del_el_ex XYZ/php-7.1.8/Zend/zend_hash.c:997:3
    #11 0x1851027 in _zend_hash_del_el XYZ/php-7.1.8/Zend/zend_hash.c:1020
    #12 0x1851027 in zend_hash_graceful_reverse_destroy XYZ/php-7.1.8/Zend/zend_hash.c:1476
    #13 0x1767f89 in shutdown_executor XYZ/php-7.1.8/Zend/zend_execute_API.c:279:3
    #14 0x17ce8ca in zend_deactivate XYZ/php-7.1.8/Zend/zend.c:999:2
    #15 0x1564144 in php_request_shutdown XYZ/php-7.1.8/main/main.c:1877:2
    #16 0x1c4215c in do_cli XYZ/php-7.1.8/sapi/cli/php_cli.c:1160:3
    #17 0x1c418e5 in main XYZ/php-7.1.8/sapi/cli/php_cli.c:1381:18
    #18 0x7f22c87c782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #19 0x43ac28 in _start (/usr/local/bin/php+0x43ac28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.8/Zend/zend_string.h:270:7 in zend_string_release
==3643==ABORTING

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-09-12 13:39 UTC] laruence@php.net
-Status: Open +Status: Analyzed
 [2017-09-12 13:39 UTC] laruence@php.net 
this is similar as https://bugs.php.net/bug.php?id=75128
 [2017-09-13 23:02 UTC] cmb@php.net
-Summary: Inwalid read in zend_string_release() +Summary: Invalid read in zend_string_release()
 [2021-07-02 10:20 UTC] nikic@php.net
-Status: Analyzed +Status: Wont fix
 [2021-07-02 10:20 UTC] nikic@php.net 
The reproducer no longer works, and as it is a non-reduced one, it's hard to guess at what the issue here was originally.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 25 17:01:29 2024 UTC