php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75241 Null pointer dereference in zend_mm_alloc_small()
Submitted: 2017-09-21 08:40 UTC Modified: -
From: fumfi dot 255 at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 7.1.9 OS: Ubuntu 16.04 x64
Private report: No CVE-ID: None
 [2017-09-21 08:40 UTC] fumfi dot 255 at gmail dot com
Description:
------------
After some fuzz testing I found a crashing test case.

Version: 7.18

Command: php php_nullptr_zend_mm_alloc_small.php

ASAN:

==22121==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000016aab11 bp 0x0fe6bf7c0010 sp 0x7fff4f0ba340 T0)
==22121==The signal is caused by a READ memory access.
==22121==Hint: address points to the zero page.
    #0 0x16aab10 in zend_mm_alloc_small XYZ/php-7.1.8/Zend/zend_alloc.c:1261:33
    #1 0x16aab10 in zend_mm_alloc_heap XYZ/php-7.1.8/Zend/zend_alloc.c:1332
    #2 0x16aab10 in _emalloc XYZ/php-7.1.8/Zend/zend_alloc.c:2417
    #3 0x198bde8 in zend_string_alloc XYZ/php-7.1.8/Zend/zend_string.h:122:36
    #4 0x198bde8 in ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDLER XYZ/php-7.1.8/Zend/zend_vm_execute.h:52084
    #5 0x196fb4d in execute_ex XYZ/php-7.1.8/Zend/zend_vm_execute.h:432:7
    #6 0x176fb4c in zend_call_function XYZ/php-7.1.8/Zend/zend_execute_API.c:855:3
    #7 0x176d73d in _call_user_function_ex XYZ/php-7.1.8/Zend/zend_execute_API.c:672:9
    #8 0x17d018f in zend_error_noreturn XYZ/php-7.1.8/Zend/zend.c:1254:8
    #9 0x1b111c5 in ZEND_ASSIGN_OBJ_SPEC_VAR_CONST_OP_DATA_CONST_HANDLER XYZ/php-7.1.8/Zend/zend_vm_execute.h:18801:5
    #10 0x196fb4d in execute_ex XYZ/php-7.1.8/Zend/zend_vm_execute.h:432:7
    #11 0x1970b2b in zend_execute XYZ/php-7.1.8/Zend/zend_vm_execute.h:474:2
    #12 0x17d2629 in zend_execute_scripts XYZ/php-7.1.8/Zend/zend.c:1476:4
    #13 0x156a812 in php_execute_script XYZ/php-7.1.8/main/main.c:2537:14
    #14 0x1c4506d in do_cli XYZ/php-7.1.8/sapi/cli/php_cli.c:993:5
    #15 0x1c418e5 in main XYZ/php-7.1.8/sapi/cli/php_cli.c:1381:18
    #16 0x7f360124682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x43ac28 in _start (/usr/local/bin/php+0x43ac28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.8/Zend/zend_alloc.c:1261:33 in zend_mm_alloc_small
==22121==ABORTING



Test script:
---------------
<?php
function eh(){e."0000000";}set_error_handler('eh');$d->d=&$d+$d->d/=0?><?$$d->b=0;


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-09-24 09:25 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b05ff14a9aa8fd98eea9cbeb090f9d64bf302561
Log: Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
 [2017-09-24 09:25 UTC] laruence@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC