PHP :: Bug #75566 :: Stack overflow in php_userstreamop

Bug #75566	Stack overflow in php_userstreamop_close()
Submitted:	2017-11-24 12:41 UTC	Modified:	2017-11-25 00:01 UTC
From:	fumfi dot 255 at gmail dot com	Assigned:
Status:	Not a bug	Package:	*General Issues
PHP Version:	7.1.12	OS:	Ubuntu 16.04
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2017-11-24 12:41 UTC] fumfi dot 255 at gmail dot com

Description:
------------
After some fuzz testing I found a crashing test case.

Version: 7.1.12

Command: php php_so_php_userstreamop_close.php

ASAN:

==31836==ERROR: AddressSanitizer: stack-overflow on address 0x7fffcffc4ff8 (pc 0x00000044ca75 bp 0x7fffcffc5870 sp 0x7fffcffc5000 T0)
    #0 0x44ca74 in strlen /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:282:19
    #1 0x1583a58 in xbuf_format_converter XYZ/php-7.1.12/main/spprintf.c:605:16
    #2 0x157c56a in vspprintf XYZ/php-7.1.12/main/spprintf.c:843:2
    #3 0x1568e08 in php_error_cb XYZ/php-7.1.12/main/main.c:1045:20
    #4 0x17d305b in zend_error_noreturn XYZ/php-7.1.12/Zend/zend.c
    #5 0x1ab580b in ZEND_FETCH_CONSTANT_SPEC_UNUSED_CONST_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:29752:4
    #6 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #7 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #8 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #9 0x160ea54 in user_wrapper_opener XYZ/php-7.1.12/main/streams/userspace.c:379:17
    #10 0x15ee671 in _php_stream_open_wrapper_ex XYZ/php-7.1.12/main/streams/streams.c:2055:13
    #11 0x138e120 in php_if_fopen XYZ/php-7.1.12/ext/standard/file.c:870:11
    #12 0x10d6289 in phar_fopen XYZ/php-7.1.12/ext/phar/func_interceptors.c:427:2
    #13 0x1b0b206 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:628:2
    #14 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #15 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #16 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #17 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #18 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #19 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #20 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #21 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #22 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #23 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #24 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #25 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #26 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #27 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #28 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #29 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #30 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #31 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #32 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #33 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #34 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #35 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #36 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #37 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #38 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #39 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #40 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #41 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #42 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #43 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #44 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #45 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #46 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #47 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #48 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #49 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #50 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #51 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #52 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #53 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #54 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #55 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #56 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #57 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #58 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #59 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #60 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #61 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #62 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #63 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #64 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #65 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #66 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #67 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #68 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #69 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #70 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #71 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #72 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #73 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #74 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #75 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #76 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #77 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #78 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #79 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #80 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #81 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #82 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #83 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #84 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #85 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #86 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #87 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #88 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #89 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #90 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #91 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #92 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #93 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #94 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #95 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #96 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #97 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #98 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #99 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #100 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #101 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #102 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #103 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #104 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #105 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #106 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #107 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #108 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #109 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #110 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #111 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #112 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #113 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #114 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #115 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #116 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #117 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #118 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #119 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #120 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #121 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #122 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #123 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #124 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #125 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #126 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #127 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #128 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #129 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #130 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #131 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #132 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #133 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #134 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #135 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #136 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #137 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #138 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #139 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #140 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #141 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #142 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #143 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #144 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #145 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #146 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #147 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #148 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #149 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #150 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #151 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #152 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #153 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #154 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #155 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #156 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #157 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #158 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #159 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #160 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #161 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #162 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #163 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #164 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #165 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #166 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #167 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #168 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #169 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #170 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #171 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #172 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #173 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #174 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #175 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #176 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #177 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #178 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #179 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #180 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #181 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #182 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #183 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #184 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #185 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #186 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #187 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #188 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #189 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #190 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #191 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #192 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #193 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #194 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #195 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #196 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #197 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #198 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #199 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #200 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #201 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #202 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #203 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #204 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #205 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #206 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #207 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #208 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #209 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #210 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #211 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #212 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #213 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #214 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #215 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #216 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #217 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #218 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #219 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #220 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #221 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #222 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #223 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #224 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #225 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #226 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #227 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #228 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #229 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #230 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #231 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #232 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #233 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #234 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #235 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #236 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #237 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #238 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #239 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #240 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #241 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #242 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #243 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #244 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #245 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #246 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #247 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #248 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #249 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #250 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #251 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #252 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #253 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #254 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #255 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #256 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #257 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #258 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #259 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #260 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #261 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #262 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #263 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #264 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #265 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #266 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #267 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #268 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #269 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #270 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #271 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #272 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #273 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #274 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #275 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #276 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #277 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #278 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9
    #279 0x15eb571 in stream_resource_regular_dtor XYZ/php-7.1.12/main/streams/streams.c:1619:19
    #280 0x1869dda in zend_resource_dtor XYZ/php-7.1.12/Zend/zend_list.c:76:4
    #281 0x1869dda in list_entry_destructor XYZ/php-7.1.12/Zend/zend_list.c:187
    #282 0x184d09a in zend_hash_index_del XYZ/php-7.1.12/Zend/zend_hash.c
    #283 0x186836e in zend_list_free XYZ/php-7.1.12/Zend/zend_list.c:59:10
    #284 0x17cafad in _zval_dtor_func XYZ/php-7.1.12/Zend/zend_variables.c:63:5
    #285 0x1b0b72a in i_zval_ptr_dtor XYZ/php-7.1.12/Zend/zend_variables.h:48:4
    #286 0x1b0b72a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER XYZ/php-7.1.12/Zend/zend_vm_execute.h:643
    #287 0x1974bed in execute_ex XYZ/php-7.1.12/Zend/zend_vm_execute.h:432:7
    #288 0x1772ccc in zend_call_function XYZ/php-7.1.12/Zend/zend_execute_API.c:855:3
    #289 0x17708bd in _call_user_function_ex XYZ/php-7.1.12/Zend/zend_execute_API.c:672:9
    #290 0x1609f38 in php_userstreamop_close XYZ/php-7.1.12/main/streams/userspace.c:727:2
    #291 0x15e1071 in _php_stream_free XYZ/php-7.1.12/main/streams/streams.c:467:9

SUMMARY: AddressSanitizer: stack-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:282:19 in strlen
==31836==ABORTING


Test script:
---------------
<?php
class Stream00ploiter{public function stream_close(){fopen('e0ploit://','');((''))((e().''));}public function stream_open(){return e;}}var_dump(file_put_contents());var_dump(dir());stream_wrapper_register('e0ploit','Stream00ploiter');$s=fopen('e0ploit://',0);

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-11-25 00:01 UTC] requinix@php.net

-Status: Open +Status: Not a bug

[2017-11-25 00:01 UTC] requinix@php.net

https://en.wikipedia.org/wiki/Stack_overflow#Infinite_recursion

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 21:01:30 2024 UTC