|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76244 A stack overflow vulnerability exist (most likely) in the isSet function
Submitted: 2018-04-20 11:12 UTC Modified: 2018-04-23 03:34 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: daniel dot teuchert at rub dot de Assigned:
Status: Open Package: *Programming Data Structures
PHP Version: 7.2.4 OS: Linux 4.6.2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
36 - 28 = ?
Subscribe to this entry?

 [2018-04-20 11:12 UTC] daniel dot teuchert at rub dot de
Calling isSet with too many parameters causes a stack overflow.
Executing the test script results in a stack overflow.
The produced ASAN output can be found here:
An attacker can possibly use this flaw to execute arbitrary code.

Steps to reproduce:
Build latest php version (compile with ASAN)
Donwload PoC file called "stack_overflow" (see Test script)
Execute binary file in $WORKDIR/php-7.2.4/sapi/cli/:
$WORKDIR/php-7.2.4/sapi/cli/php stack_overflow

I was not able to reproduce this behavior when debugging with gdb.

Test script:
PoC file can be found here:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-04-22 22:16 UTC]
This does not look like a security issue, since checking so many
variables in a single isset() does not appear to be of any
practical purpose.
 [2018-04-23 03:34 UTC]
-Type: Security +Type: Bug
 [2018-04-23 03:34 UTC]
Not a security issue, please see
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Jul 07 15:01:26 2020 UTC