Bug #76410 SIGV in zend_mm_alloc_small
Submitted: 2018-06-03 11:24 UTC Modified: 2018-06-03 22:47 UTC
From: daniel dot teuchert at rub dot de Assigned: dmitry
Status: Closed Package: Arrays related
PHP Version: 7.2.6 OS: Linux/Ubuntu
Private report: No CVE-ID: None

 [2018-06-03 11:24 UTC] daniel dot teuchert at rub dot de
When executing the test script PHP crashes.

Test script:
<?php
// Crashes PHP 7.2.6 with a SIGSEGV in zend_mm_alloc_small (backtrace below).
$b = timezone_abbreviations_list();

Actual result:
#0  0x0000000001918d3e in zend_mm_alloc_small (size=0, heap=<optimized out>, 
    bin_num=<optimized out>) at Zend/zend_alloc.c:1273
#1  _emalloc_56 () at Zend/zend_alloc.c:2352
#2  0x0000000001a78a0f in _array_init (arg=0x7fffffff99a0, size=0) at Zend/zend_API.c:1090
#3  0x000000000051c220 in zif_timezone_abbreviations_list (execute_data=<optimized out>, 
    return_value=<optimized out>) at ext/date/php_date.c:4830
#4  0x0000000001ea9d23 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=<optimized out>)
    at Zend/zend_vm_execute.h:573
#5  0x0000000001c126d6 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:59723
#6  0x0000000001c1312f in zend_execute (op_array=<optimized out>, return_value=<optimized out>)
    at Zend/zend_vm_execute.h:63760
#7  0x0000000001a6678e in zend_execute_scripts (type=-3184, retval=0x0, file_count=<optimized out>)
    at Zend/zend.c:1496
#8  0x00000000017e108a in php_execute_script (primary_file=0x7fffffffc560) at main/main.c:2590
#9  0x000000000200dba7 in do_cli (argc=<optimized out>, argv=<optimized out>)
    at sapi/cli/php_cli.c:1011
#10 0x000000000200aa8d in main (argc=<optimized out>, argv=<optimized out>)
    at sapi/cli/php_cli.c:1404

 [2018-06-03 13:01 UTC]
-Status: Open +Status: Verified
 [2018-06-03 16:10 UTC]
-Package: Date/time related +Package: Arrays related -Assigned To: +Assigned To: dmitry
 [2018-06-03 16:10 UTC]
This does not appear to be particularly related to
timezone_abbreviations_list(), since the following test script
shows the same UAF issues under valgrind:

  $b = array_flip(range('a', 'c'));
  debug_zval_dump($b); // just to check the refcount

Actually it does not matter how the array is created; it just
needs to have the key 'b', and the debug_zval_dump() should show a
refcount of 2.

Apparently, the bad behavior has been introduced with commit
1f7bf2b[1]. Dmitry, could you please take a look at this issue?

[1] <;a=commit;h=1f7bf2bfd63d94ddf4e28f903c692850232ef798>
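The comment above says the minimal script "shows the same UAF issues under valgrind" but does not spell out how to run that check. The script below is an added example, not part of this bug report or of php-src: it runs both reproducers from this ticket under valgrind and turns valgrind's exit status into a verdict. It assumes `php` and `valgrind` are on PATH, and it relies on the `USE_ZEND_ALLOC=0` environment variable, which makes the Zend memory manager fall back to the system allocator so valgrind can see each allocation and free. Without that, a stale pointer into a freed chunk only surfaces later as a crash inside zend_mm_alloc_small, as in the reported backtrace.

```sh
#!/bin/sh
# Added example, not part of the bug report or of php-src: re-run both
# reproducers from this ticket under valgrind, the check described in
# the "Verified" comment. Assumes `php` and `valgrind` are on PATH.
#
# With the Zend memory manager active, a stale pointer into a freed
# chunk shows up later as a crash (here: SIGSEGV in zend_mm_alloc_small).
# USE_ZEND_ALLOC=0 makes Zend use the system allocator, so valgrind
# reports the invalid access at the instruction that performs it.

# Constructed reproducers: the original test script and the minimal one
# from the follow-up comment (any array with key 'b' and refcount 2).
REPRO_ORIGINAL='$b = timezone_abbreviations_list();'
REPRO_MINIMAL='$b = array_flip(range("a", "c")); debug_zval_dump($b);'

# Run one PHP snippet under valgrind.
# Return codes:
#   0  no memory errors reported (not reproduced on this build)
#   1  valgrind reported at least one memory error (reproduced)
#   2  php or valgrind is not installed
#   3  php died or exited non-zero without valgrind flagging an error
run_under_valgrind() {
    command -v php >/dev/null 2>&1 || return 2
    command -v valgrind >/dev/null 2>&1 || return 2
    # -n: ignore php.ini so locally loaded extensions add no noise
    # --leak-check=no: only invalid reads/writes should trip --error-exitcode
    USE_ZEND_ALLOC=0 valgrind --quiet --error-exitcode=1 --leak-check=no \
        php -n -r "$1" >/dev/null 2>&1
    status=$?
    case $status in
        0) return 0 ;;
        1) return 1 ;;
        *) return 3 ;;
    esac
}

# Map a return code from run_under_valgrind to a one-line verdict.
describe_result() {
    case $1 in
        0) echo "clean: valgrind reported no memory errors" ;;
        1) echo "REPRODUCED: valgrind reported memory errors (use-after-free candidate)" ;;
        2) echo "skipped: php or valgrind not found on PATH" ;;
        *) echo "inconclusive: php exited abnormally without a valgrind error" ;;
    esac
}

for snippet in "$REPRO_ORIGINAL" "$REPRO_MINIMAL"; do
    rc=0
    run_under_valgrind "$snippet" || rc=$?
    echo "$(describe_result "$rc") <- $snippet"
done
```

Run it against a PHP built from the affected source (7.2.6 as reported) to see the REPRODUCED verdict; a build that carries the fix committed on 2018-06-05 should come back clean. A `--enable-debug` build gives valgrind symbolized frames so the reported invalid access can be matched against the backtrace in the report.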
 [2018-06-03 22:47 UTC]
-Type: Security +Type: Bug
 [2018-06-05 09:17 UTC]
Automatic comment on behalf of
Log: Fixed bug #76410 (SIGV in zend_mm_alloc_small)
 [2018-06-05 09:17 UTC]
-Status: Verified +Status: Closed
 [2018-06-05 09:20 UTC]
Automatic comment on behalf of
Log: Fixed bug #76410 (SIGV in zend_mm_alloc_small)