Bug #76997 divide zero in array.c:2224
Submitted: 2018-10-11 07:30 UTC Modified: 2018-10-11 16:47 UTC
From: zzw20124321 at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Arrays related
PHP Version: 7.0.32 OS: Ubuntu 16.04.5 LTS
Private report: No CVE-ID: None
 [2018-10-11 07:30 UTC] zzw20124321 at gmail dot com
Description:
------------
php -v
PHP 7.0.32 (cli) (built: Oct  9 2018 15:37:43) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies


~/Downloads/php-7.0.32/sapi/cli/php crash.php 
Floating point exception (core dumped)

gdb info:

```
[----------------------------------registers-----------------------------------]
RAX: 0x12 
RBX: 0xffffffff390 --> 0x0 
RCX: 0x12 
RDX: 0x0 
RSI: 0x0 
RDI: 0x7fffea413110 --> 0x12 
RBP: 0x7fffffff9da0 --> 0x1e4d750 --> 0x0 
RSP: 0x7fffffff9c40 --> 0x7fffffffc8d0 --> 0x7fffea4730b0 --> 0x0 
RIP: 0xc56627 (<zif_range+4775>:	div    r8)
R8 : 0x0 
R9 : 0x52df907 
R10: 0x60800007c8b8 --> 0x463a96833b2bd391 
R11: 0x60800007c8a0 --> 0x60800007c920 --> 0x60800007c9a0 --> 0x60800007caa0 --> 0x0 
R12: 0x7fffffff9c80 --> 0x41b58ab3 
R13: 0x0 
R14: 0x7fffea413090 --> 0x0 
R15: 0x7fffffff9c80 --> 0x41b58ab3
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xc5661c <zif_range+4764>:	cmp    r8,rax
   0xc5661f <zif_range+4767>:	ja     0xc55aa8 <zif_range+1832>
   0xc56625 <zif_range+4773>:	xor    edx,edx
=> 0xc56627 <zif_range+4775>:	div    r8
   0xc5662a <zif_range+4778>:	cmp    rax,0x7ffffffe
   0xc56630 <zif_range+4784>:	ja     0xc570ae <zif_range+7470>
   0xc56636 <zif_range+4790>:	lea    r9d,[rax+0x1]
   0xc5663a <zif_range+4794>:	mov    rdi,r14
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9c40 --> 0x7fffffffc8d0 --> 0x7fffea4730b0 --> 0x0 
0008| 0x7fffffff9c48 --> 0x687945145230b425 
0016| 0x7fffffff9c50 --> 0x1e4d750 --> 0x0 
0024| 0x7fffffff9c58 --> 0x7fffffffc8d0 --> 0x7fffea4730b0 --> 0x0 
0032| 0x7fffffff9c60 --> 0x7fffea4730b0 --> 0x0 
0040| 0x7fffffff9c68 --> 0x7ffff7de6ac6 (<_dl_fixup+214>:	mov    r8,rax)
0048| 0x7fffffff9c70 --> 0x1 
0056| 0x7fffffff9c78 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGFPE
0x0000000000c56627 in zif_range (execute_data=<optimized out>, return_value=0x7fffea413090) at /home/fan/Downloads/php-7.0.32/ext/standard/array.c:2224
2224				RANGE_CHECK_LONG_INIT_ARRAY(high, low);
gdb-peda$ bt
#0  0x0000000000c56627 in zif_range (execute_data=<optimized out>, return_value=0x7fffea413090) at /home/fan/Downloads/php-7.0.32/ext/standard/array.c:2224
#1  0x0000000001035800 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/fan/Downloads/php-7.0.32/Zend/zend_vm_execute.h:586
#2  0x0000000000ff650e in execute_ex (ex=<optimized out>) at /home/fan/Downloads/php-7.0.32/Zend/zend_vm_execute.h:414
#3  0x000000000113c09e in zend_execute (op_array=op_array@entry=0x7fffea482000, return_value=return_value@entry=0x0) at /home/fan/Downloads/php-7.0.32/Zend/zend_vm_execute.h:458
#4  0x0000000000f3aac3 in zend_execute_scripts (type=0xea413030, type@entry=0x8, retval=retval@entry=0x0, file_count=file_count@entry=0x3) at /home/fan/Downloads/php-7.0.32/Zend/zend.c:1445
#5  0x0000000000e42ba0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffc8d0) at /home/fan/Downloads/php-7.0.32/main/main.c:2516
#6  0x000000000113fc31 in do_cli (argc=<optimized out>, argv=<optimized out>) at /home/fan/Downloads/php-7.0.32/sapi/cli/php_cli.c:977
#7  0x000000000045d059 in main (argc=argc@entry=0x2, argv=0x60300000da80, argv@entry=0x7fffffffde28) at /home/fan/Downloads/php-7.0.32/sapi/cli/php_cli.c:1347
#8  0x00007ffff351b830 in __libc_start_main (main=0x45c910 <main>, argc=0x2, argv=0x7fffffffde28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde18)
    at ../csu/libc-start.c:291
#9  0x000000000045d329 in _start ()
gdb-peda$ q

```

Test script:
---------------
cat crash.php 
```php
<?php
// Proof of concept from the report: the third argument is a string with a
// numeric prefix ("1.844674407371e195") followed by a non-numeric "b".
range(null, 18, "1.844674407371e195b");
?>
```

History

 [2018-10-11 14:16 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2018-10-11 14:16 UTC] cmb@php.net
Duplicate of bug #76390.  This is not a security issue, and
therefore non-actively supported versions[1] will not be patched.

[1] <http://php.net/supported-versions.php>
 [2018-10-11 15:05 UTC] spam2 at rhsoft dot net
Outside of the PHP world, issues which can lead to reproducible segfaults, and so to denial of service, are always considered security bugs!
 [2018-10-11 16:28 UTC] cmb@php.net
We cannot consider *everything* that might be misused to be a
security issue (consider, for instance, `include
$_GET[$filename]`).  Users should validate/sanitize all user
supplied input; in this case they should make sure that the passed
$step value is actually numeric (and is not so small that the
result of the range() call would create a huge array).  If,
however, the $step value has not been user-supplied input, the
programmer should quickly note the mistake, since the segfault is
reproducible.
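The validation the comment above asks for, written out as an added example by the editor (it is not code from the report, and not part of PHP): a wrapper, here given the assumed name safe_range(), that accepts only fully numeric arguments, rejects a zero step, and caps the number of elements a call may produce before range() allocates them. The 100000 cap and the use of InvalidArgumentException are arbitrary choices for the example. The inputs at the bottom are constructed; the first reuses the step string from the test script, which is_numeric() rejects because of its trailing "b". The register dump in the report shows the divisor R8 as 0 at the `div r8` instruction when the SIGFPE fires, which is why a zero step is refused outright.

```php
<?php
declare(strict_types=1);

/**
 * Validate range() arguments before calling it.
 * Editor's example, not PHP's own code; safe_range and $max_elements are assumed names.
 *
 * @param int|float|string $low
 * @param int|float|string $high
 * @param int|float|string $step
 * @param int $max_elements arbitrary cap on the result size (assumed value)
 */
function safe_range($low, $high, $step = 1, int $max_elements = 100000): array
{
    // Accept only ints, floats, or strings that are numeric in their entirety.
    // is_numeric("1.844674407371e195b") is false because of the trailing "b",
    // so the step from the bug report is rejected here and never reaches range().
    foreach (['low' => $low, 'high' => $high, 'step' => $step] as $name => $value) {
        if (!is_int($value) && !is_float($value) && !(is_string($value) && is_numeric($value))) {
            throw new InvalidArgumentException("\$$name must be numeric");
        }
    }

    // Normalise to int|float. Like range() itself, the sign of $step is ignored.
    $low  = $low + 0;
    $high = $high + 0;
    $step = abs($step + 0);

    if (!is_finite((float) $low) || !is_finite((float) $high) || !is_finite((float) $step)) {
        throw new InvalidArgumentException('arguments must be finite');
    }

    // A zero step can never reach $high, so there is nothing sensible for
    // range() to do with it; refuse it before the call is made.
    if ($step == 0) {
        throw new InvalidArgumentException('$step must not be zero');
    }

    // Bound the result size before range() allocates it. Compare as floats so
    // that a tiny step cannot overflow an int in this check.
    $elements = floor(abs($high - $low) / $step) + 1;
    if ($elements > $max_elements) {
        throw new InvalidArgumentException(
            sprintf('would produce %.0f elements, limit is %d', $elements, $max_elements)
        );
    }

    return range($low, $high, $step);
}

// Constructed inputs; the first reuses the step string from the test script.
$cases = [
    [0, 18, "1.844674407371e195b"], // trailing "b": rejected as non-numeric
    [0, 18, 0],                     // zero step: rejected
    [0, 18, 1e-9],                  // about 1.8e10 elements: rejected by the cap
    [0, 18, 3],                     // accepted: 7 elements, 0, 3, ..., 18
];
foreach ($cases as $case) {
    list($lo, $hi, $st) = $case;
    try {
        printf("%d elements\n", count(safe_range($lo, $hi, $st)));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

The check on the element count matters as much as the numeric check: a step that is numeric but tiny is exactly the "so small that the result would create a huge array" case the comment describes, and range() has no way to know what size is acceptable for the application.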
 [2018-10-11 16:29 UTC] spam2 at rhsoft dot net
Irrelevant - unsanitized input may lead to damage / deleted data and so on, BUT it must not CRASH the PHP binary itself
 [2018-10-11 16:47 UTC] cmb@php.net
This is wishful thinking.  For instance, it is documented that
PHP does *not* protect from too deeply nested function call
recursion[1], so a recursive implementation of fac() requires
validating user-supplied $n.

[1] <http://php.net/manual/en/functions.user-defined.php>
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Thu Nov 15 03:01:25 2018 UTC