|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2019-10-08 12:25 UTC] cmb@php.net
-Type: Security
+Type: Bug
[2019-10-08 12:25 UTC] cmb@php.net
[2019-10-08 12:36 UTC] nikic@php.net
-Status: Open
+Status: Duplicate
[2019-10-08 12:36 UTC] nikic@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 18 19:01:30 2024 UTC |
Description: ------------ Present in PHP-7.4 / master branches but not PHP-7.3 branch. Compiled with `--disable-all`. Found using AFL. This one triggers the assertion: ht=0x5058780 is already destroyed Not sure if that indicates a potential UAF or not, raising as secbug just in case. Test script: --------------- <?php class T { public $v = []; function __get($var) { if(isset($this->v[$var])) return $t->v[$var]; } function __unset($var) { unset($d->v[$var]); } } $o = new T; $o->v['v'] = 1; $o->r; unset($o->r); $o->{'VirtY^l'.(3)}; Expected result: ---------------- Exit code 0 Actual result: -------------- Program received signal SIGSEGV, Segmentation fault. zend_hash_find_bucket (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a02870) at /home/leigh/php-src/Zend/zend_hash.c:637 637 if (EXPECTED(p->key == key)) { /* check for the same interned string */ (gdb) bt #0 zend_hash_find_bucket (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a02870) at /home/leigh/php-src/Zend/zend_hash.c:637 #1 zend_hash_find (ht=ht@entry=0x7ffff7a55380, key=key@entry=0x7ffff7a02870) at /home/leigh/php-src/Zend/zend_hash.c:2220 #2 0x000055555599fdd1 in zend_hash_find_ex (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_hash.h:373 #3 zend_hash_find_ex_ind (known_hash=0 '\000', key=0x7ffff7a02870, ht=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_hash.h:373 #4 ZEND_ISSET_ISEMPTY_DIM_OBJ_SPEC_TMPVAR_CV_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:17555 #5 0x00005555559bdc33 in execute_ex (ex=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_vm_execute.h:55576 #6 0x00005555559361f9 in zend_call_function (fci=fci@entry=0x7fffffffa3c0, fci_cache=0x7ffff7a5bb80, fci_cache@entry=0x7fffffffa3a0) at /home/leigh/php-src/Zend/zend_execute_API.c:784 #7 0x00005555559735db in zend_std_call_getter (zobj=zobj@entry=0x7ffff7a78050, prop_name=prop_name@entry=0x7ffff7a02870, retval=retval@entry=0x7ffff7a130e0) at /home/leigh/php-src/Zend/zend_object_handlers.c:208 #8 0x0000555555974cdb in zend_std_read_property (zobj=0x7ffff7a78050, name=0x7ffff7a02870, type=0, cache_slot=<optimised out>, rv=<optimised out>) at /home/leigh/php-src/Zend/zend_object_handlers.c:744 #9 0x00005555559c145a in ZEND_FETCH_OBJ_R_SPEC_CV_CONST_INLINE_HANDLER () at /home/leigh/php-src/Zend/zend_vm_execute.h:39586 #10 execute_ex (ex=0x7ffff7a55380) at /home/leigh/php-src/Zend/zend_vm_execute.h:57255 #11 0x00005555559c4f4d in zend_execute (op_array=0x7ffff7a802a0, return_value=<optimised out>) at /home/leigh/php-src/Zend/zend_vm_execute.h:58019 #12 0x00005555559437b1 in zend_execute_scripts (type=type@entry=8, retval=0x7ffff7a6d120, retval@entry=0x0, file_count=file_count@entry=3) at /home/leigh/php-src/Zend/zend.c:1643 #13 0x00005555558e5780 in php_execute_script (primary_file=<optimised out>) at /home/leigh/php-src/main/main.c:2585 #14 0x00005555559c6f6c in do_cli (argc=2, argv=0x555556172860) at /home/leigh/php-src/sapi/cli/php_cli.c:959 #15 0x000055555577e78d in main (argc=2, argv=0x555556172860) at /home/leigh/php-src/sapi/cli/php_cli.c:1350