|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78702 Refreshable PHP crash
Submitted: 2019-10-21 05:18 UTC Modified: 2019-10-21 08:27 UTC
From: songmingxuan at cert dot org dot cn Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.3.10 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None
 [2019-10-21 05:18 UTC] songmingxuan at cert dot org dot cn
#php test.php


Test script:

spl_autoload_register(function ($name) {
  echo "IN:  autoload($name)\n";

  static $i = 0;
  if ($i++ > 10) {
      echo "-> Recursion detected - as expected.\n";

  class_exists('UndefinedClass' . $i);

  echo "OUT: autoload($name)\n";


Expected result:
no crash.

Actual result:
Program received signal SIGSEGV, Segmentation fault.

RAX: 0x0 
RBX: 0x7fffff7ff618 --> 0x13 
RCX: 0x7fffff7ff620 --> 0x3000000008 
RDX: 0x55555740ebe7 ("%s\n%s: %s in %s on line %u\n%s")
RSI: 0x1 
RDI: 0x7fffff7ff5d0 --> 0x0 
RBP: 0x25 ('%')
RSP: 0x7fffff7fefe8 
RIP: 0x555556c3047c (<xbuf_format_converter+140>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x7ffff2a69358 ("/home/fuzz/Desktop/phpcrash/crash1.php")
R9 : 0x8 
R10: 0x55555740ebe7 ("%s\n%s: %s in %s on line %u\n%s")
R11: 0x4 
R12: 0x2 
R13: 0x5555573d16c4 --> 0x676e696e726157 ('Warning')
R14: 0x5555573d63da --> 0x276e646c756f6300 ('')
R15: 0x7ffff2a91000 ("Use of undefined constant retu - assumed 'retu' (this will throw an Error in a future version of PHP)")
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
   0x555556c3046c <xbuf_format_converter+124>:	je     0x555556c308f8 <xbuf_format_converter+1288>
   0x555556c30472 <xbuf_format_converter+130>:	xchg   ax,ax
   0x555556c30474 <xbuf_format_converter+132>:	lea    rsp,[rsp-0x98]
=> 0x555556c3047c <xbuf_format_converter+140>:	mov    QWORD PTR [rsp],rdx
   0x555556c30480 <xbuf_format_converter+144>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556c30485 <xbuf_format_converter+149>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556c3048a <xbuf_format_converter+154>:	mov    rcx,0x5422
   0x555556c30491 <xbuf_format_converter+161>:	call   0x555556c36d68 <__afl_maybe_log>
Invalid $SP address: 0x7fffff7fefe8
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556c3047c in xbuf_format_converter (xbuf=0x7fffff7ff5d0, is_char=0x1, 
    fmt=0x55555740ebe7 "%s\n%s: %s in %s on line %u\n%s", ap=0x7fffff7ff620)
    at /home/fuzz/Desktop/fuzz_php/php-7.3.10/main/spprintf.c:237
237		while (*fmt) {


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-10-21 07:57 UTC]
-Status: Open +Status: Duplicate
 [2019-10-21 07:57 UTC]
Standard "magic" recursion stack overflow, tracked at bug #64196.
 [2019-10-21 08:27 UTC] songmingxuan at cert dot org dot cn
I want to ask. Can I apply for CVE for this duplicate? Ha ha ha????
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 01 05:01:29 2024 UTC