[2019-10-21 08:02 UTC] nikic@php.net
-Status: Open
+Status: Duplicate
[2019-10-21 08:02 UTC] nikic@php.net
Description:
------------
#php test.php
crash.

Test script:
---------------
test.php
<?php
class Test {
    public $publicProperty;
    protected $protectedProperty;
    private $privateProperty;

    public function __conˆtruct() {
        unset(
            $¼his->publicProperty,
            $thXs->protectedProperty,
            $this->privateProperty
        );
    }

    function __get($name) {
        echo '__get ' . $nis->$name;
    }

    function __set($name, $value) {
        echo '__set ' . $name .="\n";
        $this->$name = $value;
    }

    function __isset($name) {
        echo '__isset ' . $nameisPe|($this->$name);
    }
}

$test = new Test();
$test->nonExisting;
$test->publicProperty;
$test->protectedProperty;
$test->privateProperty;
isset($test->non);
isset($test->publicProperty);
isset($test->protectedProperty);
isset($test->privateProperty);
$test->nonExisting = 'value';
$test->publicProperty >= 'value';
$test->protectedPropetty = 'value';
$test->privateProperty = 'val„e';
?>

Expected result:
----------------
no crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x555557804650 --> 0x55555799f6c0 --> 0x5555578046a0 --> 0x0
RBX: 0x4000 ('')
RCX: 0x55555799f6c0 --> 0x5555578046a0 --> 0x0
RDX: 0x6
RSI: 0x4
RDI: 0x7ffff2a00040 --> 0x0
RBP: 0x7ffff2a00040 --> 0x0
RSP: 0x7fffff7fefe8
RIP: 0x555556d3f54c (<zend_mm_alloc_pages+2604>: mov QWORD PTR [rsp],rdx)
R8 : 0x0
R9 : 0x55555799f6c0 --> 0x5555578046a0 --> 0x0
R10: 0x7fffec361000 --> 0x600000002
R11: 0x7ffff2a00000 --> 0x7ffff2a00040 --> 0x0
R12: 0x7ffff2a00000 --> 0x7ffff2a00040 --> 0x0
R13: 0x4
R14: 0x0
R15: 0x200
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556d3f538 <zend_mm_alloc_pages+2584>: mov rdx,QWORD PTR [rsp]
   0x555556d3f53c <zend_mm_alloc_pages+2588>: lea rsp,[rsp+0x98]
   0x555556d3f544 <zend_mm_alloc_pages+2596>: lea rsp,[rsp-0x98]
=> 0x555556d3f54c <zend_mm_alloc_pages+2604>: mov QWORD PTR [rsp],rdx
   0x555556d3f550 <zend_mm_alloc_pages+2608>: mov QWORD PTR [rsp+0x8],rcx
   0x555556d3f555 <zend_mm_alloc_pages+2613>: mov QWORD PTR [rsp+0x10],rax
   0x555556d3f55a <zend_mm_alloc_pages+2618>: mov rcx,0x6f69
   0x555556d3f561 <zend_mm_alloc_pages+2625>: call 0x555556d4fcc8 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefe8
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556d3f54c in zend_mm_alloc_pages (
    heap=<error reading variable: Cannot access memory at address 0x7fffff7feff0>, pages_count=0x4)
    at /home/fuzz/Desktop/fuzz_php/php-7.3.10/Zend/zend_alloc.c:977
977 if (chunk->next == heap->main_chunk) {
gdb-peda$

[Triage note: gdb reports RSP (0x7fffff7fefe8) as an invalid stack address and the faulting instruction is a store to [rsp], so the fault is a stack access rather than a bad heap pointer inside zend_mm_alloc_pages. That is consistent with stack exhaustion. In the test script, __set() appends "\n" to $name before assigning $this->$name, so each nested assignment targets a different property name and likely re-enters __set() without bound. The unusual bytes in the script come from the reported input and are kept as-is.]