Bug #78705 Refreshable PHP crash
Submitted: 2019-10-21 05:28 UTC Modified: 2019-10-21 08:02 UTC
From: songmingxuan at cert dot org dot cn Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: 7.3.10 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None

 [2019-10-21 05:28 UTC] songmingxuan at cert dot org dot cn
#php test.php


Test script:

class Test {
	public    $publicProperty;
	protected $protectedProperty;
	private   $privateProperty;

	public function __conˆtruct() {

	function __get($name) {
		echo '__get ' . $nis->$name;

	function __set($name, $value) {
		echo '__set ' . $name .="\n";
		$this->$name = $value;

	function __isset($name) {
		echo '__isset ' . $nameisPe|($this->$name);

$test = new Test();

$test->nonExisting       = 'value';
$test->publicProperty	>= 'value';
$test->protectedPropetty = 'value';
$test->privateProperty   = 'val„e';


Expected result:
no crash.

Actual result:
Program received signal SIGSEGV, Segmentation fault.

RAX: 0x555557804650 --> 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
RBX: 0x4000 ('')
RCX: 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
RDX: 0x6 
RSI: 0x4 
RDI: 0x7ffff2a00040 --> 0x0 
RBP: 0x7ffff2a00040 --> 0x0 
RSP: 0x7fffff7fefe8 
RIP: 0x555556d3f54c (<zend_mm_alloc_pages+2604>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x0 
R9 : 0x55555799f6c0 --> 0x5555578046a0 --> 0x0 
R10: 0x7fffec361000 --> 0x600000002 
R11: 0x7ffff2a00000 --> 0x7ffff2a00040 --> 0x0 
R12: 0x7ffff2a00000 --> 0x7ffff2a00040 --> 0x0 
R13: 0x4 
R14: 0x0 
R15: 0x200
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
   0x555556d3f538 <zend_mm_alloc_pages+2584>:	mov    rdx,QWORD PTR [rsp]
   0x555556d3f53c <zend_mm_alloc_pages+2588>:	lea    rsp,[rsp+0x98]
   0x555556d3f544 <zend_mm_alloc_pages+2596>:	lea    rsp,[rsp-0x98]
=> 0x555556d3f54c <zend_mm_alloc_pages+2604>:	mov    QWORD PTR [rsp],rdx
   0x555556d3f550 <zend_mm_alloc_pages+2608>:	mov    QWORD PTR [rsp+0x8],rcx
   0x555556d3f555 <zend_mm_alloc_pages+2613>:	mov    QWORD PTR [rsp+0x10],rax
   0x555556d3f55a <zend_mm_alloc_pages+2618>:	mov    rcx,0x6f69
   0x555556d3f561 <zend_mm_alloc_pages+2625>:	call   0x555556d4fcc8 <__afl_maybe_log>
Invalid $SP address: 0x7fffff7fefe8
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556d3f54c in zend_mm_alloc_pages (
    heap=<error reading variable: Cannot access memory at address 0x7fffff7feff0>, pages_count=0x4)
    at /home/fuzz/Desktop/fuzz_php/php-7.3.10/Zend/zend_alloc.c:977
977			if (chunk->next == heap->main_chunk) {


 [2019-10-21 08:02 UTC]
-Status: Open +Status: Duplicate
 [2019-10-21 08:02 UTC]
Another magic method recursion stack overflow, this time through __get(), tracked at bug #64196.
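The comment above names the mechanism but the fuzzed script does not show it cleanly. The following is an added example, not code from the bug report or from PHP itself, that illustrates how a magic method can re-enter itself with a different property name on every call (PHP's built-in guard only suppresses re-entry for the same name on the same object), and the defensive shape that makes such recursion impossible: back the overloaded properties with a private array instead of touching `$this->$name` inside `__get()`, `__set()` and `__isset()`. The class names `UnsafeChain` and `SafeBag` and the depth limit of 50 are this example's own choices; the counter exists only so the demonstration stops with an exception instead of exhausting the native stack, which in the affected PHP versions ends in a segfault rather than a catchable error.

```php
<?php
// Added example (not part of bug #78705 or PHP's own code).

// Unsafe shape: every __get() call reads yet another non-existent property,
// so the per-name recursion guard never fires and the chain grows without
// bound. A depth counter is added here so the example terminates; a real
// program without it would run until the C stack is exhausted.
class UnsafeChain
{
    private $depth = 0;   // hypothetical instrumentation, not a PHP feature

    public function __get(string $name)
    {
        if (++$this->depth > 50) {
            throw new RuntimeException(
                "__get re-entered {$this->depth} times, last name '$name'"
            );
        }
        // Different name on each call -> __get() is invoked again.
        return $this->{$name . '_'};
    }
}

// Safe shape: magic methods operate on a private array only. Array reads
// and writes never go through property overloading, so none of these
// methods can trigger itself or one of the others.
class SafeBag
{
    private $data = [];

    public function __get(string $name)
    {
        if (!array_key_exists($name, $this->data)) {
            throw new OutOfBoundsException("No such property: $name");
        }
        return $this->data[$name];
    }

    public function __set(string $name, $value): void
    {
        $this->data[$name] = $value;
    }

    public function __isset(string $name): bool
    {
        return isset($this->data[$name]);
    }

    public function __unset(string $name): void
    {
        unset($this->data[$name]);
    }
}

// Demonstration: the safe bag behaves like ordinary dynamic properties,
// the unsafe chain is stopped by its depth counter.
$bag = new SafeBag();
$bag->nonExisting = 'value';
var_dump(isset($bag->nonExisting));
var_dump($bag->nonExisting);
var_dump(isset($bag->missing));

try {
    $chain = new UnsafeChain();
    $chain->start;
} catch (RuntimeException $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```

The design point is that the guard PHP applies is keyed by property name, so "do not read `$this->$name` inside a magic method" is a weaker rule than "do not perform any overloaded property access inside a magic method". Keeping the backing store in a plain array satisfies the stronger rule structurally instead of relying on the interpreter's guard, and newer PHP releases that enforce a stack-size limit turn the remaining failure mode into an error rather than a crash.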