Bug #78709 Refreshable PHP crash
Submitted: 2019-10-21 11:47 UTC Modified: 2019-10-21 12:20 UTC
From: songmingxuan at cert dot org dot cn Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 7.4.0RC4 OS: #31~18.04.1-Ubuntu
Private report: No CVE-ID: None


 [2019-10-21 11:47 UTC] songmingxuan at cert dot org dot cn
#php test.php


Test script:

class Test {
	public    $publicProperty;
	protected $protectedProperty;
	private   $privateProperty;

	public function __conˆtruct() {

	function __get($name) {
		echo '__get ' . $nis->$name;

	function __set($name, $value) {
		echo '__set ' . $name .="\n";
		$this->$name = $value;

	function __isset($name) {
		echo '__isset ' . $nameisPe|($this->$name);

$test = new Test();

$test->nonExisting       = 'value';
$test->publicProperty	>= 'value';
$test->protectedPropetty = 'value';
$test->privateProperty   = 'val„e';


Expected result:
no crash

Actual result:
Program received signal SIGSEGV, Segmentation fault.

RAX: 0x0 
RBX: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
RCX: 0x8 
RDX: 0x6 
RSI: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
RDI: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
RBP: 0x0 
RSP: 0x7fffff7fef98 
RIP: 0x555556686294 (<concat_function+132>:	mov    QWORD PTR [rsp],rdx)
R8 : 0x55555718b600 --> 0x55555731af60 --> 0x55555718b620 --> 0x0 
R9 : 0x7ffff2e07610 --> 0x0 
R10: 0x7fffed2ac700 --> 0x55555719d7a0 --> 0x1c600000001 
R11: 0x7fffff7ff330 --> 0x55555719d7a0 --> 0x1c600000001 
R12: 0x7ffff2e5fb00 --> 0x55555719a460 --> 0x1c600000001 
R13: 0x7fffed2ac6f0 --> 0x7fffed0d0000 --> 0x600000003 
R14: 0x7fffed2ac6a0 --> 0x7ffff2e5fa40 --> 0x55555699d634 (<execute_ex+14340>:	lea    rsp,[rsp-0x98])
R15: 0x7ffff2e5fa40 --> 0x55555699d634 (<execute_ex+14340>:	lea    rsp,[rsp-0x98])
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
   0x555556686283 <concat_function+115>:	cmp    dl,0x6
   0x555556686286 <concat_function+118>:	jne    0x555556686bb0 <concat_function+2464>
   0x55555668628c <concat_function+124>:	lea    rsp,[rsp-0x98]
=> 0x555556686294 <concat_function+132>:	mov    QWORD PTR [rsp],rdx
   0x555556686298 <concat_function+136>:	mov    QWORD PTR [rsp+0x8],rcx
   0x55555668629d <concat_function+141>:	mov    QWORD PTR [rsp+0x10],rax
   0x5555566862a2 <concat_function+146>:	mov    rcx,0x6ba2
   0x5555566862a9 <concat_function+153>:	call   0x5555566a6600 <__afl_maybe_log>
Invalid $SP address: 0x7fffff7fef98
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556686294 in concat_function (result=0x7fffed2ac6f0, 
    op1=0x7fffed2ac6f0, op2=0x7ffff2e5fb00)
    at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/Zend/zend_types.h:442
442		return pz->u1.v.type;
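Fuzzer-found crash reports like this one are usually triaged by crash signature so that duplicates (this report was closed as a duplicate of #78705) can be spotted before anyone reads the mutated test script. The following Python script is an added example and is not part of the bug report or of PHP: it parses the key lines of the gdb/PEDA output above into a structured record, derives a build-independent signature from the signal, the crashing frame and the source location, and applies a simple heuristic to separate a stack-pointer fault from an ordinary bad-pointer dereference. The embedded dump text is copied from this report; the function names `parse_crash`, `crash_signature`, `classify`, `same_crash` and the classification heuristic are the example's own assumptions, not gdb or PEDA features.

```python
import re

# Crash dump lines copied from this bug report (PHP 7.4.0RC4 gdb/PEDA output);
# embedded here so the parser runs offline on the report's own text.
CRASH_DUMP = (
    "Program received signal SIGSEGV, Segmentation fault.\n"
    "RSP: 0x7fffff7fef98\n"
    "RIP: 0x555556686294 (<concat_function+132>:\tmov    QWORD PTR [rsp],rdx)\n"
    "=> 0x555556686294 <concat_function+132>:\tmov    QWORD PTR [rsp],rdx\n"
    "Invalid $SP address: 0x7fffff7fef98\n"
    "Stopped reason: SIGSEGV\n"
    "0x0000555556686294 in concat_function (result=0x7fffed2ac6f0, \n"
    "    op1=0x7fffed2ac6f0, op2=0x7ffff2e5fb00)\n"
    "    at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/Zend/zend_types.h:442\n"
    "442\t\treturn pz->u1.v.type;\n"
)

# One regex per line shape we care about (gdb "Program received signal",
# PEDA register / "Invalid $SP" lines, the gdb frame line, and the source echo).
SIGNAL_RE = re.compile(r"Program received signal (\w+)")
RIP_RE = re.compile(r"^RIP: (0x[0-9a-f]+) \(<([A-Za-z_]\w*)\+(\d+)>:\s*(.*)\)$", re.M)
RSP_RE = re.compile(r"^RSP: (0x[0-9a-f]+)$", re.M)
BAD_SP_RE = re.compile(r"^Invalid \$SP address: (0x[0-9a-f]+)$", re.M)
FRAME_RE = re.compile(r"^0x[0-9a-f]+ in ([A-Za-z_]\w*) \(", re.M)
LOC_RE = re.compile(r"^\s*at (\S+):(\d+)$", re.M)
SRC_RE = re.compile(r"^(\d+)\t+(.*)$", re.M)


def parse_crash(dump):
    """Extract the triage-relevant fields from a gdb/PEDA crash dump."""
    info = {"signal": None, "rip": None, "symbol": None, "offset": None,
            "instruction": None, "rsp": None, "bad_sp": None,
            "frame_function": None, "file": None, "line": None, "source": None}
    m = SIGNAL_RE.search(dump)
    if m:
        info["signal"] = m.group(1)
    m = RIP_RE.search(dump)
    if m:
        info["rip"] = int(m.group(1), 16)
        info["symbol"] = m.group(2)
        info["offset"] = int(m.group(3))
        info["instruction"] = m.group(4).strip()
    m = RSP_RE.search(dump)
    if m:
        info["rsp"] = int(m.group(1), 16)
    m = BAD_SP_RE.search(dump)
    if m:
        info["bad_sp"] = int(m.group(1), 16)
    m = FRAME_RE.search(dump)
    if m:
        info["frame_function"] = m.group(1)
    m = LOC_RE.search(dump)
    if m:
        info["file"], info["line"] = m.group(1), int(m.group(2))
    m = SRC_RE.search(dump)
    if m:
        info["source"] = m.group(2).strip()
    return info


def crash_signature(info):
    """Build-independent dedup key: signal, crashing frame, file:line.
    Only the last two path components are kept so that the reporter's local
    checkout path does not make otherwise identical crashes look different."""
    short_path = "/".join(info["file"].split("/")[-2:]) if info["file"] else "?"
    return "{}:{}:{}:{}".format(info["signal"], info["frame_function"],
                                short_path, info["line"])


def classify(info):
    """Heuristic (this example's own, not a gdb feature): a SIGSEGV on an
    instruction that writes through rsp while the debugger reports the stack
    pointer itself as unmapped suggests stack exhaustion (unbounded recursion)
    rather than a dereference of a bad data pointer."""
    instr = info["instruction"] or ""
    if info["signal"] == "SIGSEGV" and info["bad_sp"] is not None and "[rsp" in instr:
        return "stack-exhaustion-suspected"
    if info["signal"] == "SIGSEGV":
        return "invalid-memory-access"
    return "other"


def same_crash(dump_a, dump_b):
    """True when two dumps reduce to the same signature (duplicate candidates)."""
    return crash_signature(parse_crash(dump_a)) == crash_signature(parse_crash(dump_b))


if __name__ == "__main__":
    parsed = parse_crash(CRASH_DUMP)
    for key, value in parsed.items():
        print("{:<15} {}".format(key, value))
    print("signature:", crash_signature(parsed))
    print("class:    ", classify(parsed))
```

The signature deliberately ignores addresses and register values, which change from build to build and run to run, and keys on the frame and source line instead; two reports that differ only in the fuzzer's checkout path compare equal, while a crash one line away does not.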


 [2019-10-21 12:20 UTC]
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2019-10-21 12:20 UTC]
Duplicate of bug #78705.
Last updated: Sun Jun 07 04:01:28 2020 UTC