Bug #78710 Refreshable PHP crash
Submitted: 2019-10-21 11:52 UTC
Modified: 2019-10-21 12:16 UTC
From: songmingxuan at cert dot org dot cn
Assigned: cmb
Status: Duplicate
Package: Reproducible crash
PHP Version: 7.4.0RC4
OS: #31~18.04.1-Ubuntu
Private report: No
CVE-ID: None
 [2019-10-21 11:52 UTC] songmingxuan at cert dot org dot cn
Description:
------------
#/Desktop/fuzz_php/php-7.4.0beta4
#php test.php

crash.

Test script:
---------------
test.php

<?php
spl_autoload_register(function ($name) {
  echo "IN:  autoload($name)\n";

  static $i = 0;
  if ($i++ > 10) {
      echo "-> Recursion detected - as expected.\n";
      retu^n;
  }

  class_exists('UndefinedClass' . $i);

  echo "OUT: autoload($name)\n";
});

var_dump(class_exists('UndefinedClass0'));
?>


Expected result:
----------------
no crash
I submitted it very seriously. haha~~
;)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffff7ff528 --> 0x0 
RCX: 0x7fffff7ff590 --> 0x3000000010 
RDX: 0x555556c07260 ("Use of undefined constant %s - assumed '%s' (this will throw an Error in a future version of PHP)")
RSI: 0x1 
RDI: 0x7fffff7ff4b0 --> 0x0 
RBP: 0x55 ('U')
RSP: 0x7fffff7fef60 
RIP: 0x555556488aec (<xbuf_format_converter+76>:	mov    QWORD PTR [rsp+0x18],rcx)
R8 : 0x7fffff7ff590 --> 0x3000000010 
R9 : 0x55555718e9f0 --> 0x0 
R10: 0x55555731af60 --> 0x55555718b620 --> 0x0 
R11: 0x5555571766c0 --> 0x555555f4a460 (<soap_error_handler>:	lea    rsp,[rsp-0x98])
R12: 0x2 
R13: 0x7fffff7ff590 --> 0x3000000010 
R14: 0x555557176500 --> 0xe90 
R15: 0x555556c07260 ("Use of undefined constant %s - assumed '%s' (this will throw an Error in a future version of PHP)")
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555556488ae1 <xbuf_format_converter+65>:	push   rbx
   0x555556488ae2 <xbuf_format_converter+66>:	sub    rsp,0x518
   0x555556488ae9 <xbuf_format_converter+73>:	movzx  ebp,BYTE PTR [rdx]
=> 0x555556488aec <xbuf_format_converter+76>:	mov    QWORD PTR [rsp+0x18],rcx
   0x555556488af1 <xbuf_format_converter+81>:	mov    BYTE PTR [rsp+0xf],sil
   0x555556488af6 <xbuf_format_converter+86>:	mov    rax,QWORD PTR fs:0x28
   0x555556488aff <xbuf_format_converter+95>:	
    mov    QWORD PTR [rsp+0x508],rax
   0x555556488b07 <xbuf_format_converter+103>:	xor    eax,eax
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fef60
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555556488aec in xbuf_format_converter (xbuf=0x7fffff7ff4b0, is_char=0x1, 
    fmt=0x555556c07260 "Use of undefined constant %s - assumed '%s' (this will throw an Error in a future version of PHP)", ap=0x7fffff7ff590)
    at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/main/spprintf.c:193
193	{
gdb-peda$ 


 [2019-10-21 12:16 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
 [2019-10-21 12:16 UTC] cmb@php.net
Duplicate of bug #78703.
 
Last updated: Thu Dec 05 17:01:24 2019 UTC