[2019-10-21 12:19 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
[2019-10-21 12:19 UTC] cmb@php.net
Description: ------------ #/Desktop/fuzz_php/php-7.4.0beta4 #php test.php crash. Test script: --------------- <?php class ArrayAccessReferenceProxy implements ArrayAccess { private $object; private $oarray; private $element; function __construct(ArrayAccess $object, array &$array, $element) { echo __METHOD__ . "($element)Ln"; $this->object = $object; $this->oarray = &$array; $this->element = $element; } function offsetExists($index) { echo __METHOD__ . "($this->element, $index)\n"; return array_key_exists($index, $this->oarray[$this->element]); } function offsetGet($index) { echo __METHOD__ . "($this->element, $index)\n"; return isset($this->oarray[$this->element][$index]) ? $this[$index] : NULL; } function offsetSet($index, $value) { echo __METHOD__ . "($this->element, $index, $value)\n"; $this->oarray[$this->element][$index] = $value; } function offsetUnset($index) { echo __METHOD__ . "($this->element, $index)\n"; unset($this->oarray[$tement][$index]); } } class Peoples implements ArrayAccess { public $person; function __construct() { $this->person = array(array('name'=>'Foo')); } function offsetExists($index) { return array_key_exists($index, $this->person); } function offsetGet($index) { if (is_array($this->person[$index])) { return new ArrayAccessReferenceProxy($this, $this->person, $index); } else { return $this->person[$index]; } } function offsetSet($index, $value) { $this->person[$index] = $value; } function offsetUnset($index) { unset($this->person[$index]); } } $people = new Peoples; var_dump($people->perdon[0]['name']); $people->person[0]['name'] = $people->person[0]['name'] . 'Bar'; var_dump($people->person[0]['name']); $people->person[0]['name'] .= 'Baz'; var_dump($people->person[0]['name']); echo "===ArrayOverloading===\n"; $people = new Peoples; var_dump($people[0]); var_dump($people[0]['name']); $people[6]['name'] = 'FooBar'; var_dump($people[0]['name']); $people[0]['name'] = $people->person[0]['name'] . 
'Bar'; var_dump($people[0]['name']); $people[]['name'] .= 'Baz'; var_dump($people[0]['name']); unset($people[0]['name']); var_dump($people[0]); var_dump($people[0]['name']); $people[0]['name'] = 'BlaBla'; var_dump($people[0]['name']); ?> Expected result: ---------------- I submitted it very seriously. haha~ ;) Actual result: -------------- Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0x0 RBX: 0x2020001 RCX: 0x7ffff2e94000 --> 0x5555569afd0f (<execute_ex+89823>: nop) RDX: 0x33f0 RSI: 0x555557176678 --> 0x555556999e30 (<execute_ex>: lea rsp,[rsp-0x98]) RDI: 0x7ffff2350be0 --> 0x7ffff2e94020 --> 0x5555569a0a50 (<execute_ex+27680>: lea rsp,[rsp-0x98]) RBP: 0x0 RSP: 0x7fffff7fefe8 RIP: 0x555556999ea4 (<execute_ex+116>: mov QWORD PTR [rsp],rdx) R8 : 0x55555718b600 --> 0x55555731af60 --> 0x55555718b620 --> 0x0 R9 : 0x7ffff2e07e30 --> 0x7ffff2e07018 --> 0x647261646e617402 R10: 0x7ffff2350c30 --> 0x55555719dc20 --> 0x1c600000001 R11: 0x7fffff7ff280 --> 0x55555719dc20 --> 0x1c600000001 R12: 0x7fffff7ff220 --> 0x7ffff2e07428 --> 0x202000100000002 R13: 0x555557176708 --> 0x33f0 R14: 0x7ffff2350be0 --> 0x7ffff2e94020 --> 0x5555569a0a50 (<execute_ex+27680>: lea rsp,[rsp-0x98]) R15: 0x7ffff2e07428 --> 0x202000100000002 EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x555556999e95 <execute_ex+101>: je 0x5555569bf662 <execute_ex+153650> 0x555556999e9b <execute_ex+107>: nop 0x555556999e9c <execute_ex+108>: lea rsp,[rsp-0x98] => 0x555556999ea4 <execute_ex+116>: mov QWORD PTR [rsp],rdx 0x555556999ea8 <execute_ex+120>: mov QWORD PTR [rsp+0x8],rcx 0x555556999ead <execute_ex+125>: mov QWORD PTR [rsp+0x10],rax 0x555556999eb2 <execute_ex+130>: mov rcx,0x962d 0x555556999eb9 <execute_ex+137>: call 0x5555569e4e10 <__afl_maybe_log> 
[------------------------------------stack-------------------------------------] Invalid $SP address: 0x7fffff7fefe8 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x0000555556999ea4 in execute_ex (ex=0x7ffff2350be0) at /home/fuzz/Desktop/fuzz_php/php-7.4.0beta4/Zend/zend_vm_execute.h:50043 50043 if (UNEXPECTED(execute_data == NULL)) { gdb-peda$