Bug #79214 Seg fault in php_var_export_ex
Submitted: 2020-02-03 02:20 UTC
Modified: 2020-02-07 22:38 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: changochen1 at gmail dot com
Assigned:
Status: Verified
Package: Scripting Engine problem
PHP Version: master-Git-2020-02-03 (Git)
OS: ALL
Private report: No
CVE-ID: None

 [2020-02-03 02:20 UTC] changochen1 at gmail dot com
Description:
------------
The following PoC causes a seg fault in php_var_export_ex (run with `php -f poc.php`).

Stack dump:
---
==248221==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000bc961e bp 0x7fffeef12990 sp 0x7fffeef11d80 T0)
    #0 0xbc961d in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc961d)
    #1 0xbc5658 in php_array_element_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc5658)
    #2 0xbca1be in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbca1be)
    #3 0xbc5658 in php_array_element_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc5658)
    #4 0xbca1be in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbca1be)
    #5 0xbcd1a6 in zif_var_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbcd1a6)
    #6 0x123c2d1 in execute_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x123c2d1)
    #7 0xdf5a2f in zend_call_function (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xdf5a2f)
    #8 0xe6de12 in zend_fcall_info_call (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe6de12)
    #9 0xce8f9b in php_output_handler_op (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xce8f9b)
    #10 0xcea7df in php_output_stack_pop (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xcea7df)
    #11 0xce426e in php_output_end_all (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xce426e)
    #12 0xca8df5 in php_request_shutdown (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xca8df5)
    #13 0x1281d33 in do_cli (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1281d33)
    #14 0x1282acb in main (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1282acb)
    #15 0x7f9d7b3e782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x428a78 in _start (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x428a78)
---

Test script:
---------------
<? for ($GLOBALS = $a;
        ;
        ($b . set_error_handler(function () {
            for ($GLOBALS[] = $c; $d < 10; $d++)
                list($a[], $a[$e]) = array();
        }))[ob_start(function () {
            $a[$d] < var_export($GLOBALS[] = &$GLOBALS, list(var_dump([])[var_export($GLOBALS[] = $GLOBALS, $f)]) = array()[$$g]);
        })]);


 [2020-02-07 22:34 UTC] googleguy@php.net
-Status: Open +Status: Feedback
 [2020-02-07 22:34 UTC] googleguy@php.net
All that code does is produce undefined variable warnings. I cannot reproduce your segfault. Please provide a debug backtrace along with this bug report. See https://bugs.php.net/bugs-generating-backtrace.php for details.
 [2020-02-07 22:38 UTC] nikic@php.net
-Status: Feedback +Status: Verified
 [2020-02-07 22:38 UTC] nikic@php.net
@googleguy: You need to either use an asan build, or run test cases through valgrind. I can reproduce valgrind warnings from a quick check.
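
As an added example (not part of the bug report or of php-src), a small Python triage helper for the AddressSanitizer report above: it parses the header and frames, classifies the fault address, and derives a bucket key that does not change with the depth of the php_var_export_ex / php_array_element_export recursion. The function names `parse_report`, `classify` and `bucket`, the 4096-byte page size and the three-function key depth are assumptions of this example.

```python
import hashlib
import re

# Constructed sample: header and first seven frames copied from the report above.
SAMPLE = """\
==248221==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000bc961e bp 0x7fffeef12990 sp 0x7fffeef11d80 T0)
    #0 0xbc961d in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc961d)
    #1 0xbc5658 in php_array_element_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc5658)
    #2 0xbca1be in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbca1be)
    #3 0xbc5658 in php_array_element_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbc5658)
    #4 0xbca1be in php_var_export_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbca1be)
    #5 0xbcd1a6 in zif_var_export (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xbcd1a6)
    #6 0x123c2d1 in execute_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x123c2d1)
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+) \(pc (0x[0-9a-f]+)")
FRAME = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (\S+) \((.+)\+(0x[0-9a-f]+)\)\s*$")


def parse_report(text):
    """Return (signal, fault_address, frames); frames are (index, function, module_offset)."""
    head = HEADER.search(text)
    if head is None:
        raise ValueError("no AddressSanitizer error header found")
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(3), int(m.group(5), 16)))
    return head.group(1), int(head.group(2), 16), frames


def classify(fault_address, page_size=4096):
    """A fault inside the first page typically means a NULL (or NULL+offset) dereference."""
    return "null-deref" if fault_address < page_size else "wild-access"


def bucket(signal, frames, depth=3):
    """Triage key: first `depth` distinct functions, so recursion depth does not split buckets."""
    distinct = []
    for _, func, _ in frames:
        if func not in distinct:
            distinct.append(func)
    key = "|".join([signal] + distinct[:depth])
    return key, hashlib.sha256(key.encode()).hexdigest()[:12]
```

For the sample, `bucket(*parse_report(SAMPLE)[::2])` gives the key `SEGV|php_var_export_ex|php_array_element_export|zif_var_export`, and `classify` labels the zero fault address as `null-deref`.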
Last updated: Thu Nov 26 21:01:23 2020 UTC