Bug #79258 Seg fault in zend_hash_next_index_insert
Submitted: 2020-02-11 17:11 UTC Modified: 2020-08-04 14:13 UTC
From: changochen1 at gmail dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: master-Git-2020-02-11 (Git) OS: ALL
Private report: No CVE-ID: None
 [2020-02-11 17:11 UTC] changochen1 at gmail dot com
Description:
------------
Segmentation fault in zend_hash_next_index_insert.

PHP version:
`PHP 8.0.0-dev (cli) (built: Jan 31 2020 21:52:09) ( NTS )`


Run script:
`php -f poc.php`

Stack dump:
```
==289871==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000e8e458 bp 0x7ffd35627020 sp 0x7ffd35626f60 T0)
    #0 0xe8e457 in zend_hash_next_index_insert (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe8e457)
    #1 0x1206544 in ZEND_ASSIGN_DIM_SPEC_CV_UNUSED_OP_DATA_CV_HANDLER (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1206544)
    #2 0x127844f in execute_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x127844f)
    #3 0x127aab7 in zend_execute (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x127aab7)
    #4 0xe43dfb in zend_execute_scripts (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe43dfb)
    #5 0xcab3b7 in php_execute_script (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xcab3b7)
    #6 0x1280971 in do_cli (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1280971)
    #7 0x1282acb in main (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1282acb)
    #8 0x7f09d3a3b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x428a78 in _start (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x428a78)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 zend_hash_next_index_insert
==289871==ABORTING
```

Test script:
---------------
```php
<?php
function exception_error_handler ( $severity , $message , $file , $line ) {
        ( $file ) ;
        ( [ ] ) ;
        foreach ( $GLOBALS as & $v ) gettype ( [ $i = $a = ( ini_get ( 'internal_encoding' ) ) ] [ ++ $i ] > $a [ ++ $i ] [ ++ var_dump ( func_get_args ( empty ( $a [ array ( 'expected_array' => array ( '0' , 'empty' => array ( 'expected_array' => array ( '-' [ -2 ] , 1 , 'foo' ) , 40 ) ) ) ] ) ) ) [ $a [ $a ] = 1 ] ] ) ;
}
set_error_handler ( 'exception_error_handler' ) ;
function & obHandler ( ) { try { return ;
}
catch ( Exception $e ) { return (string) $severity ;
}
return $buffer ;
}
$a = array ( 0 , 1 ) ;
$b [ ] = 2 ;
foreach ( spl_autoload_register ( print_r ( 11 , 50 == ob_start ( ) ) , $a [ ] = $s ) [ $a = array ( ) ] as $b [ 0 ] ) var_dump ( func_get_args ( ) ) ;
```


 [2020-02-12 06:41 UTC] laruence@php.net
I think this is related to #79259
 [2020-08-04 14:13 UTC] changochen1 at gmail dot com
-Status: Open +Status: Closed
 [2020-08-04 14:13 UTC] changochen1 at gmail dot com
Seems already fixed
 
Last updated: Tue Jan 26 09:01:23 2021 UTC