Bug #79783 Segfault in php_str_replace_common
Submitted: 2020-07-04 02:06 UTC Modified: 2020-07-06 07:33 UTC
From: changochen1 at gmail dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 8.0Git-2020-07-04 (Git) OS:
Private report: No CVE-ID: None
 [2020-07-04 02:06 UTC] changochen1 at gmail dot com
Description:
------------
In a release build, it triggers a segfault:
---
MemorySanitizer:DEADLYSIGNAL
==160146==ERROR: MemorySanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000f8da84 bp 0x000000000000 sp 0x7ffe10b2de00 T160146)
==160146==The signal is caused by a READ memory access.
==160146==Hint: address points to the zero page.
    #0 0xf8da83 in php_str_replace_common /home/yongheng/php_clean/ext/standard/string.c:4379:3
    #1 0x1573b32 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/yongheng/php_clean/Zend/zend_vm_execute.h:1236:2
    #2 0x13ec04f in execute_ex /home/yongheng/php_clean/Zend/zend_vm_execute.h:51852:7
    #3 0x13ec844 in zend_execute /home/yongheng/php_clean/Zend/zend_vm_execute.h:56146:2
    #4 0x1337c58 in zend_execute_scripts /home/yongheng/php_clean/Zend/zend.c:1667:4
    #5 0x10c1cd7 in php_execute_script /home/yongheng/php_clean/main/main.c:2579:14
    #6 0x171abf1 in do_cli /home/yongheng/php_clean/sapi/cli/php_cli.c:958:5
    #7 0x1716fcf in main /home/yongheng/php_clean/sapi/cli/php_cli.c:1357:18
    #8 0x7f78981f4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x440309 in _start (/home/yongheng/php_clean/asan/sapi/cli/php+0x440309)

MemorySanitizer can not provide additional info.
SUMMARY: MemorySanitizer: SEGV /home/yongheng/php_clean/ext/standard/string.c:4379:3 in php_str_replace_common
==160146==ABORTING
---

In a debug build, it triggers an assertion:
---
/home/yongheng/php_clean/ext/standard/string.c:4379: void php_str_replace_common(zend_execute_data *, zval *, int): Assertion `(zval_get_type(&(*(zcount))) == 10)' failed.
---

Test script:
---------------
<?php
// Fuzzer-generated reproducer: the 4th parameter of str_replace() ($count) is
// by-reference, but a function-call result is passed instead of a variable.
str_replace(array(), 1.500000, array(), DEFINED(678.000000));


History

 [2020-07-05 08:41 UTC] maxsem dot wiki at gmail dot com
The following pull request has been associated:

Patch Name: Fix bug #79783: segfault in str_replace()
On GitHub:  https://github.com/php/php-src/pull/5811
Patch:      https://github.com/php/php-src/pull/5811.patch
 [2020-07-06 07:33 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-07-06 07:33 UTC] cmb@php.net
Crashes as of PHP 7.4.0; doesn't trigger notice ("only variables
should be passed by reference") as of PHP 7.0.0:
<https://3v4l.org/b1psI>.
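Because PHP 7.0 and later emit no "only variables should be passed by reference" notice for this call form, an affected code base gives no runtime hint before the crash. The following static check, added here as an example and not part of the bug report or of php-src, scans PHP source for str_replace()/str_ireplace() calls (both dispatch to php_str_replace_common) whose fourth argument is not something a reference can be bound to, i.e. not a plain variable, array element, property or static property. The sample source and the function names are constructed for the example; the check is a lightweight text scan, not a full PHP parser.

```python
import re

# Call sites to inspect: plain function calls only (method/static calls are filtered below).
CALL = re.compile(r"\b(str_i?replace)\s*\(", re.IGNORECASE)

# Something a by-reference parameter can bind to: $x, $x[...], $x->prop, Foo::$x, and chains.
VARIABLE_ARG = re.compile(
    r"^(?:[A-Za-z_][A-Za-z0-9_\\]*::)?"                 # optional static prefix Foo::
    r"\$[A-Za-z_][A-Za-z0-9_]*"                         # $name
    r"(?:\s*(?:\[[^\]]*\]|->[A-Za-z_][A-Za-z0-9_]*))*$"  # [..] / ->prop chains
)


def split_args(text, start):
    """Split the argument list whose '(' is at text[start] into top-level arguments.

    Returns (args, index_of_closing_paren), or (None, len(text)) if unbalanced.
    Nested brackets and quoted strings are kept intact inside one argument.
    """
    depth = 0
    args, cur = [], []
    in_str = None
    i = start
    while i < len(text):
        ch = text[i]
        if in_str:
            cur.append(ch)
            if ch == "\\":  # copy the escaped character verbatim
                i += 1
                if i < len(text):
                    cur.append(text[i])
            elif ch == in_str:
                in_str = None
        elif ch in ("'", '"'):
            in_str = ch
            cur.append(ch)
        elif ch in "([{":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args, i
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return None, i


def _is_plain_call(source, start):
    """Reject $obj->str_replace(, Foo::str_replace(, $str_replace( and function declarations."""
    before = source[max(0, start - 2):start]
    decl = source[max(0, start - 9):start].lower()
    return not (before.endswith(("->", "::", "$")) or decl == "function ")


def find_unsafe_count_args(source):
    """Return (line, function_name, fourth_argument) for calls whose $count target is not a variable."""
    findings = []
    for m in CALL.finditer(source):
        if not _is_plain_call(source, m.start()):
            continue
        args, _ = split_args(source, m.end() - 1)
        if args is None or len(args) < 4:
            continue  # no $count argument, or unparsable call
        fourth = args[3]
        if not VARIABLE_ARG.match(fourth):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), fourth))
    return findings


# Constructed sample source: three acceptable calls, then two that pass a non-variable.
SAMPLE_PHP = """<?php
// fine: the by-reference count target is a variable or an element of one
$out = str_replace('a', 'b', $s, $n);
$out = str_replace(['a'], ['b'], $s, $stats['n']);
$out = str_replace('a', 'b', $s);
// not fine: a function result is not a variable, so no reference can be bound
str_replace(array(), 1.5, array(), defined('X'));
$out = str_ireplace('A', 'b', $s, strlen($s));
"""

if __name__ == "__main__":
    for line, func, arg in find_unsafe_count_args(SAMPLE_PHP):
        print(f"line {line}: {func}() passes non-variable {arg!r} as $count")
```

Run against the sample it reports lines 7 and 8; on a real code base feed it the contents of each .php file. A match is a call that will crash on unfixed PHP 7.4/8.0 builds, and the fix on the calling side is the same in every version: hand the fourth argument a variable and read the replacement count from it.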
 [2020-07-07 07:57 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=971e5c5186a2a2339b0dbad4f2a057a9deed5aa2
Log: Fixed bug #79783
 [2020-07-07 07:57 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Nov 26 16:01:23 2020 UTC