Bug #79793 Use after free if string used in undefined index warning is changed
Submitted: 2020-07-04 18:52 UTC Modified: 2020-07-07 14:12 UTC
From: changochen1 at gmail dot com Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 8.0Git-2020-07-04 (Git) OS:
Private report: No CVE-ID: None
 [2020-07-04 18:52 UTC] changochen1 at gmail dot com
Description:
------------
LOG:
---
php: /home/yongheng/php_clean/Zend/zend_types.h:1162: uint32_t zend_gc_delref(zend_refcounted_h *): Assertion `p->refcount > 0' failed.
---

Test script:
---------------
<?php
// Output buffer callback with a 20-byte chunk size: every flush appends the chunk to $c,
// the same string the loop below is using as an array key.
ob_start(
    function ($a) use (&$c) {
        $c .= $a;
    }
, 20);
// $d[$c]++ raises undefined-variable/undefined-index warnings; their output flushes the
// buffer, the callback modifies $c, and the engine then uses the stale key (the UAF).
// The inner ob_start callback only references an undefined constant to produce more output.
for (;;
    ob_start(
        function () {
            b;
        }
    , $d[$c]++))
    var_dump(get_declared_classes());


History

 [2020-07-07 14:12 UTC] nikic@php.net
-Summary: Assertion `p->refcount > 0' failed.
+Summary: Use after free if string used in undefined index warning is changed
-Status: Open
+Status: Verified
 [2020-07-07 14:12 UTC] nikic@php.net
Reduced:

<?php
$key = "foo";
set_error_handler(function () use (&$key) {
    $key .= "bar";
});
$ary[$key]++;

Valgrind:

==1215619== Invalid read of size 4
==1215619==    at 0x9D8AF8: _zend_hash_add_or_update_i (zend_hash.c:736)
==1215619==    by 0x9D93A2: zend_hash_add_new (zend_hash.c:911)
==1215619==    by 0x9F3AEE: zend_fetch_dimension_address_inner (zend_execute.c:2136)
==1215619==    by 0x9F3DA3: zend_fetch_dimension_address (zend_execute.c:2197)
==1215619==    by 0x9F4471: zend_fetch_dimension_address_RW (zend_execute.c:2306)
==1215619==    by 0xA60543: ZEND_FETCH_DIM_RW_SPEC_CV_CV_HANDLER (zend_vm_execute.h:46151)
==1215619==    by 0xA69ED1: execute_ex (zend_vm_execute.h:55890)
==1215619==    by 0xA6A297: zend_execute (zend_vm_execute.h:56094)
==1215619==    by 0x9C442A: zend_execute_scripts (zend.c:1667)
==1215619==    by 0x92BF71: php_execute_script (main.c:2537)
==1215619==    by 0xAA9230: do_cli (php_cli.c:955)
==1215619==    by 0xAAA328: main (php_cli.c:1353)
==1215619==  Address 0x8ebe454 is 4 bytes inside a block of size 32 free'd
==1215619==    at 0x483DFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1215619==    by 0x98B8F2: __zend_realloc (zend_alloc.c:3011)
==1215619==    by 0x98A77F: _realloc_custom (zend_alloc.c:2435)
==1215619==    by 0x98A8DB: _erealloc (zend_alloc.c:2557)
==1215619==    by 0x9B3B4F: zend_string_extend (zend_string.h:224)
==1215619==    by 0x9BAE64: concat_function (zend_operators.c:1876)
==1215619==    by 0x9F1330: zend_binary_op (zend_execute.c:1293)
==1215619==    by 0xA4CE04: ZEND_ASSIGN_OP_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:37663)
==1215619==    by 0xA692F1: execute_ex (zend_vm_execute.h:55282)
==1215619==    by 0x9ACB1D: zend_call_function (zend_execute_API.c:785)
==1215619==    by 0x9AC36A: _call_user_function_ex (zend_execute_API.c:633)
==1215619==    by 0x9C32A0: zend_error_impl (zend.c:1365)
==1215619==    by 0x9C352E: zend_error_va_list (zend.c:1413)
==1215619==    by 0x9C3929: zend_error (zend.c:1485)
==1215619==    by 0x9F3219: zend_undefined_index (zend_execute.c:1909)
==1215619==    by 0x9F32F0: zend_undefined_index_write (zend_execute.c:1937)
==1215619==    by 0x9F3ABC: zend_fetch_dimension_address_inner (zend_execute.c:2131)
==1215619==    by 0x9F3DA3: zend_fetch_dimension_address (zend_execute.c:2197)
==1215619==    by 0x9F4471: zend_fetch_dimension_address_RW (zend_execute.c:2306)
==1215619==    by 0xA60543: ZEND_FETCH_DIM_RW_SPEC_CV_CV_HANDLER (zend_vm_execute.h:46151)
==1215619==    by 0xA69ED1: execute_ex (zend_vm_execute.h:55890)
==1215619==    by 0xA6A297: zend_execute (zend_vm_execute.h:56094)
==1215619==    by 0x9C442A: zend_execute_scripts (zend.c:1667)
==1215619==    by 0x92BF71: php_execute_script (main.c:2537)
==1215619==    by 0xAA9230: do_cli (php_cli.c:955)
==1215619==    by 0xAAA328: main (php_cli.c:1353)
==1215619==  Block was alloc'd at
==1215619==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1215619==    by 0x98B83F: __zend_malloc (zend_alloc.c:2992)
==1215619==    by 0x98A689: _malloc_custom (zend_alloc.c:2417)
==1215619==    by 0x98A7D3: _emalloc (zend_alloc.c:2536)
==1215619==    by 0x9B39A9: zend_string_alloc (zend_string.h:141)
==1215619==    by 0x9BAE7E: concat_function (zend_operators.c:1878)
==1215619==    by 0x9F1330: zend_binary_op (zend_execute.c:1293)
==1215619==    by 0xA4CE04: ZEND_ASSIGN_OP_SPEC_CV_CONST_HANDLER (zend_vm_execute.h:37663)
==1215619==    by 0xA692F1: execute_ex (zend_vm_execute.h:55282)
==1215619==    by 0x9ACB1D: zend_call_function (zend_execute_API.c:785)
==1215619==    by 0x9AC36A: _call_user_function_ex (zend_execute_API.c:633)
==1215619==    by 0x9C32A0: zend_error_impl (zend.c:1365)
==1215619==    by 0x9C352E: zend_error_va_list (zend.c:1413)
==1215619==    by 0x9C3929: zend_error (zend.c:1485)
==1215619==    by 0x9EEC29: zval_undefined_cv (zend_execute.c:269)
==1215619==    by 0x9EEC4A: _zval_undefined_op1 (zend_execute.c:276)
==1215619==    by 0x9F4322: zend_fetch_dimension_address (zend_execute.c:2272)
==1215619==    by 0x9F4471: zend_fetch_dimension_address_RW (zend_execute.c:2306)
==1215619==    by 0xA60543: ZEND_FETCH_DIM_RW_SPEC_CV_CV_HANDLER (zend_vm_execute.h:46151)
==1215619==    by 0xA69ED1: execute_ex (zend_vm_execute.h:55890)
==1215619==    by 0xA6A297: zend_execute (zend_vm_execute.h:56094)
==1215619==    by 0x9C442A: zend_execute_scripts (zend.c:1667)
==1215619==    by 0x92BF71: php_execute_script (main.c:2537)
==1215619==    by 0xAA9230: do_cli (php_cli.c:955)
==1215619==    by 0xAAA328: main (php_cli.c:1353)
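The Valgrind trace above shows the shape of the bug: the key string is only borrowed while the "Undefined index" warning runs the user's error handler, the handler's `$key .= "bar"` reallocates that string in place, and `zend_hash_add_new` then reads the freed block. The following C model is an added example, not php-src code; `rstr`, `rstr_append` and `undefined_index_write` are stand-ins for `zend_string`, `concat_function` and `zend_undefined_index_write`, and it shows the general remedy for a borrowed refcounted object used across a callback (hold your own reference for the duration), not the exact change in the linked commit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the #79793 hazard (added here, not php-src code): a refcounted string whose
 * header and bytes share one block, like zend_string, so extending it may move it. */
typedef struct { int refcount; size_t len; char val[]; } rstr;

static rstr *rstr_new(const char *s) {
    rstr *r = malloc(sizeof *r + strlen(s) + 1);
    r->refcount = 1; r->len = strlen(s); memcpy(r->val, s, r->len + 1); return r;
}
static void rstr_release(rstr *r) { if (--r->refcount == 0) free(r); }

/* "$key .= tail": a sole owner is extended in place (realloc may free the old block);
 * a shared string is replaced by a fresh copy, so other holders' pointers stay valid. */
static void rstr_append(rstr **slot, const char *tail) {
    rstr *r = *slot; size_t tl = strlen(tail);
    if (r->refcount == 1) {
        r = realloc(r, sizeof *r + r->len + tl + 1);
    } else {
        rstr *n = malloc(sizeof *n + r->len + tl + 1);
        n->refcount = 1; n->len = r->len; memcpy(n->val, r->val, r->len);
        r->refcount--; r = n;
    }
    memcpy(r->val + r->len, tail, tl + 1); r->len += tl; *slot = r;
}

typedef void (*err_handler)(rstr **key_var);        /* the script's set_error_handler */
static void handler_append_bar(rstr **key_var) { rstr_append(key_var, "bar"); }
/* hold_ref == 0 is the 8.0-dev shape: the key is only borrowed across the warning, the
 * handler's realloc frees it and the insert reads freed memory (observe under Valgrind
 * only). hold_ref == 1 holds our own reference, so a mutating handler must copy-on-write. */
static void undefined_index_write(rstr **key_var, err_handler h, int hold_ref, char *out, size_t n) {
    rstr *key = *key_var;
    if (hold_ref) key->refcount++;
    h(key_var);                        /* "Undefined index" warning runs user code */
    snprintf(out, n, "%s", key->val);  /* zend_hash_add_new would use key here */
    if (hold_ref) rstr_release(key);
}

/* The reduced repro driven through the hardened path; returns 1 if the key the insert
 * saw is still "foo" and $key now holds "foobar" with a single owner. */
static int run_safe_repro(void) {
    rstr *key = rstr_new("foo"); char inserted[16];
    undefined_index_write(&key, handler_append_bar, 1, inserted, sizeof inserted);
    int ok = !strcmp(inserted, "foo") && !strcmp(key->val, "foobar") && key->refcount == 1;
    rstr_release(key); return ok;
}
int main(void) { printf("%s\n", run_safe_repro() ? "hardened path ok" : "FAIL"); return 0; }
```

Compile with `-fsanitize=address` and call `undefined_index_write` with `hold_ref = 0` to see the same invalid read the report's Valgrind output describes.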
 [2020-07-07 14:33 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=77acc8a069acbdd0e4ab0ac43f7d676a23e413a1
Log: Fixed bug #79793
 [2020-07-07 14:33 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Nov 26 16:01:23 2020 UTC