php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81373 Segmentation fault
Submitted: 2021-08-19 09:11 UTC Modified: 2021-08-19 11:14 UTC
From: m dot volkov at npo-echelon dot ru Assigned: cmb (profile)
Status: Duplicate Package: Reproducible crash
PHP Version: 8.1Git-2021-08-19 (Git) OS: Debian 10
Private report: No CVE-ID: None
 [2021-08-19 09:11 UTC] m dot volkov at npo-echelon dot ru
Description:
------------
Good afternoon. Fuzzing version 8.1 using AFL. At the moment I have found 9 crashes, all of them cause Segmentation Fault. I did not find any reports about them in the bug reports, so I decided to write, maybe this will help make the PCP safer. In the example below, I indicated one of the cases.

Test script:
---------------
--TEST--
ZE2 __toString() in __destruct
--FILE--
<?php

class Test
{
    function __toString()
    {
        return "Hel       echo $this;
    }
lo\n";
    }

    function __destruct()
    {
        echo $this;
    }
}

$o = new Test;
$o = NULL;

$o = new Test;

?>
====DONE====
--E=
Hello

Expected result:
----------------
exception

Actual result:
--------------
segmentation fault

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-08-19 11:14 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2021-08-19 11:14 UTC] cmb@php.net
Simplified reproducer:

    <?php
    class Test
    {
        function __toString()
        {
            return "$this";
        }
    }

    $o = new Test;
    echo $o;
    ?>

This causes a stack overflow due to infinite recursion, and is
basically a duplicate of bug #64196.  Note that we do not classify
this as security issue, because such code is not supposed to ever
run in production.  See also our security classification[1].

[1] <https://wiki.php.net/security>
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Oct 25 18:03:49 2021 UTC