php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81636 stack overflow
Submitted: 2021-11-18 14:15 UTC Modified: 2021-11-18 15:13 UTC
From: shaohua dot li at inf dot ethz dot ch Assigned: cmb (profile)
Status: Duplicate Package: Scripting Engine problem
PHP Version: 8.1Git-2021-11-18 (Git) OS: Ubuntu 20.04.3 LTS
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: shaohua dot li at inf dot ethz dot ch
New email:
PHP Version: OS:

 

 [2021-11-18 14:15 UTC] shaohua dot li at inf dot ethz dot ch 
Description:
------------
Hi there,

I found a stack-overflow in `sapi/cli/php`.

- Compiler : clang13, --enable-address-sanitizer

AddressSanitizer report:

==176610==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe0e2cbc48 (pc 0x00000061bce8 bp 0x7ffe0e2cc490 sp 0x7ffe0e2cbc50 T0)
    #0 0x61bce8 in memchr (/php/analysis/debug/asan/clang13-default/sapi/cli/php+0x61bce8)
    #1 0xe2fa33 in zend_memnstr /php/analysis/debug/asan/clang13-default/Zend/zend_operators.h:196:27
    #2 0xe2fa33 in php_str_to_str_ex /php/analysis/debug/asan/clang13-default/ext/standard/string.c:3142:45
    #3 0xe4c6cc in php_str_replace_in_subject /php/analysis/debug/asan/clang13-default/ext/standard/string.c:4397:5
    #4 0xe384be in php_str_replace_common /php/analysis/debug/asan/clang13-default/ext/standard/string.c:4466:11
    #5 0x1349a54 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /php/analysis/debug/asan/clang13-default/Zend/zend_vm_execute.h:1297:2
    #6 0x117c086 in execute_ex /php/analysis/debug/asan/clang13-default/Zend/zend_vm_execute.h:54484:7
    #7 0x107e626 in zend_call_function /php/analysis/debug/asan/clang13-default/Zend/zend_execute_API.c:903:3
    #8 0x10818ea in zend_call_method_if_exists /php/analysis/debug/asan/clang13-default/Zend/zend_execute_API.c:1034:9
    #9 0xf94c1f in call_method_if_exists /php/analysis/debug/asan/clang13-default/main/streams/userspace.c:281:9
    #10 0xf94c1f in user_wrapper_stat_url /php/analysis/debug/asan/clang13-default/main/streams/userspace.c:1281:16
    #11 0xd9b4ef in php_stat /php/analysis/debug/asan/clang13-default/ext/standard/filestat.c:820:7
    #12 0xda21f0 in zif_stat /php/analysis/debug/asan/clang13-default/ext/standard/filestat.c:1080:1
    #13 0xb19a4d in phar_stat /php/analysis/debug/asan/clang13-default/ext/phar/func_interceptors.c:973:1
    #14 0x1349a54 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /php/analysis/debug/asan/clang13-default/Zend/zend_vm_execute.h:1297:2

Test script:
---------------
<?php

class StreamWrapper {
    public $context;
    public function url_stat($path, $flags) {
$pa4h = str_replace('test://', 'file://', $path);
        if (STREAM_URL_STAT_QUIET) {
    return @stat($path); } else {
            return stat($path);
        }
    }
}

stream_wrapper_register('test', StreamWrapper::class);
set_include_path('test://foo:test://bar');
try {
    require_once 'doesnt_exist.php';
} catch (Exception $e) {
    echo $e->getMessage(), "\n";
}

?>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-11-18 15:13 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2021-11-18 15:13 UTC] cmb@php.net 
This is infinite recursion, since url_stat() calls stat() which
calls url_stat() and so on.  This is not a security issue, since
that code always exhibits this behavior (and as such would be
malicious); see also our security classification[1].

Other than that, this is a duplicate of bug #64196.

[1] <https://wiki.php.net/security>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 23:01:28 2024 UTC