From: victor dot stinner at inl dot fr
Operating system: Linux
PHP version: 5.2.4
PHP Bug Type: Reproducible crash
Bug description: buffer under- and overflow on clone(null)+array_push()
Description:
------------
Hi,

I found a critical bug (security issue) in my web application. The code to reproduce it is quite simple (see above). With apache, the result is a line in error.log:

[notice] child pid 14988 exit signal Segmentation fault (11)

My config: Ubuntu Feisty on Intel Celeron M 420 (32-bit).

Victor Stinner
http://www.inl.fr/

Reproduce code:
---------------
<?php
$a = clone(null);
array_push($a->b, $c);
?>

Expected result:
----------------
no crash

Actual result:
--------------
Warning: array_push(): First argument should be an array in crash.php on line 3
---------------------------------------
/home/haypo/php-5.2.4/Zend/zend_variables.c(175) : Block 0x084774b8 status:
/home/haypo/php-5.2.4/Zend/zend_execute.h(70) : Actual location (location was relayed)
Beginning:      Freed (magic=0x00000000, expected=0x99954317)
    Start:      Overflown (magic=0x084774A4 instead of 0x496A04CC)
                At least 4 bytes overflown
      End:      Overflown (magic=0x00000000 instead of 0x39D5CB7E)
                At least 4 bytes overflown
---------------------------------------

-- 
Edit bug report at http://bugs.php.net/?id=42817&edit=1