From: nguyenmanhdung1710 at gmail dot com
Operating system: Ubuntu 16.04 x64
PHP version: 7.3.6
Package: Testing related
Bug Type: Bug
Bug description: Segmentation Fault in zend_execute.c:2572
Description:
------------
Our fuzzer found a crash (a potential false positive) on php version 3.1.6 (commit b1bdae7621) due to a malformed input.

PoC: https://github.com/strongcourage/PoCs/blob/master/php_v3.1.6_b1bdae7621/PoC

Command: php $POC

Valgrind says:

==25180== Invalid read of size 1
==25180==    at 0x12A5359: zend_object_fetch_property_type_info (zend_execute.c:2572)
==25180==    by 0x12A5359: ZEND_ASSIGN_OBJ_REF_SPEC_VAR_TMPVAR_OP_DATA_VAR_HANDLER (zend_vm_execute.h:26956)
==25180==    by 0x12D6428: execute_ex (zend_vm_execute.h:62493)
==25180==    by 0x130F8DB: zend_execute (zend_vm_execute.h:65287)
==25180==    by 0xF374A2: zend_execute_scripts (zend.c:1625)
==25180==    by 0xD08147: php_execute_script (main.c:2650)
==25180==    by 0x131A67C: do_cli (php_cli.c:985)
==25180==    by 0x26F6FC: main (php_cli.c:1375)
==25180==  Address 0x125 is not stack'd, malloc'd or (recently) free'd

ASAN says:

ASAN:DEADLYSIGNAL
=================================================================
==11961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000124 (pc 0x5654a71320f8 bp 0x7ffc1c9e4470 sp 0x7ffc1c9e4460 T0)
==11961==The signal is caused by a READ memory access.
==11961==Hint: address points to the zero page.
    #0 0x5654a71320f7 in zend_object_fetch_property_type_info /home/dungnm/fuzzing/php-7.3.6/Zend/zend_execute.c:2572
    #1 0x5654a7293da3 in ZEND_ASSIGN_OBJ_REF_SPEC_VAR_TMPVAR_OP_DATA_VAR_HANDLER /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:26956
    #2 0x5654a741388d in execute_ex /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:62493
    #3 0x5654a742a6f5 in zend_execute /home/dungnm/fuzzing/php-7.3.6/Zend/zend_vm_execute.h:65287
    #4 0x5654a6fab1e2 in zend_execute_scripts /home/dungnm/fuzzing/php-7.3.6/Zend/zend.c:1625
    #5 0x5654a6e04ee1 in php_execute_script /home/dungnm/fuzzing/php-7.3.6/main/main.c:2650
    #6 0x5654a7433157 in do_cli /home/dungnm/fuzzing/php-7.3.6/sapi/cli/php_cli.c:985
    #7 0x5654a74358aa in main /home/dungnm/fuzzing/php-7.3.6/sapi/cli/php_cli.c:1375
    #8 0x7f4efe1a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x5654a6513369 in _start (/home/dungnm/fuzzing/php-7.3.6/obj-asan/sapi/cli/php+0x341369)

Thanks,
Manh Dung

-- 
Edit bug report at https://bugs.php.net/bug.php?id=78182&edit=1