Home Original page

buffer under- and overflow on clone(null)+array_push()

Bug #42817 buffer under- and overflow on clone(null)+array_push()
Submitted: 2007-10-01 17:13 UTC Modified: 2007-10-04 23:49 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: victor dot stinner at inl dot fr Assigned: iliaa (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.4 OS: Linux
Private report: No CVE-ID: None

 [2007-10-01 17:13 UTC] victor dot stinner at inl dot fr

Description:
------------
Hi,

I found a critical bug (security issue) in my web application. The 
code to reproduce it is quite simple (see above). With apache, the 
result is a line in error.log: [notice] child pid 14988 exit signal 
Segmentation fault (11).

My config: Ubuntu Feisty on Intel Celeron M 420 (32-bit).

Victor Stinner
http://www.inl.fr/

Reproduce code:
---------------
<?php $a = clone(null); array_push($a->b, $c); ?>

Expected result:
----------------
no crash

Actual result:
--------------
Warning: array_push(): First argument should be an array in 
crash.php on line 3
---------------------------------------
/home/haypo/php-5.2.4/Zend/zend_variables.c(175) : Block 0x084774b8 
status:
/home/haypo/php-5.2.4/Zend/zend_execute.h(70) : Actual location 
(location was relayed)
Beginning:      Freed (magic=0x00000000, expected=0x99954317)
    Start:      Overflown (magic=0x084774A4 instead of 0x496A04CC)
                At least 4 bytes overflown
      End:      Overflown (magic=0x00000000 instead of 0x39D5CB7E)
                At least 4 bytes overflown
---------------------------------------

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2007-10-02 14:56 UTC] victor dot stinner at inl dot fr

Hum, I forget to specify PHP version: 5.2.4 (latest). I compiled it 
on source from source code with "./configure --enable-debug" to 
detect the overflow.

Victor Stinner

 [2007-10-02 14:57 UTC] misc at inl dot fr

I can also reproduce the problem on a box running mandriva 2007.0, with this version of php :
apache-mod_php-5.1.6-2mdv2007.0

and i have this error in the log :

[Tue Oct 02 16:51:35 2007] [error] [client 194.167.18.244] PHP Warning:  __clone method called on non-object in /home/users/misc/public_html/test.php on line 1
[Tue Oct 02 16:51:35 2007] [error] [client 194.167.18.244] PHP Warning:  array_push() [<a href='function.array-push'>function.array-push</a>]: First argument should be an array in /home/users/misc/public_html/test.php on line 1
[Tue Oct 02 16:51:36 2007] [notice] child pid 30185 exit signal Segmentation fault (11)

 [2007-10-04 23:26 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

 [2007-10-04 23:49 UTC] victor dot stinner at inl dot fr

"Bug fixed in CVS", great! I saw that you added 3 unit tests:
<?php $a = clone(null); array_push($a->b, $c); ?>
<?php $foo = clone(array()); ?>
<?php $a = clone 0; $a[0]->b = 0; ?>

So there are more cases than just the one in my bug report :-) I 
hope that the next release will be released quickly because my 
error.log is full of segfault messages :-)