Crash in zend_mm_check_ptr // Heap corruption
| Sec Bug #54332 | Crash in zend_mm_check_ptr // Heap corruption | ||||
|---|---|---|---|---|---|
| Submitted: | 2011-03-21 09:27 UTC | Modified: | 2011-07-11 05:48 UTC | ||
| From: | decoder-php at own-hero dot net | Assigned: | dmitry (profile) | ||
| Status: | Closed | Package: | Reproducible crash | ||
| PHP Version: | 5.3.6 | OS: | Linux x86-64 | ||
| Private report: | No | CVE-ID: | None | ||
[2011-03-21 09:27 UTC] decoder-php at own-hero dot net
Description:
------------
The attached code causes a crash with memory corruption on PHP 5.3.6 (tested on 64 bit debug).

Test script:
---------------
```php
<?php number_format(1e300, 2006, '', ' '); ?>
```

Actual result:
--------------
```
==20238== Invalid read of size 8
==20238==    at 0x7B9570: zend_mm_check_ptr (zend_alloc.c:1357)
==20238==    by 0x7BB273: _zend_mm_realloc_int (zend_alloc.c:2055)
==20238==    by 0x7BC4AB: _erealloc (zend_alloc.c:2371)
==20238==    by 0x77006B: xbuf_format_converter (spprintf.c:775)
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030302F: ???
==20238==    by 0x303030303030331B: ???
==20238==  Address 0x3030303030302fe8 is not stack'd, malloc'd or (recently) free'd
==20238==
==20238==
==20238== Process terminating with default action of signal 11 (SIGSEGV)
==20238==  General Protection Fault
```
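One detail of the valgrind trace above is worth reading closely: the corrupted return addresses 0x303030303030302F are runs of the byte 0x30, which is ASCII '0', so the long digit string produced for 1e300 with 2006 decimals was written past the end of the buffer that held it and over adjacent memory, including saved frame data. The C program below is an added example, not PHP's source and not the reporter's code: it shows the pattern a fixed-point formatter should follow when the caller controls the precision, namely measure the conversion with snprintf before writing it, and refuse or allocate exactly rather than trust a fixed scratch buffer. SCRATCH_SIZE (512), fixed_width, format_into_scratch, format_fixed_alloc, would_overflow_scratch and formats_as are names and values chosen for this illustration and are not PHP constants or functions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not PHP source): size a fixed-point conversion before
 * writing it. A caller-supplied precision such as 2006 digits must never
 * be formatted into a fixed scratch buffer unchecked.
 *
 * SCRATCH_SIZE is an assumed buffer size for this illustration.
 */
#define SCRATCH_SIZE 512

/* Characters "%.*f" needs for (value, decimals), excluding the NUL.
 * snprintf with a NULL, zero-length buffer only measures; it writes nothing. */
size_t fixed_width(double value, int decimals)
{
    if (decimals < 0)
        decimals = 0;
    int n = snprintf(NULL, 0, "%.*f", decimals, value);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened pattern: measure first, refuse when the result plus its NUL
 * would not fit in cap bytes. Returns the length written, or -1 on refusal. */
int format_into_scratch(double value, int decimals, char *scratch, size_t cap)
{
    if (decimals < 0)
        decimals = 0;
    size_t need = fixed_width(value, decimals);
    if (need + 1 > cap)
        return -1;
    snprintf(scratch, cap, "%.*f", decimals, value);
    return (int)need;
}

/* Heap-sized alternative: allocate exactly what is needed. Caller frees. */
char *format_fixed_alloc(double value, int decimals)
{
    if (decimals < 0)
        decimals = 0;
    size_t need = fixed_width(value, decimals);
    char *buf = malloc(need + 1);
    if (!buf)
        return NULL;
    snprintf(buf, need + 1, "%.*f", decimals, value);
    return buf;
}

/* 1 if the request would overrun a SCRATCH_SIZE buffer, 0 if it fits. */
int would_overflow_scratch(double value, int decimals)
{
    char scratch[SCRATCH_SIZE];
    return format_into_scratch(value, decimals, scratch, sizeof scratch) < 0;
}

/* 1 if the heap-allocated formatting of (value, decimals) equals expect. */
int formats_as(double value, int decimals, const char *expect)
{
    char *s = format_fixed_alloc(value, decimals);
    int ok = s != NULL && strcmp(s, expect) == 0;
    free(s);
    return ok;
}

int main(void)
{
    /* The reporter's input: 1e300 with 2006 decimals.
     * 301 integer digits + '.' + 2006 zeros = 2308 characters. */
    printf("%%.2006f of 1e300 needs %zu bytes; fits in %d-byte scratch: %s\n",
           fixed_width(1e300, 2006), SCRATCH_SIZE,
           would_overflow_scratch(1e300, 2006) ? "no" : "yes");
    char *s = format_fixed_alloc(1e300, 2006);
    if (s) {
        printf("first 16 chars: %.16s...\n", s);
        free(s);
    }
    return 0;
}
```

The measuring call is the whole point: `snprintf(NULL, 0, ...)` returns the length the conversion would have, so the check happens before a single byte lands in the destination. Any formatter that instead writes digits into a fixed array and checks afterwards, or clamps the precision only for some inputs, is exactly the shape of bug this report describes.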
History
[2011-07-10 14:39 UTC] felipe@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: dmitry
[2011-07-11 05:48 UTC] dmitry@php.net
-Status: Assigned
+Status: Closed