Bug #72907 :: null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260)
| Bug #72907 | null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260) | | |
|---|---|---|---|
| Submitted: | 2016-08-20 19:14 UTC | Modified: | 2016-08-21 09:34 UTC |
| From: | brian dot carpenter at gmail dot com | Assigned: | |
| Status: | Closed | Package: | Reproducible crash |
| PHP Version: | 5.6.25 | OS: | Debian 8.5 x64 |
| Private report: | No | CVE-ID: | None |
[2016-08-20 19:14 UTC] brian dot carpenter at gmail dot com
Description:
------------
Fuzzing PHP 5.6.25 x64 w/ American Fuzzy Lop and ASAN.

Test script:
---------------
https://dl.dropboxusercontent.com/u/6088006/php/segfault_gc_remove_zval_from_buffer

Expected result:
----------------
No crash.

Actual result:
--------------
```
ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.5/bin/llvm-symbolizer ASAN_OPTIONS=symbolizer=1 ./php test00

Warning: Attempt to modify property of non-object in /root/php-tmp/out/crashes/test00 on line 1

Warning: Attempt to modify property of non-object in /root/php-tmp/out/crashes/test00 on line 1

Warning: Creating default object from empty value in /root/php-tmp/out/crashes/test00 on line 1
ASAN:SIGSEGV
=================================================================
==28119==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x00000197cd3f sp 0x7ffe8a728df0 bp 0x7ffbeb6c8d78 T0)
    #0 0x197cd3e in gc_remove_from_buffer /root/php-5.6.25/Zend/zend_gc.h:190
    #1 0x197cd3e in gc_remove_zval_from_buffer /root/php-5.6.25/Zend/zend_gc.c:260
    #2 0x1b2c41f in i_zval_ptr_dtor_nogc /root/php-5.6.25/Zend/zend_execute.h:94
    #3 0x1b2c41f in ZEND_BW_XOR_SPEC_VAR_VAR_HANDLER /root/php-5.6.25/Zend/zend_vm_execute.h:19132
    #4 0x1a2d076 in execute_ex /root/php-5.6.25/Zend/zend_vm_execute.h:363
    #5 0x1898248 in zend_execute_scripts /root/php-5.6.25/Zend/zend.c:1341
    #6 0x15cd9af in php_execute_script /root/php-5.6.25/main/main.c:2613
    #7 0x1e5cf19 in do_cli /root/php-5.6.25/sapi/cli/php_cli.c:994
    #8 0x4565ec in main /root/php-5.6.25/sapi/cli/php_cli.c:1378
    #9 0x7ffbe91f0b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #10 0x45761e (/root/php-5.6.25/sapi/cli/php+0x45761e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/php-5.6.25/Zend/zend_gc.h:190 gc_remove_from_buffer
==28119==ABORTING
```
[2016-08-21 04:26 UTC] stas@php.net
-Type: Security
+Type: Bug