SEGV Zend/zend_hash.c - Array Iterator Memory Corruption #19613

@vi3tL0u1s

Description

The following fuzzing input

https://github.com/vi3tL0u1s/poc/blob/master/php-src-zend_hash-segv-fault

Resulted in this output:

time ./path/to/php-src/sapi/cli/php < php-src-zend_hash-segv-fault 

Warning: Undefined variable $iC in Standard input code on line 4

Warning: Array to string conversion in Standard input code on line 12
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4066773==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd0c3000040 (pc 0x55de4eac921d bp 0x7ffdb68d1830 sp 0x7ffdb68d16f0 T0)
==4066773==The signal is caused by a WRITE memory access.
    #0 0x55de4eac921d in zend_hash_iterator_pos_ex /php-src/Zend/zend_hash.c:642:12
    #1 0x55de4e9c2d4b in ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER /php-src/Zend/zend_vm_execute.h:23204:9
    #2 0x55de4e837d7a in execute_ex /php-src/Zend/zend_vm_execute.h:113454:12
    #3 0x55de4e838677 in zend_execute /php-src/Zend/zend_vm_execute.h:119146:2
    #4 0x55de4ec65cd0 in zend_execute_script /php-src/Zend/zend.c:1977:3
    #5 0x55de4e46ffeb in php_execute_script_ex /php-src/main/main.c:2608:13
    #6 0x55de4e4704e8 in php_execute_script /php-src/main/main.c:2648:9
    #7 0x55de4ec6dbd2 in do_cli /php-src/sapi/cli/php_cli.c:952:5
    #8 0x55de4ec6ab2c in main /php-src/sapi/cli/php_cli.c:1363:18
    #9 0x7fd0c7d3cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7fd0c7d3ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x55de4d203374 in _start /php-src/sapi/cli/php+0x603374) (BuildId: 08745b1cedbdc2c480cbfd48c2b8c57d104ec64c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src/Zend/zend_hash.c:642:12 in zend_hash_iterator_pos_ex
==4066773==ABORTING

real    0m56.131s
user    0m55.752s
sys     0m0.036s

Crash Location: zend_hash_iterator_pos_ex at /Zend/zend_hash.c:642:12

Commit:

5d5ef5050a

Configurations:

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

Additional Notes

The fuzzing input contains corrupted PHP code with:

  • Undefined variables in loop conditions causing infinite loops
  • Nested foreach loops with conflicting variable references ($v as both reference and value)
  • Array modification (sort()) during active iteration
  • Binary corruption in the input causing invalid memory addresses to be stored in iterator structures

PHP Version

PHP 8.5.0-dev (cli) (built: Aug 28 2025 15:22:18) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.5.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 20.04
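Turning the report above into triage fields, as an added example that is not part of this issue, of the reporter's fuzzer, or of php-src: the parser pulls out the sanitizer error kind, the access type, the faulting address and the symbolised frames, then derives a crash bucket from the innermost function names so that repeated fuzzer hits on the same location deduplicate even though the faulting address changes between runs. The sample text is the ASAN output quoted in the report, trimmed to the first four frames; the regexes follow the ASAN output shapes seen above plus the "on address" / "of size" forms used for the non-signal bug classes.

```python
"""Triage helper for AddressSanitizer crash reports.

Added example for this issue; it is not code from php-src or from the
reporter. It parses an ASAN report into structured fields and derives a
stable crash signature (sanitizer error kind, access type, top stack
frames) so that fuzzer-found crashes can be deduplicated by location
instead of by faulting address, which ASLR changes on every run.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the report quoted in the issue above, trimmed to the
# first four stack frames. The PHP warnings are kept to show they are skipped.
SAMPLE_REPORT = """\
Warning: Undefined variable $iC in Standard input code on line 4

Warning: Array to string conversion in Standard input code on line 12
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4066773==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd0c3000040 (pc 0x55de4eac921d bp 0x7ffdb68d1830 sp 0x7ffdb68d16f0 T0)
==4066773==The signal is caused by a WRITE memory access.
    #0 0x55de4eac921d in zend_hash_iterator_pos_ex /php-src/Zend/zend_hash.c:642:12
    #1 0x55de4e9c2d4b in ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER /php-src/Zend/zend_vm_execute.h:23204:9
    #2 0x55de4e837d7a in execute_ex /php-src/Zend/zend_vm_execute.h:113454:12
    #3 0x55de4e838677 in zend_execute /php-src/Zend/zend_vm_execute.h:119146:2

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src/Zend/zend_hash.c:642:12 in zend_hash_iterator_pos_ex
==4066773==ABORTING
"""

# "SEGV on unknown address 0x..." for signals; "heap-buffer-overflow on
# address 0x..." for the bug classes ASAN detects itself.
ERROR_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-fA-F]+)"
)
# "caused by a WRITE memory access" (signals) or "WRITE of size 8" (overflows).
ACCESS_RE = re.compile(r"\b(READ|WRITE)(?: memory access| of size \d+)")
# Symbolised frame with file:line and an optional :column.
FRAME_RE = re.compile(
    r"^\s*#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\s+(\S+)\s+(.+?):(\d+)(?::\d+)?\s*$"
)
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\S+) (\S+) in (\S+)")


@dataclass
class Frame:
    index: int
    pc: str
    function: str
    file: str
    line: int


@dataclass
class AsanCrash:
    pid: int
    kind: str              # e.g. "SEGV", "heap-buffer-overflow"
    address: str           # faulting address (differs from run to run)
    access: Optional[str]  # "READ", "WRITE" or None if not reported
    frames: List[Frame] = field(default_factory=list)
    summary_function: Optional[str] = None
    summary_location: Optional[str] = None

    def bucket(self, depth: int = 3) -> str:
        """Stable signature for deduplication: kind, access type and the
        innermost `depth` function names. Addresses are deliberately left
        out because ASLR changes them between runs."""
        top = ">".join(f.function for f in self.frames[:depth])
        return f"{self.kind}|{self.access or '?'}|{top}"


def parse_asan_report(text: str) -> AsanCrash:
    """Parse one ASAN report. Lines before the ERROR line (e.g. PHP
    warnings) are ignored; raises ValueError if no ERROR line is present."""
    crash: Optional[AsanCrash] = None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            crash = AsanCrash(pid=int(m.group(1)), kind=m.group(2),
                              address=m.group(3), access=None)
            continue
        if crash is None:
            continue  # still in the program's own output before the crash
        m = ACCESS_RE.search(line)
        if m and crash.access is None:
            crash.access = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            crash.frames.append(Frame(index=int(m.group(1)), pc=m.group(2),
                                      function=m.group(3), file=m.group(4),
                                      line=int(m.group(5))))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            crash.summary_location = m.group(2)
            crash.summary_function = m.group(3)
    if crash is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return crash


if __name__ == "__main__":
    c = parse_asan_report(SAMPLE_REPORT)
    print(c.bucket())
    print(f"top frame: {c.frames[0].function} at {c.frames[0].file}:{c.frames[0].line}")
```

Frames the regex does not recognise (the unsymbolised `_start` frame at the bottom of the report, for instance) are skipped rather than failing the parse, so the bucket is built only from frames with a resolved file and line.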
