Description
The following code:

```php
<?php
try {
    $v_10733 = 'foo::bar';
    $v_10734 = 1;
    $v_10735 = define($v_10733, $v_10734,);
}
catch (ValueError $exception) {
    $v_10730 = $exception->getMessage();
    $v_10731 = '\n';
    $v_10732 = $v_10730 . $v_10731;
}
try {
    $v_14659 = '333 ';
    // zend_create_unterminated_string() is provided by ext/zend_test and returns
    // a zend_string whose buffer has no trailing NUL byte. define() hands that
    // buffer to strrchr() inside zend_register_constant(), which keeps reading
    // past the 32-byte allocation (see the AddressSanitizer report below).
    $v_14660 = zend_create_unterminated_string($v_14659,);
    $v_10740 = 1;
    $v_10741 = define($v_14660, $v_10740,);
}
catch (ValueError $exception) {
    $v_10736 = $exception->getMessage();
    $v_10737 = '\n';
    $v_10738 = $v_14660 . $v_10737;
}
```

Resulted in this output:
=================================================================
==1828948==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000067380 at pc 0x00000061cba1 bp 0x7ffea4192bf0 sp 0x7ffea41923b0
READ of size 9 at 0x603000067380 thread T0
#0 0x61cba0 in strrchr (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x61cba0)
#1 0x5b3a050 in zend_register_constant /home/w023dtc/nightly_php/php-src/Zend/zend_constants.c:522:22
#2 0x594a859 in zif_define /home/w023dtc/nightly_php/php-src/Zend/zend_builtin_functions.c:591:6
#3 0x611fdbf in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1421:2
#4 0x5c304db in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:116212:12
#5 0x5c32a6c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121924:2
#6 0x69c39c9 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1975:3
#7 0x51907aa in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2645:13
#8 0x51918e8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2685:9
#9 0x69d88da in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
#10 0x69d2cbf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
#11 0x15329840ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x15329840ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
#13 0x607b04 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b04)
0x603000067380 is located 0 bytes to the right of 32-byte region [0x603000067360,0x603000067380)
allocated by thread T0 here:
#0 0x6829cd in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6829cd)
#1 0x5806df3 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
#2 0x5805559 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
#3 0x499cfe8 in zend_string_alloc /home/w023dtc/nightly_php/php-src/Zend/zend_string.h:167:36
#4 0x49b34b0 in zif_zend_create_unterminated_string /home/w023dtc/nightly_php/php-src/ext/zend_test/test.c:163:8
#5 0x611fdbf in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1421:2
#6 0x5c304db in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:116212:12
#7 0x5c32a6c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:121924:2
#8 0x69c39c9 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1975:3
#9 0x51907aa in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2645:13
#10 0x51918e8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2685:9
#11 0x69d88da in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:951:5
#12 0x69d2cbf in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1362:18
#13 0x15329840ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x61cba0) in strrchr
Shadow bytes around the buggy address:
==1828948==ABORTING
But I expected this output instead:
USE_ZEND_ALLOC=0 php -d "memory_limit = -1" -d "zend.assertions = 1" -d "display_errors = On" -d "display_startup_errors = On" -d "opcache.memory_consumption=4096M" -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit=tracing" -d "opcache.validate_timestamps=0" -d "opcache.jit_buffer_size=128M" -d "opcache.file_update_protection=0" -d "opcache.max_accelerated_files=1000000" -d "opcache.interned_strings_buffer=64" -d "opcache.jit_prof_threshold=0.000000001" -d "opcache.jit_max_root_traces= 100000" -d "opcache.jit_max_side_traces= 100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_blacklist_root_trace=255" -d "opcache.jit_blacklist_side_trace=255" -d "opcache.protect_memory=1" script.php
PHP Version: nightly
Operating System: 22.04
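The trace above points at strrchr() scanning a zend_string buffer that has no NUL terminator, so the scan runs off the end of the 32-byte allocation. As an added illustration of the defensive pattern (this is not code from the issue or from php-src), the following searches the constant name with an explicit length instead, so a missing terminator can never cause an over-read. It assumes the character being looked for is the namespace backslash; split_constant_name() and check_unterminated() are hypothetical helpers, and the unterminated buffer they operate on is constructed inline.

```c
#include <stdlib.h>
#include <string.h>

/* Length-bounded reverse search: never touches buf[len] or beyond, so it is
 * safe on a buffer that carries no NUL terminator. Returns NULL if absent. */
static const char *bounded_rchr(const char *buf, size_t len, char c)
{
    while (len > 0) {
        if (buf[len - 1] == c) return buf + len - 1;
        len--;
    }
    return NULL;
}

/* Split a constant name at its last namespace separator ('\\' assumed) using
 * only the explicit length. Sets *short_name (points into buf) and *ns_len
 * (0 when the name is unqualified); returns the short name's length. */
size_t split_constant_name(const char *buf, size_t len,
                           const char **short_name, size_t *ns_len)
{
    const char *slash = bounded_rchr(buf, len, '\\');
    if (slash == NULL) {
        *short_name = buf;
        *ns_len = 0;
        return len;
    }
    *ns_len = (size_t)(slash - buf);
    *short_name = slash + 1;
    return len - *ns_len - 1;
}

/* Constructed reproduction of the unterminated-string condition: the copy is
 * exactly len bytes with nothing after it. strrchr() on such a buffer is the
 * over-read ASan reported; the bounded split stays inside the allocation.
 * Returns 1 if the recovered short name matches expected_short. */
int check_unterminated(const char *name, size_t len, const char *expected_short)
{
    char *buf = malloc(len);          /* deliberately no room for a NUL */
    if (buf == NULL) return 0;
    memcpy(buf, name, len);
    const char *sn;
    size_t ns;
    size_t sn_len = split_constant_name(buf, len, &sn, &ns);
    int ok = sn_len == strlen(expected_short) &&
             memcmp(sn, expected_short, sn_len) == 0;
    free(buf);
    return ok;
}
```

Running the same inputs under AddressSanitizer with strrchr() swapped in for bounded_rchr() reproduces the heap-buffer-overflow class of report shown above.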