0001875: Overflow with large amounts of elements for variadics

ID	Project	Category	View Status	Date Submitted	Last Update

0001875	Xdebug	Step Debugging	public	2020-11-02 02:36	2020-11-14 00:38

Reporter	trowbot	Assigned To	derick
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Platform	Windows (WSL)	OS	Ubuntu	OS Version	20.04.1
Product Version	3.0.0beta1
Target Version	3.0.0RC1	Fixed in Version	3.0.0RC1

Summary	0001875: Overflow with large amounts of elements for variadics
Description	Script crashes on the array_push() call, which results in the message "double free or corruption (!prev)". Script appears to run fine when removing "develop" from xdebug.mode.
Steps To Reproduce	Run the following command, substituting the xdebug location and test file location for your system: php -dzend_extension=/usr/lib/php/20190902/xdebug.so -dxdebug.mode=debug,develop -dxdebug.start_with_request=yes testcase.php
Additional Information	php -dzend_extension=/usr/lib/php/20190902/xdebug.so -dxdebug.mode=debug,develop -dxdebug.start_with_request=yes testcase.php double free or corruption (!prev) Aborted php -v PHP 7.4.3 (cli) (built: Oct 6 2020 15:47:56) ( NTS ) Copyright (c) The PHP Group Zend Engine v3.4.0, Copyright (c) Zend Technologies
Tags	No tags attached.
Attached Files	testcase.php (698 bytes) <?php $input = '<!DOCTYPE html><body><svg><altGlyph /><altGlyphDef /><altGlyphItem /><animateColor /><animateMotion /><animateTransform /><clipPath /><feBlend /><feColorMatrix /><feComponentTransfer /><feComposite /><feConvolveMatrix /><feDiffuseLighting /><feDisplacementMap /><feDistantLight /><feFlood /><feFuncA /><feFuncB /><feFuncG /><feFuncR /><feGaussianBlur /><feImage /><feMerge /><feMergeNode /><feMorphology /><feOffset /><fePointLight /><feSpecularLighting /><feSpotLight /><feTile /><feTurbulence /><foreignObject /><glyphRef /><linearGradient /><radialGradient /><textPath /></svg>'; $chars = preg_split('//u', $input, -1, PREG_SPLIT_NO_EMPTY); $a = []; array_push($a, ...$chars); testcase.php (698 bytes)

Operating System	*
PHP Version	7.4.0-7.4.4

trowbot 2020-11-02 03:18 reporter ~0005489	GDB backtrace gdb.txt (4,358 bytes) Starting program: /usr/bin/php -dzend_extension=/usr/lib/php/20190902/xdebug.so -dxdebug.mode=debug,develop -dxdebug.start_with_request=yes tests/testcase.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 set = {__val = {0, 140737310997216, 93824999630352, 140737354006919, 1, 0, 140737346882752, 93824992275440, 140737488332160, 140737354038318, 140737308000344, 3, 140737308005504, 140737308000256, 93824999636328, 140737308000320}} pid = <optimized out> tid = <optimized out> ret = <optimized out> #1 0x00007ffff764d859 in __GI_abort () at abort.c:79 save_stage = 1 act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {93824997250000, 93824997251776, 6, 0, 0, 0, 0, 0, 93824995210752, 0, 93824995210752, 0, 0, 0, 0, 0}}, sa_flags = 0, sa_restorer = 0x0} sigs = {__val = {32, 0 <repeats 15 times>}} #2 0x00007ffff76b83ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff77e2285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155 ap = {{gp_offset = 24, fp_offset = 4294967295, overflow_arg_area = 0x7fffffffa510, reg_save_area = 0x7fffffffa4a0}} fd = <optimized out> list = <optimized out> nlist = <optimized out> cp = <optimized out> #3 0x00007ffff76c047c in malloc_printerr (str=str@entry=0x7ffff77e4690 "double free or corruption (!prev)") at malloc.c:5347 No locals. #4 0x00007ffff76c212c in _int_free (av=0x7ffff7813b80 <main_arena>, p=0x555555c63e80, have_lock=<optimized out>) at malloc.c:4317 size = 2224 fb = <optimized out> nextchunk = 0x555555c64730 nextsize = <optimized out> nextinuse = <optimized out> prevsize = <optimized out> bck = <optimized out> fwd = <optimized out> __PRETTY_FUNCTION__ = "_int_free" #5 0x00007ffff569d56e in function_stack_entry_dtor (elem=0x555555c62610) at /tmp/pear/temp/xdebug/src/base/base.c:129 i = <optimized out> e = 0x555555c62610 #6 0x00007ffff569ed60 in xdebug_vector_pop (v=0x555555c60b10) at /tmp/pear/temp/xdebug/src/lib/vector.h:64 No locals. #7 xdebug_execute_internal (current_execute_data=<optimized out>, return_value=0x7fffffffa660) at /tmp/pear/temp/xdebug/src/base/base.c:920 edata = <optimized out> fse = 0x555555c62610 function_nr = 2 function_call_traced = <optimized out> restore_error_handler_situation = 0 tmp_error_cb = 0x0 #8 0x00005555558801e0 in execute_ex () No symbol table info available. #9 0x00007ffff569e57b in xdebug_execute_ex (execute_data=0x7ffff5413020) at /tmp/pear/temp/xdebug/src/base/base.c:783 op_array = 0x7ffff547e500 edata = <optimized out> fse = 0x555555c62550 function_nr = 0 code_coverage_function_name = 0x0 code_coverage_filename = 0x0 code_coverage_init = 0 #10 0x000055555588314b in zend_execute () No symbol table info available. #11 0x00005555557fa1ec in zend_execute_scripts () No symbol table info available. #12 0x0000555555799ed0 in php_execute_script () No symbol table info available. #13 0x0000555555885282 in ?? () No symbol table info available. #14 0x0000555555661938 in ?? () No symbol table info available. #15 0x00007ffff764f0b3 in __libc_start_main (main=0x555555661530, argc=5, argv=0x7fffffffe088, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe078) at ../csu/libc-start.c:308 self = <optimized out> result = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {93824995615712, 1032218154151072225, 93824993335984, 140737488347264, 0, 0, -1032218155216121375, -1032236665173945887}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x5, 0x7fffffffe088}, data = {prev = 0x0, cleanup = 0x0, canceltype = 5}}} not_first_call = <optimized out> #16 0x0000555555661ade in _start () No symbol table info available. gdb.txt (4,358 bytes)

derick 2020-11-02 08:33 administrator ~0005490	I can reproduce this. Valgrind shows the following: ==1904314== Invalid write of size 8 ==1904314== at 0x8B4F918: collect_params_internal (base.c:429) ==1904314== by 0x8B500F5: xdebug_add_stack_frame (base.c:653) ==1904314== by 0x8B5092C: xdebug_execute_internal (base.c:860) ==1904314== by 0x97E6EC: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1620) ==1904314== by 0x9DF2B3: execute_ex (zend_vm_execute.h:53787) ==1904314== by 0x8B50620: xdebug_execute_ex (base.c:783) ==1904314== by 0x9E3350: zend_execute (zend_vm_execute.h:57883) ==1904314== by 0x90FC84: zend_execute_scripts (zend.c:1677) ==1904314== by 0x87A4C5: php_execute_script (main.c:2621) ==1904314== by 0x9E5CD9: do_cli (php_cli.c:964) ==1904314== by 0x9E6C71: main (php_cli.c:1359) ==1904314== Address 0x8d7f738 is 8 bytes after a block of size 2,208 alloc'd ==1904314== at 0x483877F: malloc (vg_replace_malloc.c:307) ==1904314== by 0x8B4F72E: collect_params_internal (base.c:391) ==1904314== by 0x8B500F5: xdebug_add_stack_frame (base.c:653) ==1904314== by 0x8B5092C: xdebug_execute_internal (base.c:860) ==1904314== by 0x97E6EC: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1620) ==1904314== by 0x9DF2B3: execute_ex (zend_vm_execute.h:53787) ==1904314== by 0x8B50620: xdebug_execute_ex (base.c:783) ==1904314== by 0x9E3350: zend_execute (zend_vm_execute.h:57883) ==1904314== by 0x90FC84: zend_execute_scripts (zend.c:1677) ==1904314== by 0x87A4C5: php_execute_script (main.c:2621) ==1904314== by 0x9E5CD9: do_cli (php_cli.c:964) ==1904314== by 0x9E6C71: main (php_cli.c:1359) ==1904314== ==1904314== Invalid write of size 4 ==1904314== at 0x8B4F922: collect_params_internal (base.c:429) ==1904314== by 0x8B500F5: xdebug_add_stack_frame (base.c:653) ==1904314== by 0x8B5092C: xdebug_execute_internal (base.c:860) ==1904314== by 0x97E6EC: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1620) ==1904314== by 0x9DF2B3: execute_ex (zend_vm_execute.h:53787) ==1904314== by 0x8B50620: xdebug_execute_ex (base.c:783) ==1904314== by 0x9E3350: zend_execute (zend_vm_execute.h:57883) ==1904314== by 0x90FC84: zend_execute_scripts (zend.c:1677) ==1904314== by 0x87A4C5: php_execute_script (main.c:2621) ==1904314== by 0x9E5CD9: do_cli (php_cli.c:964) ==1904314== by 0x9E6C71: main (php_cli.c:1359) ==1904314== Address 0x8d7f740 is 16 bytes after a block of size 2,208 alloc'd ==1904314== at 0x483877F: malloc (vg_replace_malloc.c:307) ==1904314== by 0x8B4F72E: collect_params_internal (base.c:391) ==1904314== by 0x8B500F5: xdebug_add_stack_frame (base.c:653) ==1904314== by 0x8B5092C: xdebug_execute_internal (base.c:860) ==1904314== by 0x97E6EC: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1620) ==1904314== by 0x9DF2B3: execute_ex (zend_vm_execute.h:53787) ==1904314== by 0x8B50620: xdebug_execute_ex (base.c:783) ==1904314== by 0x9E3350: zend_execute (zend_vm_execute.h:57883) ==1904314== by 0x90FC84: zend_execute_scripts (zend.c:1677) ==1904314== by 0x87A4C5: php_execute_script (main.c:2621) ==1904314== by 0x9E5CD9: do_cli (php_cli.c:964) ==1904314== by 0x9E6C71: main (php_cli.c:1359)

derick 2020-11-13 17:18 administrator ~0005526	https://github.com/xdebug/xdebug/pull/686

Date Modified	Username	Field	Change
2020-11-02 02:36	trowbot	New Issue
2020-11-02 02:36	trowbot	File Added: testcase.php
2020-11-02 03:18	trowbot	File Added: gdb.txt
2020-11-02 03:18	trowbot	Note Added: 0005489
2020-11-02 08:33	derick	Assigned To	=> derick
2020-11-02 08:33	derick	Status	new => confirmed
2020-11-02 08:33	derick	Note Added: 0005490
2020-11-03 16:44	derick	Target Version	=> 3.0.0RC1
2020-11-03 16:44	derick	Operating System	Windows 10 20H2 => *
2020-11-13 17:18	derick	Status	confirmed => assigned
2020-11-13 17:18	derick	Summary	double free or corruption (!prev) => Overflow with large amounts of elements for variadics
2020-11-13 17:18	derick	Note Added: 0005526
2020-11-14 00:38	derick	Status	assigned => closed
2020-11-14 00:38	derick	Resolution	open => fixed
2020-11-14 00:38	derick	Fixed in Version	=> 3.0.0RC1

View Issue Details

Activities

Issue History