View Issue Details

IDProjectCategoryView StatusLast Update
0001875XdebugStep Debuggingpublic2020-11-14 00:38
Reportertrowbot Assigned Toderick  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
PlatformWindows (WSL)OSUbuntuOS Version20.04.1
Product Version3.0.0beta1 
Target Version3.0.0RC1Fixed in Version3.0.0RC1 
Summary0001875: Overflow with large amounts of elements for variadics
Description

Script crashes on the array_push() call, which results in the message "double free or corruption (!prev)". Script appears to run fine when removing "develop" from xdebug.mode.

Steps To Reproduce

Run the following command, substituting the xdebug location and test file location for your system:
php -dzend_extension=/usr/lib/php/20190902/xdebug.so -dxdebug.mode=debug,develop -dxdebug.start_with_request=yes testcase.php

Additional Information

php -dzend_extension=/usr/lib/php/20190902/xdebug.so -dxdebug.mode=debug,develop -dxdebug.start_with_request=yes testcase.php
double free or corruption (!prev)
Aborted

php -v
PHP 7.4.3 (cli) (built: Oct 6 2020 15:47:56) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies

TagsNo tags attached.
Attached Files
testcase.php (698 bytes)   
<?php

$input = '<!DOCTYPE html><body><svg><altGlyph /><altGlyphDef /><altGlyphItem /><animateColor /><animateMotion /><animateTransform /><clipPath /><feBlend /><feColorMatrix /><feComponentTransfer /><feComposite /><feConvolveMatrix /><feDiffuseLighting /><feDisplacementMap /><feDistantLight /><feFlood /><feFuncA /><feFuncB /><feFuncG /><feFuncR /><feGaussianBlur /><feImage /><feMerge /><feMergeNode /><feMorphology /><feOffset /><fePointLight /><feSpecularLighting /><feSpotLight /><feTile /><feTurbulence /><foreignObject /><glyphRef /><linearGradient /><radialGradient /><textPath /></svg>';
$chars = preg_split('//u', $input, -1, PREG_SPLIT_NO_EMPTY);
$a = [];

array_push($a, ...$chars);
testcase.php (698 bytes)   
Operating System*
PHP Version7.4.0-7.4.4

Activities

trowbot

2020-11-02 03:18

reporter   ~0005489

GDB backtrace

gdb.txt (4,358 bytes)   
Starting program: /usr/bin/php -dzend_extension=/usr/lib/php/20190902/xdebug.so -dxdebug.mode=debug,develop -dxdebug.start_with_request=yes tests/testcase.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {0, 140737310997216, 93824999630352, 140737354006919, 1, 0, 140737346882752, 93824992275440, 
            140737488332160, 140737354038318, 140737308000344, 3, 140737308005504, 140737308000256, 93824999636328, 
            140737308000320}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007ffff764d859 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {93824997250000, 
              93824997251776, 6, 0, 0, 0, 0, 0, 93824995210752, 0, 93824995210752, 0, 0, 0, 0, 0}}, sa_flags = 0, 
          sa_restorer = 0x0}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007ffff76b83ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff77e2285 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:155
        ap = {{gp_offset = 24, fp_offset = 4294967295, overflow_arg_area = 0x7fffffffa510, 
            reg_save_area = 0x7fffffffa4a0}}
        fd = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
#3  0x00007ffff76c047c in malloc_printerr (str=str@entry=0x7ffff77e4690 "double free or corruption (!prev)")
    at malloc.c:5347
No locals.
#4  0x00007ffff76c212c in _int_free (av=0x7ffff7813b80 <main_arena>, p=0x555555c63e80, have_lock=<optimized out>)
    at malloc.c:4317
        size = 2224
        fb = <optimized out>
        nextchunk = 0x555555c64730
        nextsize = <optimized out>
        nextinuse = <optimized out>
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
        __PRETTY_FUNCTION__ = "_int_free"
#5  0x00007ffff569d56e in function_stack_entry_dtor (elem=0x555555c62610) at /tmp/pear/temp/xdebug/src/base/base.c:129
        i = <optimized out>
        e = 0x555555c62610
#6  0x00007ffff569ed60 in xdebug_vector_pop (v=0x555555c60b10) at /tmp/pear/temp/xdebug/src/lib/vector.h:64
No locals.
#7  xdebug_execute_internal (current_execute_data=<optimized out>, return_value=0x7fffffffa660) at /tmp/pear/temp/xdebug/src/base/base.c:920
        edata = <optimized out>
        fse = 0x555555c62610
        function_nr = 2
        function_call_traced = <optimized out>
        restore_error_handler_situation = 0
        tmp_error_cb = 0x0
#8  0x00005555558801e0 in execute_ex ()
No symbol table info available.
#9  0x00007ffff569e57b in xdebug_execute_ex (execute_data=0x7ffff5413020) at /tmp/pear/temp/xdebug/src/base/base.c:783
        op_array = 0x7ffff547e500
        edata = <optimized out>
        fse = 0x555555c62550
        function_nr = 0
        code_coverage_function_name = 0x0
        code_coverage_filename = 0x0
        code_coverage_init = 0
#10 0x000055555588314b in zend_execute ()
No symbol table info available.
#11 0x00005555557fa1ec in zend_execute_scripts ()
No symbol table info available.
#12 0x0000555555799ed0 in php_execute_script ()
No symbol table info available.
#13 0x0000555555885282 in ?? ()
No symbol table info available.
#14 0x0000555555661938 in ?? ()
No symbol table info available.
#15 0x00007ffff764f0b3 in __libc_start_main (main=0x555555661530, argc=5, argv=0x7fffffffe088, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe078) at ../csu/libc-start.c:308
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {93824995615712, 1032218154151072225, 93824993335984, 140737488347264, 0, 0, -1032218155216121375, -1032236665173945887}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x5, 0x7fffffffe088}, data = {prev = 0x0, cleanup = 0x0, canceltype = 5}}}
        not_first_call = <optimized out>
#16 0x0000555555661ade in _start ()
No symbol table info available.
gdb.txt (4,358 bytes)   

derick

2020-11-02 08:33

administrator   ~0005490

I can reproduce this. Valgrind shows the following:


==1904314== Invalid write of size 8
==1904314== at 0x8B4F918: collect_params_internal (base.c:429)
==1904314== by 0x8B500F5: xdebug_add_stack_frame (base.c:653)
==1904314== by 0x8B5092C: xdebug_execute_internal (base.c:860)
==1904314== by 0x97E6EC: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1620)
==1904314== by 0x9DF2B3: execute_ex (zend_vm_execute.h:53787)
==1904314== by 0x8B50620: xdebug_execute_ex (base.c:783)
==1904314== by 0x9E3350: zend_execute (zend_vm_execute.h:57883)
==1904314== by 0x90FC84: zend_execute_scripts (zend.c:1677)
==1904314== by 0x87A4C5: php_execute_script (main.c:2621)
==1904314== by 0x9E5CD9: do_cli (php_cli.c:964)
==1904314== by 0x9E6C71: main (php_cli.c:1359)
==1904314== Address 0x8d7f738 is 8 bytes after a block of size 2,208 alloc'd
==1904314== at 0x483877F: malloc (vg_replace_malloc.c:307)
==1904314== by 0x8B4F72E: collect_params_internal (base.c:391)
==1904314== by 0x8B500F5: xdebug_add_stack_frame (base.c:653)
==1904314== by 0x8B5092C: xdebug_execute_internal (base.c:860)
==1904314== by 0x97E6EC: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1620)
==1904314== by 0x9DF2B3: execute_ex (zend_vm_execute.h:53787)
==1904314== by 0x8B50620: xdebug_execute_ex (base.c:783)
==1904314== by 0x9E3350: zend_execute (zend_vm_execute.h:57883)
==1904314== by 0x90FC84: zend_execute_scripts (zend.c:1677)
==1904314== by 0x87A4C5: php_execute_script (main.c:2621)
==1904314== by 0x9E5CD9: do_cli (php_cli.c:964)
==1904314== by 0x9E6C71: main (php_cli.c:1359)
==1904314==
==1904314== Invalid write of size 4
==1904314== at 0x8B4F922: collect_params_internal (base.c:429)
==1904314== by 0x8B500F5: xdebug_add_stack_frame (base.c:653)
==1904314== by 0x8B5092C: xdebug_execute_internal (base.c:860)
==1904314== by 0x97E6EC: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1620)
==1904314== by 0x9DF2B3: execute_ex (zend_vm_execute.h:53787)
==1904314== by 0x8B50620: xdebug_execute_ex (base.c:783)
==1904314== by 0x9E3350: zend_execute (zend_vm_execute.h:57883)
==1904314== by 0x90FC84: zend_execute_scripts (zend.c:1677)
==1904314== by 0x87A4C5: php_execute_script (main.c:2621)
==1904314== by 0x9E5CD9: do_cli (php_cli.c:964)
==1904314== by 0x9E6C71: main (php_cli.c:1359)
==1904314== Address 0x8d7f740 is 16 bytes after a block of size 2,208 alloc'd
==1904314== at 0x483877F: malloc (vg_replace_malloc.c:307)
==1904314== by 0x8B4F72E: collect_params_internal (base.c:391)
==1904314== by 0x8B500F5: xdebug_add_stack_frame (base.c:653)
==1904314== by 0x8B5092C: xdebug_execute_internal (base.c:860)
==1904314== by 0x97E6EC: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1620)
==1904314== by 0x9DF2B3: execute_ex (zend_vm_execute.h:53787)
==1904314== by 0x8B50620: xdebug_execute_ex (base.c:783)
==1904314== by 0x9E3350: zend_execute (zend_vm_execute.h:57883)
==1904314== by 0x90FC84: zend_execute_scripts (zend.c:1677)
==1904314== by 0x87A4C5: php_execute_script (main.c:2621)
==1904314== by 0x9E5CD9: do_cli (php_cli.c:964)
==1904314== by 0x9E6C71: main (php_cli.c:1359)

derick

2020-11-13 17:18

administrator   ~0005526

https://github.com/xdebug/xdebug/pull/686

Issue History

Date Modified Username Field Change
2020-11-02 02:36 trowbot New Issue
2020-11-02 02:36 trowbot File Added: testcase.php
2020-11-02 03:18 trowbot File Added: gdb.txt
2020-11-02 03:18 trowbot Note Added: 0005489
2020-11-02 08:33 derick Assigned To => derick
2020-11-02 08:33 derick Status new => confirmed
2020-11-02 08:33 derick Note Added: 0005490
2020-11-03 16:44 derick Target Version => 3.0.0RC1
2020-11-03 16:44 derick Operating System Windows 10 20H2 => *
2020-11-13 17:18 derick Status confirmed => assigned
2020-11-13 17:18 derick Summary double free or corruption (!prev) => Overflow with large amounts of elements for variadics
2020-11-13 17:18 derick Note Added: 0005526
2020-11-14 00:38 derick Status assigned => closed
2020-11-14 00:38 derick Resolution open => fixed
2020-11-14 00:38 derick Fixed in Version => 3.0.0RC1