View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001875 | Xdebug | Step Debugging | public | 2020-11-02 02:36 | 2020-11-14 00:38 |
| Reporter | trowbot | Assigned To | derick | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Platform | Windows (WSL) | OS | Ubuntu | OS Version | 20.04.1 |
| Product Version | 3.0.0beta1 | ||||
| Target Version | 3.0.0RC1 | Fixed in Version | 3.0.0RC1 | ||
| Summary | 0001875: Overflow with large amounts of elements for variadics | ||||
| Description | Script crashes on the array_push() call, which results in the message "double free or corruption (!prev)". Script appears to run fine when removing "develop" from xdebug.mode. | ||||
| Steps To Reproduce | Run the following command, substituting the xdebug location and test file location for your system: | ||||
| Additional Information | php -dzend_extension=/usr/lib/php/20190902/xdebug.so -dxdebug.mode=debug,develop -dxdebug.start_with_request=yes testcase.php php -v | ||||
| Tags | No tags attached. | ||||
| Attached Files | testcase.php (698 bytes)
<?php
$input = '<!DOCTYPE html><body><svg><altGlyph /><altGlyphDef /><altGlyphItem /><animateColor /><animateMotion /><animateTransform /><clipPath /><feBlend /><feColorMatrix /><feComponentTransfer /><feComposite /><feConvolveMatrix /><feDiffuseLighting /><feDisplacementMap /><feDistantLight /><feFlood /><feFuncA /><feFuncB /><feFuncG /><feFuncR /><feGaussianBlur /><feImage /><feMerge /><feMergeNode /><feMorphology /><feOffset /><fePointLight /><feSpecularLighting /><feSpotLight /><feTile /><feTurbulence /><foreignObject /><glyphRef /><linearGradient /><radialGradient /><textPath /></svg>';
$chars = preg_split('//u', $input, -1, PREG_SPLIT_NO_EMPTY);
$a = [];
array_push($a, ...$chars);
| ||||
| Operating System | * | ||||
| PHP Version | 7.4.0-7.4.4 | ||||
|
|
GDB backtrace gdb.txt (4,358 bytes)
Starting program: /usr/bin/php -dzend_extension=/usr/lib/php/20190902/xdebug.so -dxdebug.mode=debug,develop -dxdebug.start_with_request=yes tests/testcase.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
set = {__val = {0, 140737310997216, 93824999630352, 140737354006919, 1, 0, 140737346882752, 93824992275440,
140737488332160, 140737354038318, 140737308000344, 3, 140737308005504, 140737308000256, 93824999636328,
140737308000320}}
pid = <optimized out>
tid = <optimized out>
ret = <optimized out>
#1 0x00007ffff764d859 in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {93824997250000,
93824997251776, 6, 0, 0, 0, 0, 0, 93824995210752, 0, 93824995210752, 0, 0, 0, 0, 0}}, sa_flags = 0,
sa_restorer = 0x0}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007ffff76b83ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff77e2285 "%s\n")
at ../sysdeps/posix/libc_fatal.c:155
ap = {{gp_offset = 24, fp_offset = 4294967295, overflow_arg_area = 0x7fffffffa510,
reg_save_area = 0x7fffffffa4a0}}
fd = <optimized out>
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
#3 0x00007ffff76c047c in malloc_printerr (str=str@entry=0x7ffff77e4690 "double free or corruption (!prev)")
at malloc.c:5347
No locals.
#4 0x00007ffff76c212c in _int_free (av=0x7ffff7813b80 <main_arena>, p=0x555555c63e80, have_lock=<optimized out>)
at malloc.c:4317
size = 2224
fb = <optimized out>
nextchunk = 0x555555c64730
nextsize = <optimized out>
nextinuse = <optimized out>
prevsize = <optimized out>
bck = <optimized out>
fwd = <optimized out>
__PRETTY_FUNCTION__ = "_int_free"
#5 0x00007ffff569d56e in function_stack_entry_dtor (elem=0x555555c62610) at /tmp/pear/temp/xdebug/src/base/base.c:129
i = <optimized out>
e = 0x555555c62610
#6 0x00007ffff569ed60 in xdebug_vector_pop (v=0x555555c60b10) at /tmp/pear/temp/xdebug/src/lib/vector.h:64
No locals.
#7 xdebug_execute_internal (current_execute_data=<optimized out>, return_value=0x7fffffffa660) at /tmp/pear/temp/xdebug/src/base/base.c:920
edata = <optimized out>
fse = 0x555555c62610
function_nr = 2
function_call_traced = <optimized out>
restore_error_handler_situation = 0
tmp_error_cb = 0x0
#8 0x00005555558801e0 in execute_ex ()
No symbol table info available.
#9 0x00007ffff569e57b in xdebug_execute_ex (execute_data=0x7ffff5413020) at /tmp/pear/temp/xdebug/src/base/base.c:783
op_array = 0x7ffff547e500
edata = <optimized out>
fse = 0x555555c62550
function_nr = 0
code_coverage_function_name = 0x0
code_coverage_filename = 0x0
code_coverage_init = 0
#10 0x000055555588314b in zend_execute ()
No symbol table info available.
#11 0x00005555557fa1ec in zend_execute_scripts ()
No symbol table info available.
#12 0x0000555555799ed0 in php_execute_script ()
No symbol table info available.
#13 0x0000555555885282 in ?? ()
No symbol table info available.
#14 0x0000555555661938 in ?? ()
No symbol table info available.
#15 0x00007ffff764f0b3 in __libc_start_main (main=0x555555661530, argc=5, argv=0x7fffffffe088, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe078) at ../csu/libc-start.c:308
self = <optimized out>
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {93824995615712, 1032218154151072225, 93824993335984, 140737488347264, 0, 0, -1032218155216121375, -1032236665173945887}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x5, 0x7fffffffe088}, data = {prev = 0x0, cleanup = 0x0, canceltype = 5}}}
not_first_call = <optimized out>
#16 0x0000555555661ade in _start ()
No symbol table info available.
|
|
|
I can reproduce this. Valgrind shows the following: <pre> |
|
|
|
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-11-02 02:36 | trowbot | New Issue | |
| 2020-11-02 02:36 | trowbot | File Added: testcase.php | |
| 2020-11-02 03:18 | trowbot | File Added: gdb.txt | |
| 2020-11-02 03:18 | trowbot | Note Added: 0005489 | |
| 2020-11-02 08:33 | derick | Assigned To | => derick |
| 2020-11-02 08:33 | derick | Status | new => confirmed |
| 2020-11-02 08:33 | derick | Note Added: 0005490 | |
| 2020-11-03 16:44 | derick | Target Version | => 3.0.0RC1 |
| 2020-11-03 16:44 | derick | Operating System | Windows 10 20H2 => * |
| 2020-11-13 17:18 | derick | Status | confirmed => assigned |
| 2020-11-13 17:18 | derick | Summary | double free or corruption (!prev) => Overflow with large amounts of elements for variadics |
| 2020-11-13 17:18 | derick | Note Added: 0005526 | |
| 2020-11-14 00:38 | derick | Status | assigned => closed |
| 2020-11-14 00:38 | derick | Resolution | open => fixed |
| 2020-11-14 00:38 | derick | Fixed in Version | => 3.0.0RC1 |
