
Segmentation fault ext/zip/php_zip.c #17138

Open
YuanchengJiang opened this issue Dec 13, 2024 · 4 comments

Comments

@YuanchengJiang

Description

The following code:

I cannot reproduce ;(

<?php
class C {
    public static $p;
}
try {
    new ReflectionProperty();
} catch (TypeError $re) {
    echo "Ok - ".$re->getMessage().PHP_EOL;
}
try {
    new ReflectionProperty('C::p');
} catch (TypeError $re) {
    echo "Ok - ".$re->getMessage().PHP_EOL;
}
try {
    new ReflectionProperty('C', 'p', 'x');
} catch (TypeError $re) {
    echo "Ok - ".$re->getMessage().PHP_EOL;
}
$fusion = $clsAttr;
$dirname = __DIR__ . '/';
include $dirname . 'utils.inc';
$file = $dirname . 'oo_setcomment.zip';
@unlink($fusion);
$zip = new ZipArchive;
if (!$zip->open($file, ZIPARCHIVE::CREATE)) {
    exit('failed');
}
$zip->addFromString('entry1.txt', 'entry #1');
$zip->addFromString('entry2.txt', 'entry #2');
$zip->addFromString('dir/entry2d.txt', 'entry #2');
$zip->addFromString('entry4.txt', 'entry #1');
var_dump($zip->setCommentIndex($zip->lastId, 'entry4.txt'));
$zip->addFromString('entry5.txt', 'entry #2');
var_dump($zip->setCommentIndex($zip->lastId, 'entry5.txt'));
var_dump($zip->setCommentName('entry1.txt', 'entry1.txt'));
var_dump($zip->setCommentName('entry2.txt', 'entry2.txt'));
var_dump($zip->setCommentName('dir/entry2d.txt', 'dir/entry2d.txt'));
var_dump($zip->setArchiveComment('archive'));
var_dump($zip->setArchiveComment('archive'));
if (!$zip->status == ZIPARCHIVE::ER_OK) {
    echo "failed to write zip\n";
}
$zip->close();
if (!$zip->open($file)) {
    @unlink($file);
    exit('failed');
}
var_dump($zip->getCommentIndex(0));
var_dump($zip->getCommentIndex(1));
var_dump($zip->getCommentIndex(2));
var_dump($zip->getCommentIndex(3));
var_dump($zip->getCommentIndex(4));
var_dump($zip->getArchiveComment());
$zip->close();
@unlink($file);
var_dump(get_defined_vars());
try {array_key_first($p);} catch (Exception $e) { echo($e); }
try {array_key_first($file);} catch (Exception $e) { echo($e); }
try {array_key_first($p);} catch (Exception $e) { echo($e); }
try {array_key_first($p);} catch (Exception $e) { echo($e); }
try {array_key_first($p);} catch (Exception $e) { echo($e); }
try {array_key_first($re);} catch (Exception $e) { echo($e); }
try {array_key_first($re);} catch (Exception $e) { echo($e); }
try {array_key_first($dirname);} catch (Exception $e) { echo($e); }
try {array_key_first($zip);} catch (Exception $e) { echo($e); }
try {array_key_first($fusion);} catch (Exception $e) { echo($e); }

Resulted in this output:

Ok - ReflectionProperty::__construct() expects exactly 2 arguments, 0 given
Ok - ReflectionProperty::__construct() expects exactly 2 arguments, 1 given
Ok - ReflectionProperty::__construct() expects exactly 2 arguments, 3 given

Warning: Undefined variable $clsAttr in /home/phpfuzz/WorkSpace/flowfusion/php-src/tests/fused/fused1488.php on line 20
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2423054==ERROR: AddressSanitizer: SEGV on unknown address 0x00004a00002b (pc 0x7feb5e826d79 bp 0x7fff3f7441d0 sp 0x7fff3f743968 T0)
==2423054==The signal is caused by a READ memory access.
    #0 0x7feb5e826d79  string/../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:413
    #1 0x61bffe in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x61bffe)
    #2 0x61c37a in memcmp (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x61c37a)
    #3 0x7feb5e8dd09e in zip_file_set_comment (/lib/x86_64-linux-gnu/libzip.so.4+0x709e)
    #4 0x3485c69 in zim_ZipArchive_setCommentIndex /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/zip/php_zip.c:2213:2
    #5 0x425da17 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:2037:4
    #6 0x3f7c167 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #7 0x3f7e3ec in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #8 0x4d15019 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
    #9 0x35298da in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
    #10 0x352aa18 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
    #11 0x4d2932a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #12 0x4d2380f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #13 0x7feb5e6b6d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7feb5e6b6e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x605934 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605934)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:413
==2423054==ABORTING

Env:

-d "opcache.cache_id=worker7" -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=30719" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=0" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "serialize_precision=-1" -d "memory_limit=128M" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "opcache.revalidate_freq=0" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_max_root_traces=100000" -d "opcache.jit_max_side_traces=100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.protect_memory=1" -d "zend.assertions=1" -d "zend.exception_ignore_args=0" -d "zend.exception_string_param_max_len=15" -d "short_open_tag=0" -d "extension_dir=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/" -d "zend_extension=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/opcache.so" -d "session.auto_start=0" -d "zlib.output_compression=Off" -d "session.sid_length=32"

PHP Version

nightly

Operating System

ubuntu 22.04

@devnexen
Member

Can't reproduce locally.

@remicollet
Member

And the segfault seems to be raised in libzip.

@cmb69
Member

cmb69 commented Dec 13, 2024

I cannot reproduce either.

@nielsdos
Member

Here neither.
@YuanchengJiang What libzip version did the reproducer reproduce with? Chances are that this might be a bug in libzip that was fixed in the meantime.
