ID:               42817
 User updated by:  victor dot stinner at inl dot fr
 Reported By:      victor dot stinner at inl dot fr
 Status:           Open
 Bug Type:         Scripting Engine problem
 Operating System: Linux
 PHP Version:      5.2.4
 New Comment:

Hum, I forgot to specify the PHP version: 5.2.4 (latest). I compiled it 
from source with "./configure --enable-debug" to 
detect the overflow.

Victor Stinner


Previous Comments:
------------------------------------------------------------------------

[2007-10-01 17:13:42] victor dot stinner at inl dot fr

Description:
------------
Hi,

I found a critical bug (security issue) in my web application. The 
code to reproduce it is quite simple (see above). With apache, the 
result is a line in error.log: [notice] child pid 14988 exit signal 
Segmentation fault (11).

My config: Ubuntu Feisty on Intel Celeron M 420 (32-bit).

Victor Stinner
http://www.inl.fr/

Reproduce code:
---------------
<?php $a = clone(null); array_push($a->b, $c); ?>

Expected result:
----------------
no crash

Actual result:
--------------
Warning: array_push(): First argument should be an array in 
crash.php on line 3
---------------------------------------
/home/haypo/php-5.2.4/Zend/zend_variables.c(175) : Block 0x084774b8 
status:
/home/haypo/php-5.2.4/Zend/zend_execute.h(70) : Actual location 
(location was relayed)
Beginning:      Freed (magic=0x00000000, expected=0x99954317)
    Start:      Overflown (magic=0x084774A4 instead of 0x496A04CC)
                At least 4 bytes overflown
      End:      Overflown (magic=0x00000000 instead of 0x39D5CB7E)
                At least 4 bytes overflown
---------------------------------------



------------------------------------------------------------------------
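The reporter's one-liner hands `$a->b` to `array_push()` by reference when `$a` is not an object at all (`clone(null)` does not produce one). The following is an added example, not code from the bug report or from PHP itself: it shows the same operation with every assumption checked first, so a non-object container is refused and a missing property is created as a real array before the by-reference call. The helper name `safe_push()` and the sample values are assumptions of this example.

```php
<?php
// Added example, not part of the original bug report.
// safe_push() is a hypothetical helper: it only calls array_push() once it
// has verified that $container is an object and that the named property
// holds a genuine array, which is what array_push() expects by reference.

function safe_push(&$container, $prop, $value)
{
    // clone of a non-object yields nothing usable; require a real object.
    if (!is_object($container)) {
        return false;
    }
    // Create the property as an empty array if it is missing or not an
    // array, so array_push() always receives an array reference.
    if (!isset($container->$prop) || !is_array($container->$prop)) {
        $container->$prop = array();
    }
    return array_push($container->$prop, $value);
}

// The reporter's scenario, guarded: null is not an object, so it is not
// cloned and the push is refused instead of reaching array_push().
$src = null;
$a = is_object($src) ? clone $src : null;
var_dump(safe_push($a, 'b', 1));

// A real object: the missing property 'b' is created and the value pushed.
$obj = new stdClass();
var_dump(safe_push($obj, 'b', 1));
var_dump($obj->b);
```

The point of the guard is that `array_push()` takes its first argument by reference, so whatever expression is passed must already be an array before the call; checking `is_object()` and `is_array()` up front keeps the engine from ever handling an undefined reference.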

