
heap buffer overflow in optimizer #21404

@chongwick

Description


The following code (run under an ASan build with opcache and the tracing JIT enabled — see the full command line below the sanitizer report):

<?php
function f_0() {
    // This function is never called from the script. Per the sanitizer trace the
    // crash happens while opcache persists the freshly compiled script
    // (zend_persist_op_array -> zend_jit_op_array -> zend_build_cfg), i.e. before
    // any user code executes, so only the shape of the compiled op_array matters.
    $x = 7;
    $y = [&$x];          // array holding a reference; $y is an array, never an int
    if (true) {
        // Constant-true branch that always returns: the second `if` below can
        // never be reached. NOTE(review): presumably this constant-condition /
        // unreachable-tail layout is what trips the CFG builder at
        // zend_cfg.c:401 -- confirm by bisecting the reproducer.
        // `match` compares with ===, so an array would never match 1 or 6 and
        // this would throw UnhandledMatchError if it ever ran; it does not.
        return match($y){1,6=>0};
    }
    if (!true) {
        // Dead code (condition is constant false and the branch above returned).
        return 0;
    }
}
// Everything below looks like fuzzer-generated filler (undefined classes C and
// MyClass, undefined "callback", optional extensions sysvshm/intl/gmp). None of
// it runs: the sanitizer abort occurs during opcache persistence of the compiled
// script, before execution starts. NOTE(review): it is not visible from the trace
// whether the faulting op_array is f_0 or the main script -- worth minimizing.
$contents = <<<EOS
"A", "B", "C"
"D", "E", "F"
EOS;
// SplTempFileObject with no size argument keeps the data in memory.
$file = new SplTempFileObject;
$file->fwrite($contents);
// shm_attach(1) uses a fixed, system-wide SysV IPC key and shm_put_var stores a
// serialized value in that segment; acceptable in a crash reproducer, not
// something to copy into real code. Class C is not defined here.
$mem = shm_attach(1);
shm_put_var($mem, 1, new C);
// MyClass and "callback" are undefined; would fatal if reached.
$input = new MyClass(10);
var_dump( array_walk($input, "callback", 1));
// Requires ext/intl and ext/gmp; unrelated to the optimizer crash.
$intlcal = new IntlGregorianCalendar(2012, 1, 29, 16, 7, 8);
var_dump($intlcal->getTime(), (float)strtotime('2012-02-29 16:07:08') * 1000);
var_dump(gmp_rootrem(-100, 4));
// Unused php-fpm style config text with {{...}} placeholders; just a string.
$cfg = <<<EOT
[global]
error_log = {{FILE:LOG}}
pid = {{FILE:PID}}
[unconfined]
listen = {{ADDR}}
access.log=/dev/stderr
ping.path = /ping
ping.response = pong
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOT;

Resulted in this output (a 4-byte out-of-bounds heap read in zend_build_cfg, reached while opcache persists the compiled script — zend_persist_op_array → zend_jit_op_array → zend_build_cfg — so it is triggered at compile/cache time, before the script executes):

=================================================================
==270974==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000200c4 at pc 0x0000055497fb bp 0x7ffe436da1a0 sp 0x7ffe436da198
READ of size 4 at 0x6020000200c4 thread T0
    #0 0x55497fa in zend_build_cfg /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_cfg.c:401:6
    #1 0x30396cd in zend_jit_build_cfg /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit.c:1078:2
    #2 0x2c3d3d3 in zend_jit_setup_hot_trace_counters /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8963:7
    #3 0x2c3a936 in zend_jit_op_array /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit.c:3370:10
    #4 0x2413ace in zend_persist_op_array /home/w023dtc/nightly_php/php-src/ext/opcache/zend_persist.c:727:4
    #5 0x24098a0 in zend_accel_script_persist /home/w023dtc/nightly_php/php-src/ext/opcache/zend_persist.c:1463:3
    #6 0x24704f3 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1671:26
    #7 0x245d984 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2208:24
    #8 0x696a8f0 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1972:28
    #9 0x51a5a1a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
    #10 0x51a6b58 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
    #11 0x697fa1a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
    #12 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
    #13 0x147afa3dad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x147afa3dae3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x607b54 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x607b54)

0x6020000200c4 is located 4 bytes to the right of 16-byte region [0x6020000200b0,0x6020000200c0)
allocated by thread T0 here:
    #0 0x682a1d in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x682a1d)
    #1 0x5824923 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3544:14
    #2 0x5823089 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2779:10
    #3 0x55644cd in zend_arena_alloc /home/w023dtc/nightly_php/php-src/Zend/zend_arena.h:172:25
    #4 0x5553df9 in zend_arena_calloc /home/w023dtc/nightly_php/php-src/Zend/zend_arena.h:185:8
    #5 0x5542b33 in zend_build_cfg /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_cfg.c:286:25
    #6 0x30396cd in zend_jit_build_cfg /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit.c:1078:2
    #7 0x2c3d3d3 in zend_jit_setup_hot_trace_counters /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit_trace.c:8963:7
    #8 0x2c3a936 in zend_jit_op_array /home/w023dtc/nightly_php/php-src/ext/opcache/jit/zend_jit.c:3370:10
    #9 0x2413ace in zend_persist_op_array /home/w023dtc/nightly_php/php-src/ext/opcache/zend_persist.c:727:4
    #10 0x24098a0 in zend_accel_script_persist /home/w023dtc/nightly_php/php-src/ext/opcache/zend_persist.c:1463:3
    #11 0x24704f3 in cache_script_in_shared_memory /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:1671:26
    #12 0x245d984 in persistent_compile_file /home/w023dtc/nightly_php/php-src/ext/opcache/ZendAccelerator.c:2208:24
    #13 0x696a8f0 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1972:28
    #14 0x51a5a1a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2648:13
    #15 0x51a6b58 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2688:9
    #16 0x697fa1a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:949:5
    #17 0x6979dff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1360:18
    #18 0x147afa3dad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/w023dtc/nightly_php/php-src/Zend/Optimizer/zend_cfg.c:401:6 in zend_build_cfg
Shadow bytes around the buggy address:
  0x0c047fffbfc0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fffbfd0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffbfe0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffbff0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fffc000: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
=>0x0c047fffc010: fa fa fd fa fa fa 00 00[fa]fa fa fa fa fa fa fa
  0x0c047fffc020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==270974==ABORTING
USE_ZEND_ALLOC=0 php -d "memory_limit = -1" -d "zend.assertions = 1" -d "display_errors = On" -d "display_startup_errors = On" -d "opcache.memory_consumption=4096M" -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit=tracing" -d "opcache.validate_timestamps=0" -d "opcache.jit_buffer_size=128M" -d "opcache.file_update_protection=0" -d "opcache.max_accelerated_files=1000000" -d "opcache.interned_strings_buffer=64" -d "opcache.jit_prof_threshold=0.000000001" -d "opcache.jit_max_root_traces=  100000" -d "opcache.jit_max_side_traces=  100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_blacklist_root_trace=255" -d "opcache.jit_blacklist_side_trace=255" -d "opcache.protect_memory=1" script.php

PHP Version

nightly

Operating System

No response
