Closed
Description
The following code:
<?php
require_once __DIR__ . DIRECTORY_SEPARATOR . 'test_offset_helpers.inc';
$fusion = $offsets;
$r = deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => $fusion]);
Resulted in this output:
=================================================================
==2278709==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000264 at pc 0x55876106cf42 bp 0x7ffd9ea46bb0 sp 0x7ffd9ea46ba8
READ of size 4 at 0x603000000264 thread T0
#0 0x55876106cf41 in zend_mm_free_heap /php-src/Zend/zend_alloc.c:1528:28
#1 0x558761072825 in _efree /php-src/Zend/zend_alloc.c:2751:2
#2 0x55875e2bcdb2 in zlib_create_dictionary_string /php-src/ext/zlib/zlib.c:816:9
#3 0x55875e2c41af in zif_deflate_init /php-src/ext/zlib/zlib.c:1134:7
#4 0x55876190eda3 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /php-src/Zend/zend_vm_execute.h:1363:2
#5 0x558761443713 in execute_ex /php-src/Zend/zend_vm_execute.h:58565:7
#6 0x558761445872 in zend_execute /php-src/Zend/zend_vm_execute.h:64217:2
#7 0x558762145b01 in zend_execute_script /php-src/Zend/zend.c:1928:3
#8 0x558760a56798 in php_execute_script_ex /php-src/main/main.c:2574:13
#9 0x558760a57858 in php_execute_script /php-src/main/main.c:2614:9
#10 0x558762159276 in do_cli /php-src/sapi/cli/php_cli.c:935:5
#11 0x558762153944 in main /php-src/sapi/cli/php_cli.c:1310:18
#12 0x7f44ab6a7d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#13 0x7f44ab6a7e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
#14 0x55875da06db4 in _start (/php-src/sapi/cli/php+0x2606db4) (BuildId: 10f0f1f073ebe7bcaf9944c9da559b10d59463b0)
0x603000000264 is located 2 bytes to the right of 18-byte region [0x603000000250,0x603000000262)
allocated by thread T0 here:
#0 0x55875da8c7de in malloc (/php-src/sapi/cli/php+0x268c7de) (BuildId: 10f0f1f073ebe7bcaf9944c9da559b10d59463b0)
#1 0x7f44aaa9fee7 (/lib/x86_64-linux-gnu/libtasn1.so.6+0x3ee7) (BuildId: 2fde6ecb43c586fe4077118f771077aa1298e7ea)
SUMMARY: AddressSanitizer: heap-buffer-overflow /php-src/Zend/zend_alloc.c:1528:28 in zend_mm_free_heap
Shadow bytes around the buggy address:
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff8000: fa fa fd fd fd fa fa fa 00 00 00 00 fa fa 00 00
0x0c067fff8010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff8020: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c067fff8030: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
=>0x0c067fff8040: 00 fa fa fa 00 00 00 02 fa fa 00 00[02]fa fa fa
0x0c067fff8050: 00 00 06 fa fa fa 00 00 00 02 fa fa 00 00 02 fa
0x0c067fff8060: fa fa 00 00 00 02 fa fa 00 00 00 02 fa fa 00 00
0x0c067fff8070: 06 fa fa fa 00 00 04 fa fa fa 00 00 00 fa fa fa
0x0c067fff8080: 00 00 04 fa fa fa 00 00 05 fa fa fa 00 00 01 fa
0x0c067fff8090: fa fa 00 00 01 fa fa fa 00 00 04 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2278709==ABORTING
PHP Version
PHP 8.4.0-dev
Operating System
ubuntu 22.04
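The repro above passes whatever `test_offset_helpers.inc` puts in `$offsets` straight into the `dictionary` option, and the free in `zlib_create_dictionary_string` trips ASan. As an added example (not the reporter's repro and not php-src code), the script below shows the documented shape of that option, a string or an array of strings, guards the array before it reaches the extension, and then round-trips data through `deflate_add()`/`inflate_add()` with the same preset dictionary. The function names and the sample dictionary are this example's own and are constructed for illustration.

```php
<?php
// Added example, not the reporter's code or php-src code. The helper names here are
// assumptions chosen for this illustration.

/**
 * Accept only non-empty strings for the preset dictionary. deflate_init() documents
 * the option as "a string or an array of strings", so anything else is rejected here
 * rather than being handed to the extension.
 */
function validated_dictionary(array $entries): array
{
    $clean = [];
    foreach ($entries as $key => $entry) {
        if (!is_string($entry) || $entry === '') {
            throw new InvalidArgumentException(
                "dictionary entry " . var_export($key, true) . " must be a non-empty string"
            );
        }
        $clean[] = $entry;
    }
    if ($clean === []) {
        throw new InvalidArgumentException("dictionary must contain at least one entry");
    }
    return $clean;
}

/** Compress and decompress with a shared preset dictionary; returns the recovered payload. */
function roundtrip_with_dictionary(string $payload, array $dictionary): string
{
    $dict = validated_dictionary($dictionary);

    $deflate = deflate_init(ZLIB_ENCODING_DEFLATE, ['dictionary' => $dict]);
    if ($deflate === false) {
        throw new RuntimeException('deflate_init failed');
    }
    $compressed = deflate_add($deflate, $payload, ZLIB_FINISH);
    if ($compressed === false) {
        throw new RuntimeException('deflate_add failed');
    }

    // The decompressing side must supply the identical dictionary, or inflate fails.
    $inflate = inflate_init(ZLIB_ENCODING_DEFLATE, ['dictionary' => $dict]);
    if ($inflate === false) {
        throw new RuntimeException('inflate_init failed');
    }
    $recovered = inflate_add($inflate, $compressed, ZLIB_FINISH);
    if ($recovered === false) {
        throw new RuntimeException('inflate_add failed');
    }
    return $recovered;
}

// Constructed sample input: a dictionary of strings the payload is likely to contain.
$dictionary = ['GET /index.html HTTP/1.1', 'Host: example.test', 'Accept: text/html'];
$payload = "GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n";

$out = roundtrip_with_dictionary($payload, $dictionary);
var_dump($out === $payload);

// A mixed-type array, the kind a fuzz harness or an untrusted caller might supply,
// is rejected by the wrapper before deflate_init() ever sees it.
try {
    roundtrip_with_dictionary($payload, ['ok', 42, null]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The wrapper does not fix the extension; it only keeps malformed option values out of it. The actual defect is in `ext/zlib/zlib.c` (`zlib_create_dictionary_string`, line 816 in the trace), which is where the fix belongs.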