Skip to content

SEGV SplTempFileObject ftruncate negative #17463

Closed
@YuanchengJiang

Description

@YuanchengJiang

Description

The following code:

<?php
$cls = new SplTempFileObject();
$num = -1;
$cls->ftruncate($num);

Resulted in this output:

=================================================================
==2613696==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x67fe49 in __asan_memset (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x67fe49)
    #1 0x3630f10 in php_stream_memory_set_option /home/phpfuzz/WorkSpace/flowfusion/php-src/main/streams/memory.c:244:7
    #2 0x365e9ea in _php_stream_set_option /home/phpfuzz/WorkSpace/flowfusion/php-src/main/streams/streams.c:1434:9
    #3 0x3634a5e in php_stream_temp_set_option /home/phpfuzz/WorkSpace/flowfusion/php-src/main/streams/memory.c:528:12
    #4 0x365e9ea in _php_stream_set_option /home/phpfuzz/WorkSpace/flowfusion/php-src/main/streams/streams.c:1434:9
    #5 0x3668d5b in _php_stream_truncate_set_size /home/phpfuzz/WorkSpace/flowfusion/php-src/main/streams/streams.c:1474:9
    #6 0x2aad626 in zim_SplFileObject_ftruncate /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/spl/spl_directory.c:2694:2
    #7 0x427b93e in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1919:4
    #8 0x3f9d527 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #9 0x3f9f7ac in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #10 0x4d3bcd9 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
    #11 0x353f27a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
    #12 0x35403b8 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
    #13 0x4d4ffea in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #14 0x4d4a4cf in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #15 0x7fcad9dd3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x7fcad9dd3e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #17 0x605934 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605934)

Address 0x7fcad36501d8 is a wild pointer.
SUMMARY: AddressSanitizer: negative-size-param (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x67fe49) in __asan_memset
==2613696==ABORTING

PHP Version

nightly

Operating System

No response

Metadata

Metadata

Assignees

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions