Closed
Description
The following code (a fuzzer-fused variant of the php-src regression test for GHSA-9pqp-7h25-4f32):

```php
<?php
$cls = new Dom\Implementation();
class C {
    const myConst = 1;
}
$rc = new ReflectionClass("C");
echo "Check invalid params:\n";
var_dump($rc->getConstant(1));
var_dump($rc->getConstant(1.5));
var_dump($rc->getConstant(true));
// $clsAttr is never defined in this fused test, so $fusion is null here
// (see the "Undefined variable $clsAttr" warning in the output below).
$fusion = $clsAttr;
// Buffer fill unit used by the multipart parser; the loop below probes
// boundary lengths just around it.
const FILLUNIT = 5 * 1024;
function test($boundaryLen) {
    printf("Boundary len: %d\n", $boundaryLen);
    // Run the php-cgi binary under test (-n: no php.ini, -C: do not chdir)
    // against the GHSA-9pqp-7h25-4f32 include file.
    $cmd = [
        getenv('TEST_PHP_CGI_EXECUTABLE'),
        '-C',
        '-n',
        __DIR__ . '/GHSA-9pqp-7h25-4f32.inc',
    ];
    // Multipart body whose real boundary is $boundaryLen bytes of 'A';
    // the middle part contains a near-miss boundary (one byte short).
    $boundary = str_repeat('A', $boundaryLen);
    $body = ""
        . "--$boundary\r\n"
        . "Content-Disposition: form-data; name=\"koko\"\r\n"
        . "\r\n"
        . "BBB\r\n--" . substr($boundary, 0, -1) . "CCC\r\n"
        . "--$boundary--\r\n"
    ;
    // CGI environment for the POST. Note that the boundary parameter is
    // taken from $fusion, which is a global not imported into this function,
    // so it is undefined here and CONTENT_TYPE ends with "boundary=" (empty).
    $env = array_merge($_ENV, [
        'REDIRECT_STATUS' => '1',
        'CONTENT_TYPE' => "multipart/form-data; boundary=$fusion",
        'CONTENT_LENGTH' => strlen($body),
        'REQUEST_METHOD' => 'POST',
        'SCRIPT_FILENAME' => __DIR__ . '/GHSA-9pqp-7h25-4f32.inc',
    ]);
    // stdin is piped from us; stdout/stderr of the child go straight to our stdout.
    $spec = [
        0 => ['pipe', 'r'],
        1 => STDOUT,
        2 => STDOUT,
    ];
    $pipes = [];
    print "Starting...\n";
    $handle = proc_open($cmd, $spec, $pipes, getcwd(), $env);
    fwrite($pipes[0], $body);
    $status = proc_close($handle);
    print "\n";
}
// Boundary lengths FILLUNIT - 4 - 1, FILLUNIT - 4, FILLUNIT - 4 + 1 (5115, 5116, 5117).
for ($offset = -1; $offset <= 1; $offset++) {
    test(FILLUNIT - strlen("\r\n--") + $offset);
}
```
Resulted in this output:

```text
Check invalid params:
bool(false)
bool(false)
bool(false)
Warning: Undefined variable $clsAttr in /home/phpfuzz/WorkSpace/flowfusion/php-src/tests/fused/fused7885.php on line 11
Boundary len: 5115
Warning: Undefined variable $fusion in /home/phpfuzz/WorkSpace/flowfusion/php-src/tests/fused/fused7885.php on line 31
Starting...
/home/phpfuzz/WorkSpace/flowfusion/php-src/main/rfc1867.c:299:21: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:108:34: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/main/rfc1867.c:299:21 in
Boundary len: 5116
Warning: Undefined variable $fusion in /home/phpfuzz/WorkSpace/flowfusion/php-src/tests/fused/fused7885.php on line 31
Starting...
/home/phpfuzz/WorkSpace/flowfusion/php-src/main/rfc1867.c:299:21: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:108:34: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/main/rfc1867.c:299:21 in
Boundary len: 5117
Warning: Undefined variable $fusion in /home/phpfuzz/WorkSpace/flowfusion/php-src/tests/fused/fused7885.php on line 31
Starting...
/home/phpfuzz/WorkSpace/flowfusion/php-src/main/rfc1867.c:299:21: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:108:34: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/main/rfc1867.c:299:21 in
```
Config (php-cgi `-d` options used for the run):

```text
-d "opcache.cache_id=worker2" -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=30719" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=0" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "serialize_precision=-1" -d "memory_limit=128M" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "opcache.revalidate_freq=0" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_max_root_traces=100000" -d "opcache.jit_max_side_traces=100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.protect_memory=1" -d "zend.assertions=1" -d "zend.exception_ignore_args=0" -d "zend.exception_string_param_max_len=15" -d "short_open_tag=0" -d "extension_dir=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/" -d "zend_extension=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/opcache.so" -d "session.auto_start=0" -d "zlib.output_compression=Off" -d "session.cookie_httponly=0" -d "opcache.enable=1" -d "opcache.enable_cli=1" -d "opcache.jit=1213"
```
I cannot reproduce it (thus also cannot reduce it); not sure if it is enough for a fix.

PHP Version: nightly

Operating System: Ubuntu 22.04