Closed
Description
The following code:
<?php
$zip = zip_open(__DIR__."/test_procedural.zip");
// The entry resource returned by zip_read() is stored back into $zip, so the
// archive resource loses its last reference on the first iteration while the
// entry still points into memory owned by the archive; zip_entry_name() then
// reads that memory after it has been freed (see the ASan trace below).
while ($zip = zip_read($zip)) {
    echo zip_entry_name($zip)."\n";
}
Resulted in this output:
=================================================================
==2988798==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000198b0 at pc 0x000000617aa6 bp 0x7ffcae96fc10 sp 0x7ffcae96f3d0
READ of size 2 at 0x6020000198b0 thread T0
#0 0x617aa5 in strlen (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x617aa5)
#1 0x3469ed2 in php_zip_entry_get_info /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/zip/php_zip.c:1386:4
#2 0x346941e in zif_zip_entry_name /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/zip/php_zip.c:1425:2
#3 0x448fb1f in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1698:3
#4 0x3f7c167 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
#5 0x3f7e3ec in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
#6 0x4d15019 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
#7 0x35298da in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
#8 0x352aa18 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
#9 0x4d2932a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
#10 0x4d2380f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
#11 0x7f300a19fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x7f300a19fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#13 0x605934 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605934)
0x6020000198b0 is located 0 bytes inside of 4-byte region [0x6020000198b0,0x6020000198b4)
freed by thread T0 here:
#0 0x680592 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x680592)
#1 0x7f300a3c492e (/lib/x86_64-linux-gnu/libzip.so.4+0x592e)
previously allocated by thread T0 here:
#0 0x6807fd in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x6807fd)
#1 0x7f300a3d11b7 (/lib/x86_64-linux-gnu/libzip.so.4+0x121b7)
SUMMARY: AddressSanitizer: heap-use-after-free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x617aa5) in strlen
Shadow bytes around the buggy address:
0x0c047fffb2c0: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 00 fa
0x0c047fffb2d0: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
0x0c047fffb2e0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fa
0x0c047fffb2f0: fa fa fd fd fa fa 00 fa fa fa fd fd fa fa fd fa
0x0c047fffb300: fa fa fd fd fa fa 00 fa fa fa 00 06 fa fa fd fd
=>0x0c047fffb310: fa fa fd fa fa fa[fd]fa fa fa fd fd fa fa fd fa
0x0c047fffb320: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fffb330: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fffb340: fa fa fd fd fa fa fd fa fa fa 00 07 fa fa fd fd
0x0c047fffb350: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fa fa
0x0c047fffb360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2988798==ABORTING
Dependency: test_procedural.zip
PHP Version
nightly
Operating System
ubuntu 22.04
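For reference, here is the usage that does not trigger the problem the trace shows. This is an added example, not the reporter's reproducer and not code from php-src. It keeps the archive resource alive in its own variable until every entry has been consumed, so the entry name string (the 4-byte region that `strlen` in `php_zip_entry_get_info` reads, freed from inside libzip when the archive is closed) is still valid when it is read. It assumes ext/zip is loaded and that the procedural `zip_*` functions are still present (they are deprecated since PHP 8.0, hence the `@` on those calls); it builds its own archive with constructed entry names instead of depending on test_procedural.zip.

```php
<?php
// Added example for this issue; not the reporter's code and not php-src code.
// Assumptions: ext/zip is loaded and the procedural zip_* functions exist
// (deprecated since PHP 8.0, so E_DEPRECATED is silenced with '@').
// The archive is created on the fly; its entry names are constructed sample data.

declare(strict_types=1);

/** Creates a small two-entry archive in the temp dir and returns its path. */
function build_sample_zip(): string
{
    $path = tempnam(sys_get_temp_dir(), 'zipuaf') . '.zip';
    $za = new ZipArchive();
    if ($za->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $path");
    }
    $za->addFromString('a.txt', "alpha\n");
    $za->addFromString('dir/b.txt', "bravo\n");
    $za->close();
    return $path;
}

/**
 * Procedural API with the archive handle kept separate from the entry handle.
 * The reproducer does `$zip = zip_read($zip)`, which drops the last reference
 * to the archive resource while the entry resource still points at memory the
 * archive owns. Here $archive lives for the whole loop and is closed only after
 * the last entry resource has already been released.
 */
function list_entries_procedural(string $path): array
{
    $archive = @zip_open($path);
    if (!is_resource($archive)) {
        // zip_open() returns an integer libzip error code on failure
        throw new RuntimeException('zip_open failed: ' . var_export($archive, true));
    }
    $entries = [];
    try {
        // zip_read() returns false at end of archive, or an int on error;
        // each reassignment of $entry releases the previous entry resource
        while (is_resource($entry = @zip_read($archive))) {
            $entries[zip_entry_name($entry)] = zip_entry_filesize($entry);
        }
    } finally {
        @zip_close($archive);   // only now may libzip free the entry names
    }
    return $entries;
}

/**
 * The object-oriented API has no separate entry resource: names are read
 * straight from the ZipArchive object, so the aliasing mistake cannot occur.
 */
function list_entries_oo(string $path): array
{
    $za = new ZipArchive();
    if ($za->open($path) !== true) {
        throw new RuntimeException("cannot open $path");
    }
    $names = [];
    for ($i = 0; $i < $za->numFiles; $i++) {
        $names[] = $za->getNameIndex($i);
    }
    $za->close();
    return $names;
}

$path = build_sample_zip();
print_r(list_entries_procedural($path));   // a.txt => 6, dir/b.txt => 6
print_r(list_entries_oo($path));           // a.txt, dir/b.txt
unlink($path);
```

The distinction that matters for the report is the ordering of resource destruction: an entry resource must never outlive the archive resource it was read from. Whether the extension should itself keep the archive alive for as long as any entry resource references it, or reject `zip_entry_name()` on an entry whose archive has been closed, is the fix this issue is asking about; the example above only shows the calling pattern that stays within the intended lifetime.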