
Segmentation fault ext/zip/php_zip.c #17138

@YuanchengJiang

Description


The following code:

I cannot reproduce this ;(

<?php
/**
 * Minimal fixture for the ReflectionProperty arity checks that follow: a
 * class with one untyped public static property and nothing else.
 */
class C
{
    public static $p = null;
}
// ReflectionProperty::__construct() takes exactly two arguments; each of the
// three calls below is expected to throw TypeError (the three "Ok - ..." lines
// in the reported output confirm this part runs cleanly).
try {
    new ReflectionProperty();
} catch (TypeError $re) {
    echo "Ok - ".$re->getMessage().PHP_EOL;
}
try {
    new ReflectionProperty('C::p');
} catch (TypeError $re) {
    echo "Ok - ".$re->getMessage().PHP_EOL;
}
try {
    new ReflectionProperty('C', 'p', 'x');
} catch (TypeError $re) {
    echo "Ok - ".$re->getMessage().PHP_EOL;
}
// $clsAttr is never assigned anywhere in this script (fuzzer-fused artifact),
// so this line emits "Warning: Undefined variable $clsAttr" and leaves
// $fusion === null.
$fusion = $clsAttr;
$dirname = __DIR__ . '/';
// Helper shared by the ext/zip test-suite scripts; its contents are not shown
// in this report.
include $dirname . 'utils.inc';
$file = $dirname . 'oo_setcomment.zip';
// NOTE(review): this unlinks $fusion (null), not $file. A stale
// oo_setcomment.zip left in $dirname by an earlier run would therefore be
// reopened by the CREATE open below instead of being created fresh, which may
// be why the crash does not reproduce reliably — unconfirmed.
@unlink($fusion);
$zip = new ZipArchive;
if (!$zip->open($file, ZIPARCHIVE::CREATE)) {
    exit('failed');
}
$zip->addFromString('entry1.txt', 'entry #1');
$zip->addFromString('entry2.txt', 'entry #2');
$zip->addFromString('dir/entry2d.txt', 'entry #2');
$zip->addFromString('entry4.txt', 'entry #1');
// Crash site per the ASan trace: zim_ZipArchive_setCommentIndex (php_zip.c)
// -> libzip zip_file_set_comment -> memcmp, reported as a READ fault at an
// invalid address. No var_dump output precedes the crash in the report, so
// this first setCommentIndex() call is the likely trigger; both the index
// ($zip->lastId) and the comment string are script-controlled inputs.
var_dump($zip->setCommentIndex($zip->lastId, 'entry4.txt'));
$zip->addFromString('entry5.txt', 'entry #2');
var_dump($zip->setCommentIndex($zip->lastId, 'entry5.txt'));
var_dump($zip->setCommentName('entry1.txt', 'entry1.txt'));
var_dump($zip->setCommentName('entry2.txt', 'entry2.txt'));
var_dump($zip->setCommentName('dir/entry2d.txt', 'dir/entry2d.txt'));
var_dump($zip->setArchiveComment('archive'));
var_dump($zip->setArchiveComment('archive'));
// Precedence quirk: `!` binds before `==`, so this compares the bool
// !$zip->status with ER_OK (0 in libzip) using loose equality. It happens to
// report a non-zero status only because ER_OK is 0; the intended form is
// `$zip->status != ZIPARCHIVE::ER_OK`.
if (!$zip->status == ZIPARCHIVE::ER_OK) {
    echo "failed to write zip\n";
}
$zip->close();
// Reopen the archive to read the comments back.
if (!$zip->open($file)) {
    @unlink($file);
    exit('failed');
}
var_dump($zip->getCommentIndex(0));
var_dump($zip->getCommentIndex(1));
var_dump($zip->getCommentIndex(2));
var_dump($zip->getCommentIndex(3));
var_dump($zip->getCommentIndex(4));
var_dump($zip->getArchiveComment());
$zip->close();
@unlink($file);
var_dump(get_defined_vars());
// Fuzzer tail: array_key_first() requires an array, so each call below would
// throw TypeError — an Error, not an Exception — and these catch blocks would
// not catch it ($p is also undefined at top level). Not reached in the
// reported run because the process aborted earlier.
try {array_key_first($p);} catch (Exception $e) { echo($e); }
try {array_key_first($file);} catch (Exception $e) { echo($e); }
try {array_key_first($p);} catch (Exception $e) { echo($e); }
try {array_key_first($p);} catch (Exception $e) { echo($e); }
try {array_key_first($p);} catch (Exception $e) { echo($e); }
try {array_key_first($re);} catch (Exception $e) { echo($e); }
try {array_key_first($re);} catch (Exception $e) { echo($e); }
try {array_key_first($dirname);} catch (Exception $e) { echo($e); }
try {array_key_first($zip);} catch (Exception $e) { echo($e); }
try {array_key_first($fusion);} catch (Exception $e) { echo($e); }

Resulted in this output:

Ok - ReflectionProperty::__construct() expects exactly 2 arguments, 0 given
Ok - ReflectionProperty::__construct() expects exactly 2 arguments, 1 given
Ok - ReflectionProperty::__construct() expects exactly 2 arguments, 3 given

Warning: Undefined variable $clsAttr in /home/phpfuzz/WorkSpace/flowfusion/php-src/tests/fused/fused1488.php on line 20
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2423054==ERROR: AddressSanitizer: SEGV on unknown address 0x00004a00002b (pc 0x7feb5e826d79 bp 0x7fff3f7441d0 sp 0x7fff3f743968 T0)
==2423054==The signal is caused by a READ memory access.
    #0 0x7feb5e826d79  string/../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:413
    #1 0x61bffe in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x61bffe)
    #2 0x61c37a in memcmp (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x61c37a)
    #3 0x7feb5e8dd09e in zip_file_set_comment (/lib/x86_64-linux-gnu/libzip.so.4+0x709e)
    #4 0x3485c69 in zim_ZipArchive_setCommentIndex /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/zip/php_zip.c:2213:2
    #5 0x425da17 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:2037:4
    #6 0x3f7c167 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #7 0x3f7e3ec in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #8 0x4d15019 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
    #9 0x35298da in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
    #10 0x352aa18 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
    #11 0x4d2932a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #12 0x4d2380f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #13 0x7feb5e6b6d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7feb5e6b6e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x605934 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605934)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:413
==2423054==ABORTING

Env:

-d "opcache.cache_id=worker7" -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=30719" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=0" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "serialize_precision=-1" -d "memory_limit=128M" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "opcache.revalidate_freq=0" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_max_root_traces=100000" -d "opcache.jit_max_side_traces=100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.protect_memory=1" -d "zend.assertions=1" -d "zend.exception_ignore_args=0" -d "zend.exception_string_param_max_len=15" -d "short_open_tag=0" -d "extension_dir=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/" -d "zend_extension=/home/phpfuzz/WorkSpace/flowfusion/php-src/modules/opcache.so" -d "session.auto_start=0" -d "zlib.output_compression=Off" -d "session.sid_length=32"

PHP Version

nightly

Operating System

ubuntu 22.04
