Accessing a BcMath\Number property by ref crashes #18641

Closed

YuanchengJiang opened this issue May 24, 2025 · 0 comments

Comments

@YuanchengJiang

Description

The following code:

<?php
$a = new BCMath\Number("1");
$fusion = $a;
Test::$test = &$fusion->value;

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_types.h:670:13: runtime error: member access within misaligned address 0x7e5313a4b3d7 for type 'const zval' (aka 'const struct _zval_struct'), which requires 8 byte alignment
0x7e5313a4b3d7: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_types.h:670:13 in 

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

dfff6ac852a23c6e33c06c7716d095ad4a7166d8

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

dfff6ac852a23c6e33c06c7716d095ad4a7166d8

Operating System

No response

@nielsdos self-assigned this May 24, 2025

@nielsdos changed the title from "SEGV Zend/zend_types.h" to "Accessing a BcMath\Number property by ref crashes" May 24, 2025

nielsdos added a commit to nielsdos/php-src that referenced this issue May 24, 2025

    The properties are virtual so we need a custom get_property_ptr_ptr
    handler.

nielsdos added a commit that referenced this issue May 24, 2025

    * PHP-8.4:
      Fix memory leak when calloc() fails in php_readline_completion_cb()
      Fix GH-18641: Accessing a BcMath\Number property by ref crashes