Phar decompression with invalid extension can cause UAF #19752

Description

@chongwick

The following code:

<?php
$v_205278 = 'The quick brown fox jumps over the lazy dog.';
$v_205282 = 1;
// Archive name without any recognized phar/tar/zip extension ("...dog.1")
$v_205273 = $v_205278 . $v_205282;
$v_205274 = new PharData($v_205273,);
// gzip-compressed bytes, later passed where decompress() expects an extension string
$v_205280 = gzencode($v_205278,);
// Conversion to the invalid target name throws; the archive object is left referencing freed memory
$v_205276 = $v_205274->decompress($v_205280,);

Resulted in this output:

Fatal error: Uncaught BadMethodCallException: data phar converted from "/home/The quick brown fox jumps over the lazy dog.1" has invalid extension  in /home/7800e76d7fc62c4949b8.php.er:13
Stack trace:
#0 /home/7800e76d7fc62c4949b8.php.er(13): PharData->decompress('\x1F\x8B\x08\x00\x00\x00\x00\x00\x00\x03\v\xC9HU(...')
#1 {main}
  thrown in /home/7800e76d7fc62c4949b8.php.er on line 13
=================================================================
==128==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000062180 at pc 0x0000063642fa bp 0x7fff1006bf90 sp 0x7fff1006bf88
READ of size 1 at 0x606000062180 thread T0
    #0 0x63642f9 in zend_inline_hash_func /home/w023dtc/nightly_php/php-src/Zend/zend_string.h:481:4
    #1 0x6365c53 in zend_hash_str_del /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1678:6
    #2 0x351f9e4 in phar_archive_delref /home/w023dtc/nightly_php/php-src/ext/phar/phar.c:277:8
    #3 0x350233c in phar_spl_foreign_dtor /home/w023dtc/nightly_php/php-src/ext/phar/phar_object.c:1082:3
    #4 0x3e2d68a in spl_filesystem_object_free_storage /home/w023dtc/nightly_php/php-src/ext/spl/spl_directory.c:144:3
    #5 0x672a671 in zend_objects_store_del /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.c:196:4
    #6 0x683f7f7 in rc_dtor_func /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:57:2
    #7 0x683fa7e in i_zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.h:45:4
    #8 0x683f834 in zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:84:2
    #9 0x6361611 in _zend_hash_del_el_ex /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1493:3
    #10 0x635ed8d in _zend_hash_del_el /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1520:2
    #11 0x63786d4 in zend_hash_reverse_apply /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:2236:5
    #12 0x5a840bc in shutdown_destructors /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:260:4
    #13 0x6887cab in zend_call_destructors /home/w023dtc/nightly_php/php-src/Zend/zend.c:1336:3
    #14 0x5068a03 in php_request_shutdown /home/w023dtc/nightly_php/php-src/main/main.c:1948:3
    #15 0x68b5331 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1159:3
    #16 0x68aa30f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #17 0x149951c10d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x149951c10e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x6061f4 in _start (/home/php+0x6061f4)

0x606000062180 is located 0 bytes inside of 52-byte region [0x606000062180,0x6060000621b4)
freed by thread T0 here:
    #0 0x680e52 in free (/home/php+0x680e52)
    #1 0x56e5993 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
    #2 0x56f0a4b in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2790:3
    #3 0x3483ebc in phar_convert_to_other /home/w023dtc/nightly_php/php-src/ext/phar/phar_object.c:2335:4
    #4 0x34a952d in zim_Phar_decompress /home/w023dtc/nightly_php/php-src/ext/phar/phar_object.c:3295:9
    #5 0x5dd940b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2119:4
    #6 0x5b18433 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
    #7 0x5b1a9bc in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
    #8 0x689b019 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #9 0x507d5ba in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
    #10 0x507e6f8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
    #11 0x68aff2a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
    #12 0x68aa30f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #13 0x149951c10d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x6810bd in malloc (/home/php+0x6810bd)
    #1 0x56f1d03 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x56f0469 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x56f21e2 in _estrndup /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2873:15
    #4 0x5050237 in expand_filepath_with_mode /home/w023dtc/nightly_php/php-src/main/fopen_wrappers.c:853:15
    #5 0x504f2a2 in expand_filepath_ex /home/w023dtc/nightly_php/php-src/main/fopen_wrappers.c:782:9
    #6 0x5042023 in expand_filepath /home/w023dtc/nightly_php/php-src/main/fopen_wrappers.c:775:9
    #7 0x352ed26 in phar_create_or_parse_filename /home/w023dtc/nightly_php/php-src/ext/phar/phar.c:1452:18
    #8 0x35280cf in phar_open_or_create_filename /home/w023dtc/nightly_php/php-src/ext/phar/phar.c:1391:9
    #9 0x34652d4 in zim_Phar___construct /home/w023dtc/nightly_php/php-src/ext/phar/phar_object.c:1164:6
    #10 0x5dd57db in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1994:4
    #11 0x5b18433 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
    #12 0x5b1a9bc in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
    #13 0x689b019 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #14 0x507d5ba in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
    #15 0x507e6f8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
    #16 0x68aff2a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
    #17 0x68aa30f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #18 0x149951c10d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/Zend/zend_string.h:481:4 in zend_inline_hash_func
==128==ABORTING

USE_ZEND_ALLOC=0

PHP Version

nightly

Operating System

ubuntu 22.04
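An added example, not code from the report or from php-src: a userland guard that keeps untrusted values out of the two inputs the PoC above abuses (an archive name with no recognized extension, and a binary blob passed where the target extension belongs), so PharData::decompress() is never asked to convert to an invalid name. The function names, the extension whitelist and the sample inputs are assumptions.

```php
<?php
// Added example (not from the issue or php-src). Decompressing into a name
// with an invalid extension is the error path the ASan report above shows
// corrupting the archive object, so refuse such inputs before the call.

/**
 * True if $ext is an uncompressed archive extension that PharData accepts
 * as a decompress() target. Phar ignores case and an optional leading dot.
 */
function isValidDecompressExtension(string $ext): bool
{
    $ext = ltrim(strtolower($ext), '.');
    return in_array($ext, ['tar', 'zip'], true);   // assumed policy whitelist
}

/**
 * Decompress $archivePath into a sibling archive named with $ext, returning
 * null (and logging) instead of handing invalid values to ext/phar.
 */
function safeDecompress(string $archivePath, string $ext): ?PharData
{
    // The report's name ("...dog.1") carries no archive extension at all;
    // only tar/zip, optionally .gz/.bz2-compressed, are meaningful here.
    if (!preg_match('/\.(tar|zip)(\.(gz|bz2))?$/i', $archivePath)) {
        fwrite(STDERR, "refusing archive without a recognized extension\n");
        return null;
    }
    // The PoC passes gzencode() output as the extension; a printable
    // whitelist check rejects that (and any other attacker-chosen string).
    if (!isValidDecompressExtension($ext)) {
        fwrite(STDERR, "refusing invalid target extension\n");
        return null;
    }
    try {
        $archive = new PharData($archivePath);
        return $archive->decompress($ext);
    } catch (BadMethodCallException | PharException | UnexpectedValueException $e) {
        fwrite(STDERR, "decompress failed: " . $e->getMessage() . "\n");
        return null;
    }
}

// Constructed inputs mirroring the report; both checks fail before PharData
// is touched, so the conversion that freed the archive name never runs.
$badName = '/tmp/The quick brown fox jumps over the lazy dog.1';   // constructed
var_dump(safeDecompress($badName, gzencode('x')));                // NULL
var_dump(safeDecompress('/tmp/example.tar.gz', gzencode('x')));   // NULL
```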
