Closed
Description
The following fuzzing input
https://github.com/vi3tL0u1s/poc/blob/master/php-src-zend_hash-segv-fault
resulted in this output:
```
time ./path/to/php-src/sapi/cli/php < php-src-zend_hash-segv-fault 
Warning: Undefined variable $iC in Standard input code on line 4
Warning: Array to string conversion in Standard input code on line 12
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4066773==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd0c3000040 (pc 0x55de4eac921d bp 0x7ffdb68d1830 sp 0x7ffdb68d16f0 T0)
==4066773==The signal is caused by a WRITE memory access.
    #0 0x55de4eac921d in zend_hash_iterator_pos_ex /php-src/Zend/zend_hash.c:642:12
    #1 0x55de4e9c2d4b in ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER /php-src/Zend/zend_vm_execute.h:23204:9
    #2 0x55de4e837d7a in execute_ex /php-src/Zend/zend_vm_execute.h:113454:12
    #3 0x55de4e838677 in zend_execute /php-src/Zend/zend_vm_execute.h:119146:2
    #4 0x55de4ec65cd0 in zend_execute_script /php-src/Zend/zend.c:1977:3
    #5 0x55de4e46ffeb in php_execute_script_ex /php-src/main/main.c:2608:13
    #6 0x55de4e4704e8 in php_execute_script /php-src/main/main.c:2648:9
    #7 0x55de4ec6dbd2 in do_cli /php-src/sapi/cli/php_cli.c:952:5
    #8 0x55de4ec6ab2c in main /php-src/sapi/cli/php_cli.c:1363:18
    #9 0x7fd0c7d3cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7fd0c7d3ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x55de4d203374 in _start /php-src/sapi/cli/php+0x603374) (BuildId: 08745b1cedbdc2c480cbfd48c2b8c57d104ec64c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src/Zend/zend_hash.c:642:12 in zend_hash_iterator_pos_ex
==4066773==ABORTING
real    0m56.131s
user    0m55.752s
sys     0m0.036s
```
Crash Location: zend_hash_iterator_pos_ex at /Zend/zend_hash.c:642:12
Commit:
5d5ef5050a
Configurations:
```
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic
```
Additional Notes
The fuzzing input contains corrupted PHP code with:
- Undefined variables in loop conditions causing infinite loops
- Nested foreach loops with conflicting variable references ($v as both reference and value)
- Array modification (sort()) during active iteration
- Binary corruption in the input causing invalid memory addresses to be stored in iterator structures
PHP Version
PHP 8.5.0-dev (cli) (built: Aug 28 2025 15:22:18) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.5.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.0-dev, Copyright (c), by Zend Technologies
Operating System
Ubuntu 20.04
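When triaging a stream of fuzzer crashes like this one, the first job is to parse the AddressSanitizer report mechanically: pull out the error kind, the faulting address, whether the access was a READ or a WRITE, and the top in-project frames, then hash those into a bucket signature so duplicates of the same `zend_hash_iterator_pos_ex` crash collapse into one. The script below is an added example written for this page; it is not part of the issue, the PoC repository, or php-src. The sample report is a shortened copy of the ASAN output above (some frames omitted), embedded so the script runs offline, and the `/php-src/` root used to decide which frames count as "in project" is an assumption taken from the paths in that report.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a shortened copy of the ASAN report from the issue
# above, embedded here so the parser can run offline.
SAMPLE_REPORT = """\
Warning: Undefined variable $iC in Standard input code on line 4
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4066773==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd0c3000040 (pc 0x55de4eac921d bp 0x7ffdb68d1830 sp 0x7ffdb68d16f0 T0)
==4066773==The signal is caused by a WRITE memory access.
    #0 0x55de4eac921d in zend_hash_iterator_pos_ex /php-src/Zend/zend_hash.c:642:12
    #1 0x55de4e9c2d4b in ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER /php-src/Zend/zend_vm_execute.h:23204:9
    #2 0x55de4e837d7a in execute_ex /php-src/Zend/zend_vm_execute.h:113454:12
    #3 0x55de4e838677 in zend_execute /php-src/Zend/zend_vm_execute.h:119146:2
    #4 0x55de4ec65cd0 in zend_execute_script /php-src/Zend/zend.c:1977:3
    #5 0x55de4e46ffeb in php_execute_script_ex /php-src/main/main.c:2608:13
    #9 0x7fd0c7d3cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src/Zend/zend_hash.c:642:12 in zend_hash_iterator_pos_ex
==4066773==ABORTING
"""

# "ERROR: AddressSanitizer: <kind> on [unknown] address 0x..." covers SEGV as
# well as heap-buffer-overflow / use-after-free style reports.
ERROR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?",
    re.M,
)
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access", re.M)
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)


@dataclass
class AsanCrash:
    kind: str                       # e.g. "SEGV", "heap-buffer-overflow"
    address: Optional[int]          # faulting address, if ASAN printed one
    access: Optional[str]           # "READ" / "WRITE" when reported
    frames: List[Tuple[str, str]]   # (function, file:line:col) top to bottom

    def in_project_frames(self, root: str, depth: int = 3) -> List[Tuple[str, str]]:
        """Top `depth` frames whose source path lies under `root` (skips libc)."""
        return [f for f in self.frames if f[1].startswith(root)][:depth]

    def signature(self, root: str = "/php-src/", depth: int = 3) -> str:
        """Stable bucket id: error kind + top in-project function names."""
        parts = [self.kind] + [func for func, _ in self.in_project_frames(root, depth)]
        return hashlib.sha256("|".join(parts).encode()).hexdigest()[:12]

    def classify(self) -> str:
        """Coarse triage label (heuristic, not a proof of exploitability)."""
        if self.kind == "SEGV":
            if self.address is not None and self.address < 0x1000:
                return "near-null dereference"
            acc = self.access.lower() if self.access else "access"
            return f"wild {acc} at non-null address"
        return self.kind


def parse_asan(report: str) -> AsanCrash:
    """Extract the crash facts a fuzzing triage pipeline keys on."""
    m = ERROR_RE.search(report)
    if m is None:
        raise ValueError("no 'ERROR: AddressSanitizer' line found")
    addr = int(m.group("addr"), 16) if m.group("addr") else None
    acc = ACCESS_RE.search(report)
    frames = [(f.group("func"), f.group("loc")) for f in FRAME_RE.finditer(report)]
    return AsanCrash(
        kind=m.group("kind"),
        address=addr,
        access=acc.group("access") if acc else None,
        frames=frames,
    )


if __name__ == "__main__":
    crash = parse_asan(SAMPLE_REPORT)
    print(crash.kind, hex(crash.address or 0), crash.access, crash.classify())
    for func, loc in crash.in_project_frames("/php-src/"):
        print("  ", func, loc)
    print("bucket:", crash.signature())
```

Bucketing on function names rather than on addresses or line numbers keeps the signature stable across rebuilds of the ASAN binary; the WRITE-vs-READ distinction is worth surfacing in the label because a wild write at a non-null address, as in this report, deserves a closer look than a near-null read.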