Stack buffer underflow when executing copy() · Issue #13903 · php/php-src · GitHub
Closed
Description
The following code:

```php
<?php
class C {
    public function __destruct() {
        echo __METHOD__, "\n";
    }
}
function f() {
    Fiber::suspend();
}
$fiber = new Fiber(function () {
    $c = new C();
    $fiber = Fiber::getCurrent();
    // Force symbol table
    get_defined_vars();
    f();
});
print "1\n";
$fiber->start();
gc_collect_cycles();
print "2\n";
$fiber = null;
gc_collect_cycles();
print "3\n";
$src = __DIR__ . "/bug81145_src.bin";
$dst = __DIR__ . "/bug81145_dst.bin";
define('SIZE_4G', 0x100000000);
$fp = fopen($src, "ab");
fwrite($fp, random_bytes(0x200));
fclose($fp);
copy($src, $dst);
?>
```

Resulted in this output:
```
==1888107==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7f8c128e4e40 at pc 0x562a5c420398 bp 0x7ffe1d212bb0 sp 0x7ffe1d212388
READ of size 536870912 at 0x7f8c128e4e40 thread T0
    #0 0x562a5c420397 in __interceptor_write (/php-src/sapi/cli/php+0x1c20397) (BuildId: 065f1d90bc5cce24727b57028166b78b93cb08d5)
    #1 0x562a5e1e122f in php_stdiop_write /php-src/main/streams/plain_wrapper.c:359:27
    #2 0x562a5e1aaf11 in _php_stream_write_buffer /php-src/main/streams/streams.c:1175:23
    #3 0x562a5e1a50e0 in _php_stream_write /php-src/main/streams/streams.c:1305:11
    #4 0x562a5e1b16bf in _php_stream_copy_to_stream_ex /php-src/main/streams/streams.c:1729:16
    #5 0x562a5dc7e400 in php_copy_file_ctx /php-src/ext/standard/file.c:1614:9
    #6 0x562a5dc7d7e5 in zif_copy /php-src/ext/standard/file.c:1510:6
    #7 0x562a5eb90434 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /php-src/Zend/zend_vm_execute.h:1287:2
    #8 0x562a5e72f757 in execute_ex /php-src/Zend/zend_vm_execute.h:57144:7
    #9 0x562a5e730b22 in zend_execute /php-src/Zend/zend_vm_execute.h:62776:2
    #10 0x562a5e57c8c8 in zend_execute_script /php-src/Zend/zend.c:1896:3
    #11 0x562a5e0e6586 in php_execute_script_ex /php-src/main/main.c:2499:13
    #12 0x562a5e0e6e28 in php_execute_script /php-src/main/main.c:2539:9
    #13 0x562a5f4ad293 in do_cli /php-src/sapi/cli/php_cli.c:966:5
    #14 0x562a5f4a9822 in main /php-src/sapi/cli/php_cli.c:1340:18
    #15 0x7f8c191a9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x7f8c191a9e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #17 0x562a5c4031e4 in _start (/php-src/sapi/cli/php+0x1c031e4) (BuildId: 065f1d90bc5cce24727b57028166b78b93cb08d5)

Address 0x7f8c128e4e40 is a wild pointer inside of access range of size 0x000020000000.
SUMMARY: AddressSanitizer: stack-buffer-underflow (/php-src/sapi/cli/php+0x1c20397) (BuildId: 065f1d90bc5cce24727b57028166b78b93cb08d5) in __interceptor_write
Shadow bytes around the buggy address:
  0x0ff202514970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff202514980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff202514990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2025149a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2025149b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff2025149c0: 00 00 00 00 00 00 00 00[f1]f1 f1 f1 00 00 f2 f2
  0x0ff2025149d0: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x0ff2025149e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2025149f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff202514a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff202514a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1888107==ABORTING
```
To reproduce:

```
/php-src/sapi/cli/php -n -c '/php-src/tmp-php.ini' -d "opcache.cache_id=worker14" -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=32767" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=0" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "serialize_precision=-1" -d "memory_limit=128M" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "opcache.revalidate_freq=0" -d "opcache.jit_hot_loop=1" -d "opcache.jit_hot_func=1" -d "opcache.jit_hot_return=1" -d "opcache.jit_hot_side_exit=1" -d "opcache.jit_max_root_traces=100000" -d "opcache.jit_max_side_traces=100000" -d "opcache.jit_max_exit_counters=100000" -d "opcache.protect_memory=1" -d "zend.assertions=1" -d "zend.exception_ignore_args=0" -d "zend.exception_string_param_max_len=15" -d "short_open_tag=0" -d "extension_dir=/php-src/modules/" -d "zend_extension=/php-src/modules/opcache.so" -d "session.auto_start=0" -f "./test.php" 2>&1
```
PHP Version
PHP 8.4.0-dev
Operating System
ubuntu 22.04
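
Added triage example, not part of the original report and not php-src code: it reads the key lines of the ASan report above and checks that the faulting address maps onto the bracketed shadow byte, which the legend classifies as a stack left redzone. It assumes ASan's default x86-64 Linux shadow mapping (`shadow = (addr >> 3) + 0x7fff8000`); the function names are hypothetical.

```python
import re

# Assumption: default ASan shadow mapping on x86-64 Linux,
# shadow = (addr >> 3) + 0x7fff8000 (one shadow byte per 8 application bytes).
SHADOW_OFFSET = 0x7FFF8000
SHADOW_SCALE = 3

# Stack-related entries from the legend printed in the report.
LEGEND = {0x00: "addressable", 0xF1: "stack left redzone",
          0xF2: "stack mid redzone", 0xF3: "stack right redzone"}

# Lines copied from the report in this issue (pc/bp/sp trimmed).
REPORT = """\
==1888107==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7f8c128e4e40
READ of size 536870912 at 0x7f8c128e4e40 thread T0
  0x0ff2025149b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff2025149c0: 00 00 00 00 00 00 00 00[f1]f1 f1 f1 00 00 f2 f2
  0x0ff2025149d0: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
"""

def mem_to_shadow(addr):
    """Shadow byte address that describes the 8-byte granule holding addr."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def shadow_to_mem(shadow):
    """Inclusive application address range covered by one shadow byte."""
    lo = (shadow - SHADOW_OFFSET) << SHADOW_SCALE
    return lo, lo + (1 << SHADOW_SCALE) - 1

def triage(report):
    head = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    access = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    row = re.search(r"^=>(0x[0-9a-f]+):(.*)$", report, re.M)
    if not (head and access and row):
        raise ValueError("not a complete ASan report")
    # Each cell is one shadow byte; the '[' marks the byte for the bad address.
    cells = re.findall(r"(\[?)([0-9a-f]{2})", row.group(2))
    idx = next((i for i, (mark, _) in enumerate(cells) if mark), None)
    if idx is None:
        raise ValueError("no bracketed shadow byte in the '=>' row")
    fault = int(head.group(2), 16)
    marked = int(row.group(1), 16) + idx
    value = int(cells[idx][1], 16)
    return {"bug": head.group(1), "op": access.group(1),
            "size": int(access.group(2)), "fault": fault,
            "marked_shadow": marked,
            "marked_kind": LEGEND.get(value, "see full legend"),
            "mapping_consistent": mem_to_shadow(fault) == marked}
```
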