heap buffer overflow in phpdbg (zend_hash_num_elements() Zend/zend_hash.h) · Issue #15268 · php/php-src · GitHub
Closed
Description
The following code:

```php
<?php
namespace Foo {
    class Bar {
        function Foo($bar) {
            var_dump($bar);
        }
        function baz() { }
    }
}
namespace {
    function foo($baz) {
        var_dump(strrev($baz));
    }
    (new \Foo\Bar)->Foo("test");
    foo("test");
}
spl_autoload_register(function($class) {
    if ($class === 'A') {
        class A {
            public function method(B $x) {}
        }
    } else if ($class == 'B') {
        class B extends A {
            public function method(C $x) {}
        }
    } else {
        class C extends B {
        }
    }
});
$b = new B;
$c = new C;
?>
```

Resulted in this output:
```
==1977146==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000dbc at pc 0x55687f67b8a5 bp 0x7fff6e410180 sp 0x7fff6e410170
READ of size 4 at 0x603000000dbc thread T0
    #0 0x55687f67b8a4 in zend_hash_num_elements /php-src/Zend/zend_hash.h:309
    #1 0x55687f6885c6 in phpdbg_print_class_name /php-src/sapi/phpdbg/phpdbg_info.c:379
    #2 0x55687f68988f in phpdbg_do_info_classes /php-src/sapi/phpdbg/phpdbg_info.c:410
    #3 0x55687f6983a1 in phpdbg_internal_stack_execute /php-src/sapi/phpdbg/phpdbg_cmd.c:702
    #4 0x55687f6987e3 in phpdbg_stack_execute /php-src/sapi/phpdbg/phpdbg_cmd.c:732
    #5 0x55687f62cece in phpdbg_interactive /php-src/sapi/phpdbg/phpdbg_prompt.c:1547
    #6 0x55687f5e69b8 in main /php-src/sapi/phpdbg/phpdbg.c:1610
    #7 0x7f0f27278d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #8 0x7f0f27278e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #9 0x55687ce068d4 in _start (/php-src/sapi/phpdbg/phpdbg+0x32068d4)

0x603000000dbc is located 4 bytes to the left of 32-byte region [0x603000000dc0,0x603000000de0)
allocated by thread T0 here:
    #0 0x7f0f27f77887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55687eb67b73 in __zend_malloc /php-src/Zend/zend_alloc.c:3280
    #2 0x55687f57092a in zend_string_alloc /php-src/Zend/zend_string.h:176
    #3 0x55687f570c7c in zend_string_init /php-src/Zend/zend_string.h:198
    #4 0x55687f572c05 in zend_interned_strings_init /php-src/Zend/zend_string.c:114
    #5 0x55687f5c3bf9 in zend_startup /php-src/Zend/zend.c:1042
    #6 0x55687e6d8975 in php_module_startup /php-src/main/main.c:2144
    #7 0x55687f5de8f7 in php_sapi_phpdbg_module_startup /php-src/sapi/phpdbg/phpdbg.c:705
    #8 0x55687f5e3ace in main /php-src/sapi/phpdbg/phpdbg.c:1358
    #9 0x7f0f27278d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /php-src/Zend/zend_hash.h:309 in zend_hash_num_elements
Shadow bytes around the buggy address:
  0x0c067fff8160: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8170: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8180: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8190: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff81a0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
=>0x0c067fff81b0: fa fa 00 00 00 00 fa[fa]00 00 00 00 fa fa 00 00
  0x0c067fff81c0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff81d0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff81e0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff81f0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8200: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1977146==ABORTING
```
To reproduce:

```
phpdbg ./test.php
> i classes
```
PHP Version
PHP 8.4.0-dev
Operating System
ubuntu 22.04
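
For triage, the report above can be cross-checked mechanically: the faulting address should map to the bracketed shadow byte, and the top frames give a stable de-duplication key. The following is an added example, not part of the original report or of php-src; the function names and the `LEGEND` subset are illustrative, and it assumes ASan's default x86_64 Linux shadow mapping.

```python
import re

# Excerpt of the AddressSanitizer report quoted in this issue (frames and shadow rows trimmed).
REPORT = """\
==1977146==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000dbc at pc 0x55687f67b8a5 bp 0x7fff6e410180 sp 0x7fff6e410170
READ of size 4 at 0x603000000dbc thread T0
    #0 0x55687f67b8a4 in zend_hash_num_elements /php-src/Zend/zend_hash.h:309
    #1 0x55687f6885c6 in phpdbg_print_class_name /php-src/sapi/phpdbg/phpdbg_info.c:379
    #2 0x55687f68988f in phpdbg_do_info_classes /php-src/sapi/phpdbg/phpdbg_info.c:410
0x603000000dbc is located 4 bytes to the left of 32-byte region [0x603000000dc0,0x603000000de0)
  0x0c067fff81a0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
=>0x0c067fff81b0: fa fa 00 00 00 00 fa[fa]00 00 00 00 fa fa 00 00
  0x0c067fff81c0: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
"""

# Assumption: default ASan shadow mapping for x86_64 Linux (scale 3, offset 0x7fff8000).
SHADOW_SCALE, SHADOW_OFFSET = 3, 0x7FFF8000
LEGEND = {0x00: "addressable", 0xFA: "heap left redzone", 0xFD: "freed heap region"}

def shadow_of(addr):
    """Address of the shadow byte that describes the 8-byte granule holding addr."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def shadow_map(report):
    """Parse the 'Shadow bytes' rows into {shadow_address: byte_value}."""
    out = {}
    for base, cells in re.findall(r"^(?:=>|[ \t]*)0x([0-9a-f]+):(.*)$", report, re.M):
        for i, cell in enumerate(re.findall(r"[0-9a-f]{2}", cells)):
            out[int(base, 16) + i] = int(cell, 16)
    return out

def triage(report):
    """Reduce a report to the fields needed to classify and de-duplicate it."""
    kind, addr = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report).groups()
    op, size = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M).groups()
    lo, hi = (int(x, 16) for x in re.search(r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report).groups())
    frames = re.findall(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)", report, re.M)
    addr, shadow = int(addr, 16), shadow_map(report)
    region_shadow = [shadow[s] for s in range(shadow_of(lo), shadow_of(hi - 1) + 1)]
    return {
        "kind": kind, "access": f"{op}{size}",
        "bytes_before_region": lo - addr, "region_size": hi - lo,
        "fault_state": LEGEND.get(shadow[shadow_of(addr)], "other"),
        "region_fully_addressable": all(b == 0 for b in region_shadow),
        "signature": f"{kind}:{op}{size}:" + "<".join(frames[:2]),
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

The signature keys on the two innermost frames, so reports reaching `zend_hash_num_elements` through a different phpdbg command are grouped separately.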