Description:
------------
Run with ASAN
Test script:
---------------
<?php
// First call: the scale argument is negative (-200) and bcpowmod() does not
// reject it. With exponent "A" (read as 0) the result is the shared _one_
// constant, whose n_scale is then clamped to the negative scale.
bcpowmod(1, "A", 128, -200);
// Second call: exponent 1.2 has a non-zero scale, so bc_raisemod() warns and
// truncates it with bc_divide(exponent, _one_, ...) (raisemod.c:69); dividing
// by the corrupted _one_ is the out-of-bounds read ASAN reports in div.c:122.
bcpowmod(1, 1.2, 1, 1);
Expected result:
----------------
No crash
Actual result:
--------------
bc math warning: non-zero scale in exponent
=================================================================
==15893==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3805f68 at pc 0x083fd271 bp 0xbf91e4d8 sp 0xbf91e4c8
READ of size 1 at 0xb3805f68 thread T0
#0 0x83fd270 in bc_divide /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/div.c:122
#1 0x83fff96 in bc_raisemod /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/raisemod.c:69
#2 0x83f9923 in zif_bcpowmod /home/fmunozs/phpgit/php56/ext/bcmath/bcmath.c:426
#3 0x9a7c718 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558
#4 0x9640316 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363
#5 0x9a6c9c8 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388
#6 0x9470b59 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341
#7 0x91acc6b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613
#8 0x9a8648a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994
#9 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378
#10 0xb6dbe645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
#11 0x808aaba (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba)
0xb3805f68 is located 8 bytes to the left of 8-byte region [0xb3805f70,0xb3805f78)
freed by thread T0 here:
#0 0xb726f9f4 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x969f4)
#1 0xb334c911 (/usr/lib/i386-linux-gnu/libtasn1.so.6+0xa911)
previously allocated by thread T0 here:
#0 0xb726fd06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
#1 0xb334c17e (/usr/lib/i386-linux-gnu/libtasn1.so.6+0xa17e)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fmunozs/phpgit/php56/ext/bcmath/libbcmath/src/div.c:122 bc_divide
Shadow bytes around the buggy address:
0x36700b90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x36700ba0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x36700bb0: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa fd fa
0x36700bc0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x36700bd0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x36700be0: fa fa fd fa fa fa fd fa fa fa fd fa fa[fa]fd fa
0x36700bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x36700c00: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 00 06
0x36700c10: fa fa 00 03 fa fa 00 05 fa fa 00 06 fa fa 00 07
0x36700c20: fa fa 00 00 fa fa 00 07 fa fa 00 00 fa fa 00 05
0x36700c30: fa fa 00 07 fa fa 00 07 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==15893==ABORTING
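Until the extension itself validates its arguments, callers can keep the argument shapes exercised above from ever reaching bc_raisemod(). The wrapper below is an added example and not code from the bug report or from PHP's bcmath extension; the function name safe_bcpowmod() and the sample inputs are hypothetical. It rejects a negative or non-integer scale, a fractional or non-numeric exponent, and a zero modulus, then delegates to the real bcpowmod() only with plain integer strings.

```php
<?php
// Added example (not part of the original report): a userland guard in front
// of bcpowmod(). safe_bcpowmod() is a hypothetical helper name.

function safe_bcpowmod($base, $exponent, $modulus, $scale = 0)
{
    // bcmath's scale is a count of fractional digits; a negative or
    // non-integer value is outside the documented range, so refuse it here
    // instead of letting the extension store it in a number's n_scale.
    if (!is_int($scale) || $scale < 0) {
        throw new InvalidArgumentException(
            "scale must be a non-negative integer, got " . var_export($scale, true)
        );
    }

    // Only ints and strings are accepted as operands: a float such as 1.2
    // would be stringified and then truncated (with a warning) inside
    // bc_raisemod(), which is the path the report crashes on.
    foreach (['base' => $base, 'exponent' => $exponent, 'modulus' => $modulus] as $name => $value) {
        if (!is_string($value) && !is_int($value)) {
            throw new InvalidArgumentException("$name must be an int or a numeric string");
        }
    }

    // The exponent must be a plain non-negative integer: "A" (non-numeric,
    // silently read as 0 by bcmath) and "1.2" (non-zero scale) both fail.
    if (!preg_match('/^\+?[0-9]+$/', (string) $exponent)) {
        throw new InvalidArgumentException("exponent must be a non-negative integer string");
    }

    // The modulus must be a non-zero integer; bc_raisemod() itself only
    // warns on a fractional modulus and errors on zero.
    if (!preg_match('/^[+-]?[0-9]+$/', (string) $modulus)
        || bccomp((string) $modulus, '0', 0) === 0) {
        throw new InvalidArgumentException("modulus must be a non-zero integer string");
    }

    // The base may carry a fraction (bcmath only warns), but it must be numeric.
    if (!preg_match('/^[+-]?[0-9]+(\.[0-9]+)?$/', (string) $base)) {
        throw new InvalidArgumentException("base must be a numeric string");
    }

    return bcpowmod((string) $base, (string) $exponent, (string) $modulus, $scale);
}

// Constructed inputs mirroring the two calls in the report: both are refused
// before the bcmath C code runs. Argument unpacking needs PHP 5.6 or later.
foreach ([[1, "A", 128, -200], [1, 1.2, 1, 1]] as $args) {
    try {
        var_dump(safe_bcpowmod(...$args));
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}

// A well-formed call is passed straight through to bcpowmod().
var_dump(safe_bcpowmod("4", "13", "497"));
```

The two constructed calls both end in "rejected: ..." lines, and the final call returns the string "445" (4^13 mod 497 by hand: 4^8 mod 497 = 429, 429 * 256 * 4 mod 497 = 445). The checks are deliberately stricter than bcmath's own behaviour: rather than relying on the extension's warnings for a fractional base, exponent or modulus, the wrapper only ever hands the C code the integer-string form the function is documented for.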