Description:
------------
Run with PHP/ASAN
When a negative value is passed as the offset parameter and the first parameter is an array element, the function reads from arbitrary memory.
Test script:
---------------
<?php
$vals = [ 1, 1, 1, 1, 1, 1, 1,1, 1, 1, 1, 1, 1, 1,1,1, 1, 1, 1, 1, 1, 1,1,1, 1,1, 1, 1, 1, 1, 1,1, 1, 1, 1,1,1,1,1,
1,1,1, 1, 1, 1,1,1, 1, 1, 1, 1 , 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,1, 1,1, 1,1,1, 1 ,
str_repeat("ABCD", 16384) ];
// $vals[76] is the 65536-byte string; the negative offset is inside the string but is applied before the buffer start
grapheme_stripos($vals[76], "A", -201);
Expected result:
----------------
no crash
Actual result:
--------------
==16765==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb0ebf747 at pc 0xb71b3c35 bp 0xbff95058 sp 0xbff94c2c
READ of size 202 at 0xb0ebf747 thread T0
#0 0xb71b3c34 (/usr/lib/i386-linux-gnu/libasan.so.2+0x37c34)
#1 0xaf8e42c5 in zend_memnstr /home/fmunozs/phpgit/php56/Zend/zend_operators.h:280
#2 0xaf8e42c5 in zif_grapheme_stripos /home/fmunozs/phpgit/php56/ext/intl/grapheme/grapheme_string.c:222
#3 0x9a7c718 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558
#4 0x9640316 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363
#5 0x9a6c9c8 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388
#6 0x9470b59 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341
#7 0x91acc6b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613
#8 0x9a8648a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994
#9 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378
#10 0xb6d61645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
#11 0x808aaba (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba)
0xb0ebf747 is located 185 bytes to the left of 262144-byte region [0xb0ebf800,0xb0eff800)
allocated by thread T0 here:
#0 0xb7212d06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
#1 0x92e8597 in zend_mm_mem_malloc_alloc /home/fmunozs/phpgit/php56/Zend/zend_alloc.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x361d7e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x361d7ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x361d7eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x361d7ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x361d7ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x361d7ee0: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
0x361d7ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x361d7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x361d7f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x361d7f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x361d7f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==16765==ABORTING
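Added example, not part of this report and not PHP's own grapheme_stripos() code: a hypothetical C search helper that handles a signed offset the way the fast path in the trace above should, range-checking and normalising a negative offset before any pointer arithmetic, and rebuilt against the reporter's input ("ABCD" x 16384, needle "A", offset -201) as constructed sample data.

```c
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: case-insensitive byte search accepting a signed
 * offset, negative meaning "count back from the end". Returns the match
 * position, or -1 for no match or an out-of-range offset. */
long search_from_offset(const char *haystack, size_t haystack_len,
                        const char *needle, size_t needle_len, long offset)
{
    size_t start;

    /* Range-check and normalise first. The buggy pattern is to compute
     * haystack + offset while offset is still negative: that pointer lands
     * in the heap redzone before the buffer, which is the READ that
     * AddressSanitizer reported above. */
    if (offset < 0) {
        if (haystack_len > (size_t)LONG_MAX || offset < -(long)haystack_len)
            return -1;
        start = (size_t)((long)haystack_len + offset);
    } else {
        if ((unsigned long)offset >= haystack_len)
            return -1;
        start = (size_t)offset;
    }
    if (needle_len == 0 || needle_len > haystack_len - start)
        return -1;

    for (size_t i = start; i + needle_len <= haystack_len; i++) {
        size_t k = 0;
        while (k < needle_len &&
               tolower((unsigned char)haystack[i + k]) ==
               tolower((unsigned char)needle[k]))
            k++;
        if (k == needle_len)
            return (long)i;
    }
    return -1;
}

/* Rebuilds the reporter's input (constructed sample data): "ABCD" repeated
 * 16384 times, searched for "A" from offset -201. Returns the match position. */
long page_case(void)
{
    const size_t len = 4 * 16384;
    char *buf = malloc(len);
    if (!buf) return -2;
    for (size_t i = 0; i < len; i++)
        buf[i] = "ABCD"[i % 4];
    long pos = search_from_offset(buf, len, "A", 1, -201);
    free(buf);
    return pos;
}
```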