Title: Invalid read/segfault on specific input · Issue #177 · msgpack/msgpack-php · GitHub

Open Graph Title: Invalid read/segfault on specific input · Issue #177 · msgpack/msgpack-php

X Title: Invalid read/segfault on specific input · Issue #177 · msgpack/msgpack-php

Description: Hi again 👋, I found a flaw in msgpack on a specific input string. Very easy to reproducer:

Open Graph Description: Hi again 👋, I found a flaw in msgpack on a specific input string. Very easy to reproducer:

X Description: Hi again 👋, I found a flaw in msgpack on a specific input string. Very easy to reproducer: <?php $data = hex2bin('de06000000c09baa316e3b303e66656367675203060657545563343864643600000000')...

Opengraph URL: https://github.com/msgpack/msgpack-php/issues/177

X: @github

direct link

Domain: patch-diff.githubusercontent.com


Opened by michael-grunder on 2024-11-03

Hi again 👋,

I found a flaw in msgpack on a specific input string.

Very easy to reproduce:

```php
<?php
$data = hex2bin('de06000000c09baa316e3b303e66656367675203060657545563343864643600000000');
$unserialized = msgpack_unserialize($data);
```

With the zend allocator:

```
 valgrind sapi/cli/php unserialize.php
==3142543== Memcheck, a memory error detector
==3142543== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==3142543== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
==3142543== Command: sapi/cli/php unserialize.php
==3142543==
==3142543== Warning: set address range perms: large range [0x59c95000, 0xd9c95000) (defined)
==3142543== Warning: set address range perms: large range [0x59c96000, 0xd9c95000) (undefined)

Warning: [msgpack] (php_msgpack_unserialize) Insufficient data for unserializing in /home/mike/dev/phpfarm/src/php-8.3.11-debug/unserialize.php on line 4
php: /home/mike/dev/phpfarm/src/php-8.3.11-debug/Zend/zend_gc.c:698: gc_possible_root: Assertion `zval_gc_type((ref)->gc.u.type_info) == 7 || zval_gc_type((ref)->gc.u.type_info) == 8' failed.
==3142543==
==3142543== Process terminating with default action of signal 6 (SIGABRT)
==3142543==    at 0x5E009FC: __pthread_kill_implementation (pthread_kill.c:44)
==3142543==    by 0x5E009FC: __pthread_kill_internal (pthread_kill.c:78)
==3142543==    by 0x5E009FC: pthread_kill@@GLIBC_2.34 (pthread_kill.c:89)
==3142543==    by 0x5DAC475: raise (raise.c:26)
==3142543==    by 0x5D927F2: abort (abort.c:79)
==3142543==    by 0x5D9271A: __assert_fail_base.cold (assert.c:92)
==3142543==    by 0x5DA3E95: __assert_fail (assert.c:101)
==3142543==    by 0xEA5570: gc_possible_root (zend_gc.c:698)
==3142543==    by 0xDD50CA: gc_check_possible_root (zend_gc.h:98)
==3142543==    by 0xDD511C: i_zval_ptr_dtor (zend_variables.h:46)
==3142543==    by 0xDD52EB: zval_ptr_dtor (zend_variables.c:84)
==3142543==    by 0x8C9D3B: msgpack_unserialize_var_destroy (msgpack_unpack.c:364)
==3142543==    by 0x8C4DB9: php_msgpack_unserialize (msgpack.c:279)
==3142543==    by 0x8C4F2D: zif_msgpack_unserialize (msgpack.c:318)
==3142543==
==3142543== HEAP SUMMARY:
==3142543==     in use at exit: 3,418,965 bytes in 27,735 blocks
==3142543==   total heap usage: 30,680 allocs, 2,944 frees, 2,151,772,892 bytes allocated
==3142543==
==3142543== LEAK SUMMARY:
==3142543==    definitely lost: 34,983 bytes in 986 blocks
==3142543==    indirectly lost: 40 bytes in 1 blocks
==3142543==      possibly lost: 2,619,303 bytes in 21,628 blocks
==3142543==    still reachable: 2,148,244,191 bytes in 5,121 blocks
==3142543==         suppressed: 0 bytes in 0 blocks
==3142543== Rerun with --leak-check=full to see details of leaked memory
==3142543==
==3142543== For lists of detected and suppressed errors, rerun with: -s
==3142543== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
[1]    3142543 IOT instruction (core dumped)  valgrind sapi/cli/php unserialize.php
```

Without the allocator:

```
 USE_ZEND_ALLOC=0 valgrind sapi/cli/php unserialize.php
==3142751== Memcheck, a memory error detector
==3142751== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==3142751== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
==3142751== Command: sapi/cli/php unserialize.php
==3142751==
==3142751== Warning: set address range perms: large range [0x59c95000, 0xd9c95000) (defined)
==3142751== Warning: set address range perms: large range [0x59c96000, 0xd9c95000) (undefined)

Warning: [msgpack] (php_msgpack_unserialize) Insufficient data for unserializing in /home/mike/dev/phpfarm/src/php-8.3.11-debug/unserialize.php on line 4
==3142751== Invalid read of size 4
==3142751==    at 0xDD4E45: zend_gc_delref (zend_types.h:1342)
==3142751==    by 0xDD50FE: i_zval_ptr_dtor (zend_variables.h:43)
==3142751==    by 0xDD52EB: zval_ptr_dtor (zend_variables.c:84)
==3142751==    by 0x8C9D3B: msgpack_unserialize_var_destroy (msgpack_unpack.c:364)
==3142751==    by 0x8C4DB9: php_msgpack_unserialize (msgpack.c:279)
==3142751==    by 0x8C4F2D: zif_msgpack_unserialize (msgpack.c:318)
==3142751==    by 0xE18658: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1337)
==3142751==    by 0xE8E113: execute_ex (zend_vm_execute.h:57216)
==3142751==    by 0xE92959: zend_execute (zend_vm_execute.h:61604)
==3142751==    by 0xDD9AAA: zend_execute_scripts (zend.c:1891)
==3142751==    by 0xD37F82: php_execute_script (main.c:2528)
==3142751==    by 0xF4C25A: do_cli (php_cli.c:966)
==3142751==  Address 0xa07ee50 is 0 bytes inside a block of size 56 free'd
==3142751==    at 0x484C9F4: free (vg_replace_malloc.c:989)
==3142751==    by 0xD9AF5D: _efree_custom (zend_alloc.c:2500)
==3142751==    by 0xD9B0A8: _efree (zend_alloc.c:2620)
==3142751==    by 0xDF2F95: zend_array_destroy (zend_hash.c:1867)
==3142751==    by 0xDD517A: rc_dtor_func (zend_variables.c:57)
==3142751==    by 0xDD510E: i_zval_ptr_dtor (zend_variables.h:44)
==3142751==    by 0xDD52EB: zval_ptr_dtor (zend_variables.c:84)
==3142751==    by 0x8CADD3: msgpack_unserialize_map_item (msgpack_unpack.c:647)
==3142751==    by 0x8C4511: msgpack_unserialize_execute (unpack_template.h:405)
==3142751==    by 0x8C4B9D: php_msgpack_unserialize (msgpack.c:252)
==3142751==    by 0x8C4F2D: zif_msgpack_unserialize (msgpack.c:318)
==3142751==    by 0xE18658: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1337)
==3142751==  Block was alloc'd at
==3142751==    at 0x484977B: malloc (vg_replace_malloc.c:446)
==3142751==    by 0xD9C29B: __zend_malloc (zend_alloc.c:3128)
==3142751==    by 0xD9AEF0: _malloc_custom (zend_alloc.c:2491)
==3142751==    by 0xD9B02E: _emalloc (zend_alloc.c:2610)
==3142751==    by 0xDEDEC9: _zend_new_array (zend_hash.c:291)
==3142751==    by 0x8CA788: msgpack_unserialize_array (msgpack_unpack.c:550)
==3142751==    by 0x8C39BA: msgpack_unserialize_execute (unpack_template.h:231)
==3142751==    by 0x8C4B9D: php_msgpack_unserialize (msgpack.c:252)
==3142751==    by 0x8C4F2D: zif_msgpack_unserialize (msgpack.c:318)
==3142751==    by 0xE18658: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1337)
==3142751==    by 0xE8E113: execute_ex (zend_vm_execute.h:57216)
==3142751==    by 0xE92959: zend_execute (zend_vm_execute.h:61604)
==3142751==
php: /home/mike/dev/phpfarm/src/php-8.3.11-debug/Zend/zend_types.h:1342: zend_gc_delref: Assertion `p->refcount > 0' failed.
==3142751==
==3142751== Process terminating with default action of signal 6 (SIGABRT)
==3142751==    at 0x5E009FC: __pthread_kill_implementation (pthread_kill.c:44)
==3142751==    by 0x5E009FC: __pthread_kill_internal (pthread_kill.c:78)
==3142751==    by 0x5E009FC: pthread_kill@@GLIBC_2.34 (pthread_kill.c:89)
==3142751==    by 0x5DAC475: raise (raise.c:26)
==3142751==    by 0x5D927F2: abort (abort.c:79)
==3142751==    by 0x5D9271A: __assert_fail_base.cold (assert.c:92)
==3142751==    by 0x5DA3E95: __assert_fail (assert.c:101)
==3142751==    by 0xDD4E63: zend_gc_delref (zend_types.h:1342)
==3142751==    by 0xDD50FE: i_zval_ptr_dtor (zend_variables.h:43)
==3142751==    by 0xDD52EB: zval_ptr_dtor (zend_variables.c:84)
==3142751==    by 0x8C9D3B: msgpack_unserialize_var_destroy (msgpack_unpack.c:364)
==3142751==    by 0x8C4DB9: php_msgpack_unserialize (msgpack.c:279)
==3142751==    by 0x8C4F2D: zif_msgpack_unserialize (msgpack.c:318)
==3142751==    by 0xE18658: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1337)
==3142751==
==3142751== HEAP SUMMARY:
==3142751==     in use at exit: 3,854,817 bytes in 27,959 blocks
==3142751==   total heap usage: 31,192 allocs, 3,232 frees, 2,152,369,935 bytes allocated
==3142751==
==3142751== LEAK SUMMARY:
==3142751==    definitely lost: 34,983 bytes in 986 blocks
==3142751==    indirectly lost: 40 bytes in 1 blocks
==3142751==      possibly lost: 2,679,753 bytes in 21,820 blocks
==3142751==    still reachable: 2,148,619,593 bytes in 5,153 blocks
==3142751==         suppressed: 0 bytes in 0 blocks
==3142751== Rerun with --leak-check=full to see details of leaked memory
==3142751==
==3142751== For lists of detected and suppressed errors, rerun with: -s
==3142751== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    3142751 IOT instruction (core dumped)  USE_ZEND_ALLOC=0 valgrind sapi/cli/php unserialize.php
```

I can replicate the problem both in debug and release builds of PHP. I'm using 8.3.11 here though.

```bash
PHP 8.3.11 (cli) (built: Aug 30 2024 09:27:49) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.11, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.11, Copyright (c), by Zend Technologies
```

Let me know if I can provide any other info.
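What the reproducer bytes actually declare is worth seeing before loading them into a debug build. The walker below is an added example (not code from the issue or from msgpack-php): it implements only the slice of the msgpack wire format needed for this payload (positive fixint, nil, bool, fixstr/str8, fixarray/array16, fixmap/map16) and reports what the outer container header promises versus what the input contains. Run on the posted hex it shows a map16 header (0xde 0x06 0x00) declaring 1536 key/value pairs, five decodable pairs, the second of which has a nil key and an 11-element array as its value, and the input ending after the sixth key, which matches the "Insufficient data for unserializing" warning in the trace. The second valgrind run then shows that the array allocated in msgpack_unserialize_array (msgpack_unpack.c:550) was freed from msgpack_unserialize_map_item (msgpack_unpack.c:647) and read again from msgpack_unserialize_var_destroy (msgpack_unpack.c:364) on the error path. The walker does not call the extension and makes no claim about which of those two frees is the wrong one; the `Walker`/`describe` names are this example's own.

```python
"""Structural walk of the reproducer payload (added example, not project code)."""
from binascii import unhexlify

# Hex string exactly as posted in the issue.
REPRO_HEX = "de06000000c09baa316e3b303e66656367675203060657545563343864643600000000"


class Truncated(Exception):
    """A container header promised more bytes than the input holds."""


class Walker:
    """Minimal msgpack reader: just the types this payload uses."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0
        self.declared = []    # element/pair count of each container as it is opened
        self.open_maps = []   # partially decoded maps, outermost first

    def _need(self, n: int) -> bytes:
        left = len(self.data) - self.pos
        if n > left:
            raise Truncated(f"need {n} byte(s) at offset {self.pos}, only {left} left")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _count(self, b: int, wide: int) -> int:
        # fixarray/fixmap carry the count in the low nibble; array16/map16 in two big-endian bytes.
        return int.from_bytes(self._need(2), "big") if b == wide else b & 0x0F

    def value(self):
        start = self.pos
        b = self._need(1)[0]
        if b <= 0x7F:                               # positive fixint
            return b
        if b == 0xC0:                               # nil
            return None
        if b in (0xC2, 0xC3):                       # false / true
            return b == 0xC3
        if 0xA0 <= b <= 0xBF:                       # fixstr
            return self._need(b & 0x1F).decode("latin-1")
        if b == 0xD9:                               # str 8
            return self._need(self._need(1)[0]).decode("latin-1")
        if 0x90 <= b <= 0x9F or b == 0xDC:          # fixarray / array 16
            n = self._count(b, 0xDC)
            self.declared.append(n)
            return [self.value() for _ in range(n)]
        if 0x80 <= b <= 0x8F or b == 0xDE:          # fixmap / map 16
            n = self._count(b, 0xDE)
            self.declared.append(n)
            return self._map(n)
        raise ValueError(f"type byte 0x{b:02x} at offset {start} is outside this walker's subset")

    def _map(self, n: int):
        # Maps are kept as (key, value) pairs: msgpack allows keys (nil, arrays)
        # that neither a Python dict nor a PHP array can represent directly.
        pairs = []
        self.open_maps.append(pairs)
        for _ in range(n):
            key = self.value()
            pairs.append((key, self.value()))
        self.open_maps.pop()
        return pairs


def describe(hex_payload: str) -> dict:
    """Decode as far as the bytes allow and summarise header promise vs. reality."""
    w = Walker(unhexlify(hex_payload))
    out = {"declared_pairs": None, "pairs": [], "stopped_at": None, "error": None}
    try:
        top = w.value()
        if isinstance(top, list) and all(isinstance(p, tuple) for p in top):
            out["pairs"] = top                 # complete top-level map
    except Truncated as exc:
        out["error"] = str(exc)
        out["stopped_at"] = w.pos
        if w.open_maps:
            out["pairs"] = w.open_maps[0]      # what the outermost map had so far
    if w.declared:
        out["declared_pairs"] = w.declared[0]
    return out


if __name__ == "__main__":
    r = describe(REPRO_HEX)
    print(f"outer map16 declares {r['declared_pairs']} pairs, {len(r['pairs'])} decodable")
    for k, v in r["pairs"]:
        print(f"  {k!r}: {v!r}")
    print("stopped:", r["error"])
```

The gap between 1536 declared pairs and 35 bytes of input is the kind of header/length mismatch a fuzzer finds quickly, and it is the same shape of input worth feeding to the extension under valgrind or ASan when checking any fix to the error-path cleanup.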